In the space of just a few hours late last week I saw four separate security-related articles pop up in different publications, specifically covering news about organizations that had been hacked. I’m the first to admit that headlines of large-scale breaches don’t surprise me these days, but I was struck by the depth and breadth of these attacks, and the types of organizations they targeted.
What grabbed my attention? This treasure trove of news.
- U.S. gas pipeline was shut down for two days by ransomware
As reported in ZDNet, Ars Technica and other publications, CISA, the cybersecurity agency within the U.S. Department of Homeland Security, released an alert stating that a natural gas pipeline somewhere in the U.S. had to be shut down for two days due to a ransomware attack. Employees at the company’s gas compression facility were sent malicious spear-phishing messages, which gave the attackers a foothold on their Windows-based computers on the corporate network. Once the attack was discovered, the company moved to shut down “the entire pipeline asset.”
DHS concluded that the attack was successful in part because the unidentified organization was not prepared for an attack of this nature. Its emergency preparedness planning focused on physical threats rather than cyberattacks. In addition, the company “failed to implement robust segmentation between the IT and OT networks, which allowed the adversary to traverse the IT-OT boundary and disable assets on both networks.” In other words, a phishing foothold on an office workstation was enough to reach the operational network that controls the physical process, because nothing at the boundary stopped the attackers from moving across it. This attack may not have been avoidable, but the general lack of preparedness and the inability of senior staff to take decisive action is far from reassuring.
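What “robust segmentation between the IT and OT networks” looks like in practice is a default-deny boundary with a small number of explicitly justified exceptions. The ruleset below is an added illustration of that principle for a Linux firewall sitting between the two networks; it is not taken from the CISA alert or from the affected company, and the interface-free design, address ranges, the jump host, the historian and its port are all assumptions chosen for the example.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the CISA alert or the victim organization):
# a minimal default-deny IT/OT boundary policy for a Linux firewall that
# forwards traffic between the corporate (IT) and control (OT) networks.
# All addresses and ports below are assumptions for illustration.

flush ruleset

define IT_NET = 10.10.0.0/16    # assumed corporate workstations, mail, file servers
define OT_NET = 10.20.0.0/16    # assumed compression-station HMIs, historians, PLC LAN
define JUMP   = 10.10.50.5      # assumed hardened jump host, the only IT -> OT entry
define HIST   = 10.20.1.10      # assumed OT historian that IT may read from

table inet boundary {
    chain forward {
        # Everything crossing the boundary is dropped unless a rule below accepts it.
        type filter hook forward priority 0; policy drop;

        # Replies to already-accepted sessions may continue; malformed state is dropped.
        ct state established,related accept
        ct state invalid drop

        # The only way from IT into OT: engineering access via the jump host over SSH.
        # Compromised office workstations cannot open sessions to OT hosts directly.
        ip saddr $JUMP ip daddr $OT_NET tcp dport 22 accept

        # IT may pull historian data over HTTPS (assumed port); nothing else in OT is reachable.
        ip saddr $IT_NET ip daddr $HIST tcp dport 443 accept

        # OT never initiates connections into IT. Explicit counters make the attempts visible
        # even though the chain policy would drop them anyway.
        ip saddr $OT_NET ip daddr $IT_NET counter drop

        # The lateral-movement channels commodity ransomware typically rides on
        # (SMB, RDP, WinRM) are listed explicitly so their hit counts can be watched.
        ip saddr $IT_NET ip daddr $OT_NET tcp dport { 445, 3389, 5985, 5986 } counter drop

        # Anything that reaches this point is logged before the policy drops it.
        log prefix "it-ot-boundary drop: " counter drop
    }
}
```

Loading the file with `nft -f` installs the policy; `nft list counters` and the kernel log line prefix then show which IT hosts are trying to reach OT assets and on which ports. The design point is that a phishing foothold on an office machine only gets an attacker as far as the boundary: the one sanctioned path into OT runs through a separately hardened, separately monitored host rather than through every workstation on the corporate network.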
- Breach at the Department of Defense
TechCrunch, BBC and other outlets revealed another embarrassing breach last week. DISA, the Department of Defense’s Defense Information Systems Agency, reported that its network ‘may’ have been compromised. The agency has a staff of approximately 8,000 military and civilian employees and is tasked with providing IT and communications support to the U.S. government. That includes communications for an enormous number of people, including the president and other senior government and military officials.
In response to the breach, which is believed to have taken place in the summer of 2019, the agency sent letters to possible victims this month. According to reports, the names, social security numbers and other personally identifiable information of up to 200,000 people may have been exposed. Andy Piazza, a U.S. veteran and cyber threat analyst, was one of those exposed in the hack. He posted the February 11 letter from DISA on his Twitter account.
Given DISA’s stated vision to be “the trusted provider to connect and protect the war fighter in cyber-space,” and its important position within the military apparatus, it’s hard to have confidence in the agency’s capabilities if it took this long to find and remediate such a significant breach.
- ISS World employees offline due to ransomware attack
With half a million employees worldwide, ISS World is a major provider of cleaning, catering, security and other facilities and business services to companies around the world.
On February 19, the company announced that it had disabled shared IT services across all of its sites in all countries to isolate a breach. Although the company claimed to have identified the root cause of the attack, email and other internal communications were disrupted for several days.
Details are scarce, but the attack on ISS World is believed to have originated as a ransomware attempt. Ransomware typically locks employees out of their own systems by encrypting files on servers and workstations, then demands payment for the key needed to recover the data. As we saw in 2019, attacks like these were particularly successful against many state and local government agencies, but they can inflict a lot of damage on private organizations, too.
- MGM hack exposed personal data of more than 10.6 million guests
Last but not least, the names, addresses, birth dates, email addresses and phone numbers of more than 10.6 million MGM Resorts guests were exposed in a large data breach. Among the trove of data, the personal details of many celebrities like Justin Bieber, tech CEOs like Jack Dorsey, journalists, government officials and employees at many of the world’s largest technology companies were scooped up.
According to ZDNet’s exclusive reporting, the security incident took place in 2019. A hotel spokesperson commented that the chain had “promptly notified all impacted hotel guests in accordance with applicable state laws.”
MGM’s response may sound reasonable, but there’s a problem with this statement. Talking about ‘applicable state laws’ conveniently glosses over the fact that notification requirements vary from state to state, and that many state statutes only treat specific data elements, such as social security numbers or financial account numbers, as ‘personal information’ that triggers a duty to notify. Yes, the company may be complying with state laws, but only having to inform some hotel guests, depending on where they live and on which fields were exposed, makes absolutely no sense. It doesn’t take much to imagine that these hotel guests – who trusted MGM with their information – now face a greater risk of future attacks. A name, birth date, email address and phone number are exactly what a spear-phishing lure or a SIM swapping request needs to look convincing. And yet, MGM may not even be required to inform some of them of this risk, simply because of weak state laws.
Not Good Enough
Even with massive investments in security hardware and software, organizations that think they’re immune to cyberattacks are being incredibly naïve. If an organization hasn’t been breached yet, then it probably will be at some point. I’d even hazard a guess that most prominent, ‘well-protected’ organizations have already been breached and may not even know it.
Protecting our data from the increasingly sophisticated barrage of threats is becoming more challenging for every organization. There’s no silver bullet, but companies that store our personal information pay too much lip service to the idea that they ‘value’ that information. Do they really? Or is it time for more states to implement laws like the EU’s GDPR or the California Consumer Privacy Act (CCPA)? Laws like these won’t stop hackers, but they will (hopefully) make companies more aware of the financially painful consequences they face for not taking better care of our information.
When we see breaches like these occurring on an almost daily basis, we know it’s time for a genuine shakeup.