We’ve made it through spooky season once again, but there is still plenty of scary business unfolding in the world of cybersecurity.
October offered several useful cautionary tales for organizations, including a company that took fast action and averted a threat, one that overlooked a security gap for far too long, another that offered a crucial reminder about improper conduct, and one more that … well, we’re not quite sure what the heck happened with that one.
Read on to get the scoop on four of the most notable moments in cybersecurity from the past month.
October’s Biggest Cyber Attacks
Lloyd’s of London Moves Fast and Isn’t Hacked
As you might expect of a company whose name is synonymous with insurance in the United Kingdom, Lloyd’s of London acted with an abundance of caution when faced with a possible cyber attack. In a rather confusing series of events, Lloyd’s reported on October 6 that its security systems had detected “unusual activity” on its network. The company moved swiftly, shutting down all external connectivity immediately.
Lloyd’s spent the next several days conducting a thorough cybersecurity investigation with both its in-house team and two third-party security companies.
On October 12, the company announced that no compromise was found and began restoring all of the offline services. While Lloyd’s has not publicly addressed the nature of the possible breach attempt, expert observers say this has the earmarks of a failed ransomware attack.
Records Exposed: None
Type of Attack: Suspected ransomware attempt
Date of Attack: October 6, 2022
Location: London, UK
Key Takeaway: You know what they say about an ounce of prevention?
This voluntary shutdown may look like overkill at first glance — it can’t have been inexpensive for Lloyd’s to shut down its connected network for several days — but it’s hard to argue with the results.
A successful ransomware attack on such a high-profile target would likely have been far more costly and embarrassing. That Lloyd’s brought in multiple outside cybersecurity teams to aid in the investigation speaks well of the company’s commitment to data security.
Toyota Exposes Itself for Five Years
Sometimes a company just makes things too easy for bad actors.
In an October 7 announcement, Toyota acknowledged that a contractor had inadvertently posted a section of code on a public GitHub repository, containing a hardcoded access key that could potentially allow third parties to reach a data server holding customer information … in 2017. That means this door to valuable customer data was left open for five years before anyone at Toyota noticed it. Whether or not any sharp-eyed criminals spotted it in that time is anyone’s guess.
Fortunately, it appears that the data exposed was limited to around 300,000 customer identification numbers and email addresses.
Even so, this is the latest in a string of similar GitHub slip-ups from high-profile businesses such as Samsung, Nvidia, and Twitch, which speaks to a larger security problem with how major businesses manage their Git repositories.
Records Exposed: Data server access
Type of Attack: Exposed code
Date of Attack: September 2017 to October 2022
Key Takeaway: The big issue here is less about the data exposed and more about the fact that it could sit in the open for half a decade.
Giant companies like Toyota simply can’t keep an eye on every facet of their operations at all times, but the fact that such a potentially damaging mistake is that easy to overlook for that long speaks to a need for tighter controls somewhere in the system.
Ferrari Loses Data but Denies a Breach
OK, so here’s what we know for sure: On October 2, a known ransomware gang posted 7GB of internal information from Ferrari to its leak site, claiming to have breached the high-end automaker.
Here’s what we don’t know: How exactly they got their hands on that information.
While Ferrari acknowledged that the posted data — which reportedly included contracts, invoices, and other business materials — was legitimate, the company denied that it suffered a ransomware attack or any other kind of external data breach.
A Ferrari spokesperson told reporters that “there has been no disruption to our business and operations. The company is working to identify the source of the event and will implement all the appropriate actions as needed.”
The Record reports that the notoriously malicious RansomEXX gang has taken credit for the theft, but also that the group made no specific demands and has previously been accused of lying about and exaggerating attacks. (It’s almost as if these are dishonest people.)
As of this writing, the question of how the Ferrari data ended up in their hands remains unanswered.
Records Exposed: Internal business documents
Type of Attack: Ransomware? Maybe?
Date of Attack: October 2, 2022
Location: Maranello, Italy
Key Takeaway: This is an odd one, and it illustrates the tricky reputational stakes of a ransomware attack. Whether or not Ferrari was breached, that data is indisputably online and in the hands of known cybercriminals. It’s hard for a casual observer not to be suspicious of the company’s denial.
Is that fair to the victim company? Probably not, but reputation management isn’t always fair.
Uber Exec Takes a Fall in Cybercrime Coverup
In cybersecurity terms, 2016 seems like a very long time ago. And it really is, in many ways.
The October conviction of a former Uber executive illustrates how security measures have become much more diligent in the past six years, how much ransomware attacks have moved into the mainstream in that time, and the very real consequences companies can face for intentionally mishandling them.
In 2016, Uber was hit with a data breach that put the personal information of 57 million Uber customers in the hands of cybercriminals. Rather than informing the impacted customers of the breach and helping them restore their data privacy, Chief Information Security Officer Joseph Sullivan orchestrated a plan to pay off the thieves and keep the breach hidden from both the affected users and the Federal Trade Commission.
In October, Sullivan was found guilty of obstructing FTC proceedings and failing to report a felony, in what is thought to be the first criminal conviction of a C-suite executive in this kind of cybercrime case.
Records Exposed: Personally identifiable customer information
Type of Attack: Ransomware
Date of Attack: September 2016
Location: San Francisco, CA
Key Takeaway: The Washington Post notes that this may end up being a fairly unique case, as the explosion of ransomware in the past several years has made dealing with this kind of crime a standard part of most companies’ business models. Even so, Sullivan’s conviction underlines the importance of transparency, communication, and proactive planning for worst-case scenarios.
As you can see from this month’s roundup, threats to your company’s security can come from within, from without, and from parts unknown.
Investing in a full-service suite of cybersecurity solutions with dedicated 24×7 monitoring, detection and response capabilities is the surest way to guard against the full scope of threats in our ever-evolving online landscape.