By now, there isn’t a single business entity that doesn’t need to worry about shoring up cybersecurity. Most recently, a highly visible tech giant and governments big and small fell victim to external attacks in August, while a New York bank sought justice for an inside job.
With cybercrime targeting institutions of all sizes and disciplines, the need for constant protection remains as evident as it is elusive. Let’s run down a few notable breaches from the past month.
August 2021’s Most Newsworthy Cyberattacks
Hacker Steals Data From Millions of T-Mobile Customers
Telecommunications giant T-Mobile had the dubious distinction of the month’s most publicized data breach after an August 4 attack netted a stunning amount of customer data for a solo hacker. More than 40 million current, former, and even prospective T-Mobile customers had personal information including names, birthdates, social security numbers, and ID numbers pilfered, with about 850,000 others also having their PINs and phone numbers exposed.
In early September, authorities revealed that a 21-year-old hacker named John Binns had taken credit for the attack. Binn, an American currently living in Turkey, claims he was able to breach T-Mobile’s system via an unprotected router and a flaw in the company’s internet addresses.
At the time of writing, it remains unclear what Brinns did with the stolen data. T-Mobile, meanwhile, is offering affected customers free identity theft protection and is reportedly preparing to deal with a sizable class-action lawsuit.
Records Exposed: Personally identifiable information, including names, social security numbers, PINs, and more
Type of Attack: Router exploit
Date of Attack: August 4, 2021
Location: Bellevue, Washington
Key takeaway: Yet again, a major tech company that really should know better finds itself on the wrong end of the fight in cybersecurity. That an attack this massive appears to be the work of a single hacker is all the more concerning. In an industry as competitive as mobile communications, this is simply an inexcusable oversight.
U.S. State Department (Unofficially) Hit by Cyber Attack
In frustratingly vague news of possible cybercrime, several outlets reported on a late August cyber attack on the U.S. State Department. Details of the attack are hard to come by. An official spokesperson declined to confirm the story, saying instead that: “For security reasons, we are not in a position to discuss the nature or scope of any alleged cybersecurity incidents at this time.”
The Department did confirm there were no interruptions in service or any interference with the department’s ongoing mission to evacuate Americans and refugees from Afghanistan.
Regardless of its severity, this attack underscores the vulnerability of government data online and reinforces the findings of an August report by the Senate Homeland Security and Governmental Affairs Committee on continuing cyber risk. That report found massive cybersecurity failings in a number of federal departments, including the State Department. I
n the meantime, the State Department’s lack of transparency regarding this breach seems unlikely to do anything to stave off speculation about who was responsible, what data was accessed, and when it might happen again. Considering that the Parliament of Poland also suffered a very public breach executed by Russian hackers in August, U.S. officials can’t be too careful.
Records Exposed: Undisclosed
Type of Attack: Undisclosed
Industry: Federal government
Date of Attack: Mid-August, 2021
Location: Washington, D.C.
Key takeaway: In business as well as government, transparency is a good rule of thumb for dealing with cyber attacks. As one security expert said about the State Department incident, “There’s no shame in being attacked, and disclosing it properly is laudable.” In fact, downplaying or being evasive about an attack can lead to worse reputational damage by giving the public reason to suspect something occurred that is being covered up.
Disgruntled NYC Employee Wipes out Banking Data
Customers of a New York City credit union got an unfortunate taste of third-party revenge when a recently fired credit union employee destroyed sensitive data on her way out the door. Court documents show that Juliana Barile pled guilty in late August to charges related to an incident following her dismissal from her part-time job.
Barile was let go from the unnamed credit union on May 19, but her security clearance was not immediately revoked. That allowed her to log back into the bank’s file server for 40 minutes on May 21, which was enough time for her to delete 21GB of customer data from the credit union’s system. Destroyed records included around 21,000 files and 3,500 directories. The bank is currently working to restore what records it can and make restitutions for those it can’t.
Records Exposed: Banking information stored on a shared server
Type of Attack: Record deletion by an inside actor
Date of Attack: May 21, 2021
Location: Brooklyn, New York
Key takeaway: Every day, we entrust our most sensitive data to dozens if not hundreds of people we’ll never meet. When one of those people goes rogue, we hope that the institutions designed to limit the potential damage are up to the task. That includes immediate restriction of access to sensitive accounts for any individual no longer employed by the organization.
BEC Attack Scams New Hampshire Town out of $2.3 Million
The small town of Peterborough, New Hampshire suffered an unexpected and devastating financial downturn as it was exploited in an email scam.
In two separate August incidents, an unknown overseas group faked an official-looking email thread that instructed the town’s financial officials to send scheduled payments intended for a construction firm and the local school system to a different bank account than usual. By the time the spoofing was exposed, $2.3 million of taxpayer money was in the pockets of cybercriminals.
In perhaps an example of just how commonplace this kind of attack has become, the commissioner of the state’s Department of Information Technology expressed little surprise concerning the theft. Dennis Goulet told the Concord Monitor, “Ransomware is getting all the news, but there is still the risk of business email compromise—BEC—which is really focusing around this type of activity.”
Goulet also noted the theft might have been averted with a simple phone call to confirm the banking change, but acknowledged that isn’t necessarily a reasonable expectation in an era where online transactions are the rule.
Records Exposed: Banking information and deposits
Type of Attack: Business email compromise
Industry: Municipal government
Date of Attack: Mid-August 2021
Location: Peterborough, New Hampshire
Key takeaway: As the commissioner notes, because of the heightened awareness around ransomware these days, less attention being paid to other forms of cybercrime. Business email compromise attacks and other forms of phishing are alive and well.
In fact, nearly $2 billion has been lost to BEC scams in the past year alone. Clearly these attacks still demand constant vigilance from security teams.
From solo hackers to foreign collectives to disgruntled employees, cybercriminals come in every stripe. The range of threats to businesses today goes well beyond what the cybersecurity solutions of yesteryear are equipped to handle. With attacks coming from all angles, today’s organizations need comprehensive security systems that can protect them from inside, outside, and anywhere bad actors might lurk.