What Do December Breach Announcements Point Out
First it was Marriott. The breach of Marriott’s Starwood division systems exposed data on 500 million clients and triggered multiple lawsuits and investigations.
That breach was four years in the making and spanned two different management teams – first at Starwood and then at Marriott.
Undetected.
This week 1-800-Flowers announced that it too was breached. The Canadian division’s web site was breached. In 2014. They detected the breach in September 2018, four years into it.
Undetected.
How do hackers remain inside the systems of large companies for four years?
Were the hackers targeting Marriott or 1-800-Flowers? Probably not, but once they got in, they probably thought they had gone to hacker heaven.
If hackers can do that to large companies, what about small companies?
The bottom line is that smart hackers want to stay in your system for as long as possible to maximize the “value”.
If you are stealing only credit cards, you can’t wait too long because credit cards expire. In the Marriott case, which is now linked to hackers working for the Chinese, they stole a lot of other useful information for identity theft that has a much longer shelf life.
Also, it seems to be taking Marriott a long time to figure out what was taken. I am not clear that they even really know now.
Big companies already know that they are targets of attackers, but so are small companies.
As companies increase the use of cloud-based systems, detecting the attacks could be harder.
Are you asking your cloud providers – all of them – who is responsible for detecting breaches? I bet for many providers, they will say it is you. And who responds to them?
Are you ready to respond to an incident, including figuring out what you are going to say on social media and how you are going to respond to social media chatter? Sometimes that chatter can get pretty brutal.
Companies need to prepare for and test how they are going to respond.
Small companies say it won’t happen to them, but while the Marriott and 1-800-Flowers type of breaches get lots of press, the vast majority of breaches, by number, happen to companies with a few employees up to a couple of hundred employees.
Both of these breaches were outed when the companies reported the breaches to authorities, so if you think you are going to keep your breach quiet, that is likely impossible unless it is really small.
Get prepared, stay prepared and be thankful if you don’t have to activate that preparation.
Information for this post came from Threatpost.