Thousands of small business owners reeling from the aggressive measures taken to halt the spread of the coronavirus may have had their personal information exposed last month on a government website that handles disaster loan applications.
I was just thinking about the biggest breaches we’ve had in history, from companies like Adobe, LinkedIn, Equifax, Marriott, Target, etc., and wondering how badly they’ve been affected long-term.
Stock price doesn’t tell the full story of whether something impacted a company.
I’m wondering one specific thing about these top companies with the biggest breaches: What percentage of companies that were top-three in their industry, were dropped out of their top-three spot as a result of their incident?
Here’s the list I’m looking at, which may not be perfect.
I removed Yahoo and eBay because they were dying due to market forces unrelated to security breaches, and OPM because it’s part of the government.
- Adobe
- Equifax
- Home Depot
- Target
- Marriott
By my count, every single one of these companies has maintained its industry-leader position years after the incident. So the answer to the question of “what percentage lost their leadership position?” seems to be a big fat:
0%
None. Out of these six—and I’m sure I’m forgetting some—they’ve all maintained their dominant position as if nothing ever happened.
There are of course many smaller companies—and especially startups—that had a bad incident early on and went out of business because of it. But that seems to be a case of chasing away investors more than the stock market or customers.
It’s just interesting to me that Adobe is still the market leader. Marriott is winning at the hotel Game of Thrones more than ever. Equifax is annoyed, I’m sure, but their position as an industry leader hasn’t been shaken as far as I can tell.
Target? Still #2 to Walmart in that space. Home Depot? Yep, still doing their thing and either #1 or #2. LinkedIn is just fine as well.
So what?
So why did I bother to notice this, or point it out?
It just seems really interesting to me that for top-N industry leaders, both stock price and competitive position seem immune in the long-term to even the largest breaches that we’ve seen.
That doesn’t mean it doesn’t cost them money. And effort. And the opportunity cost. So it’s not pleasant or desirable or cheap for this to happen.
But it also doesn’t seem to be an existential risk for top companies, which is a belief that many people still hold.
I think lots of CEOs and CISOs and security teams proceed every day under the assumption that a big breach could be the end of their entire company. And maybe that’s best. Maybe people become good at their jobs—regardless of what it is—by convincing themselves that it’s more important than the reality.
But I can’t help but be intrigued by disconnects like this, where the general opinion among practitioners is divorced from the actual case.
Curious what others think—both about my assessment of infosec’s collective opinion on the existential threat, and about the overall analysis of how much mega-breaches affect mega-companies.
—
If you like my content, you can support it directly for less than a latte a month ($50/year), which also gets you the Unsupervised Learning podcast and newsletter every week instead of just twice a month.
Reporting on the exposure of some 26 million stolen credit cards leaked from a top underground cybercrime store highlighted some persistent and hard truths. Most notably, that the world’s largest financial institutions tend to have a much better idea of which merchants and bank cards have been breached than do the thousands of smaller banks and credit unions across the United States. Also, a great deal of cybercrime seems to be perpetrated by a relatively small number of people.
In September, an anonymous source sent KrebsOnSecurity a link to a nearly 10 GB set of files that included data for approximately 26 million credit and debit cards stolen from hundreds — if not thousands — of hacked online and brick-and-mortar businesses over the past four years.
The data was taken from BriansClub, an underground “carding” store that has (ab)used this author’s name, likeness and reputation in its advertising since 2015. The card accounts were stolen by hackers or “resellers” who make a living breaking into payment card systems online and in the real world. Those resellers then share the revenue from any cards sold through BriansClub.
KrebsOnSecurity shared a copy of the BriansClub card database with Gemini Advisory, a New York-based company that monitors BriansClub and dozens of other carding shops to learn when new cards are added.
Gemini estimates that the 26 million cards — 46 percent credit cards and 54 percent debit cards — represent almost one-third of the existing 87 million credit and debit card accounts currently for sale in the underground.
“While many of these cards were added in previous years, more than 21.6 million will not expire until after October 2019, offering cybercriminal buyers ample opportunity to cash out these records,” Gemini wrote in an analysis of the BriansClub data shared with this author.
Cards stolen from U.S. residents made up the bulk of the data set (~24 million of the 26+ million cards), and as a result these far more plentiful cards were priced much lower than cards from banks outside the U.S. Between 2016 and 2019, cards stolen from U.S.-based bank customers fetched between $12.76 and $16.80 apiece, while non-U.S. cards were priced between $17.04 and $35.70 during the same period.
Image: Gemini Advisory.
Unfortunately for cybercrime investigators, the person who hacked BriansClub has not released (at least not to this author) any information about the BriansClub users, payments, vendors or resellers. [Side note: This hasn’t stopped an unscrupulous huckster from approaching several of my financial industry sources with unlikely offers of said data in exchange for bitcoin].
But the database does have records of which cards were sold and which resellers (identified only by a unique number) supplied those cards, Gemini found.
“While neither the vendor nor the buyer usernames appeared in this database, they were each assigned ID numbers,” Gemini wrote. “This allowed analysts to determine how prolific certain threat actors were on BriansClub and derive relevant metrics from this data.”
According to Gemini, there were 142 resellers and more than 50,000 buyers of the card data sold through BriansClub. These buyers purchased at least 9 million of the 27.2 million cards available.
Image: Gemini Advisory
One reseller in particular (ID: 174,829) offered just shy of 6 million records, posted for $106 million. Of those, almost 940,000 were sold, grossing over $16 million in profits shared between BriansClub and the reseller. In the quote below, a “base” refers to a distinct batch of freshly-stolen card data uploaded to BriansClub.
“For context, the collective price for the entirety of exposed BriansClub records was $566 million, while the total dollar amount of all sold records exceeded $162 million,” Gemini noted. “The top 20 buyers bought 5% of the entire set of records in this shop, while the top 100 buyers accounted for 11%. The shop had a total of 11,000 bases, with most vendors uploading multiple bases.”
Image: Gemini Advisory
All of the 26 million+ card records leaked from BriansClub were shared with multiple trusted sources that work directly with financial institutions to inform them when their customers’ cards go up for sale in the cybercrime underground.
Banks at this point basically have three options. Ignore the report and hope for the best. Cancel the card and reissue. Or monitor the card more closely and place tighter fraud controls on that account.
But here’s the thing: Not all banks got the data at the same time. The larger banks got it first and largely shrugged. At least, that is what anti-fraud sources at two large U.S.-based financial institutions told me: their anti-fraud teams had already identified 90-95 percent of the cards as potentially compromised in one of hundreds of breaches since 2015, mostly those involving malware inside point-of-sale retail checkout systems.
The sources I spoke with at smaller financial institutions found out about the cards they’d issued to customers that wound up in the BriansClub data by receiving alerts last week from Visa and MasterCard. Most of those sources seemed genuinely surprised at the number of cards exposed, and two sources at different credit unions each estimated they were previously unaware of about 80 percent of the cards listed in the alerts from the credit card companies.
Also, smaller financial institutions are far more likely to eat the cost of re-issuing cards at risk of fraudulent use than are larger institutions, which typically have a much higher tolerance for financial losses from counterfeit card fraud. So far, however, there is no evidence this flood of card data intelligence is causing much of a stampede for re-issuing cards.
Visa maintains that smaller financial institutions receive the same alerts sent to larger banks about cards thought to be exposed in specific breaches. The alerts include cards specific to each bank, but smaller banks are often limited in the resources they have available to do much with the reported card data, aside from re-issuing the card.
Gemini CEO and co-founder Andrei Barysevich said so far the feedback from the banks has been all over the place.
“While the larger US banks told us that most of the cards have been previously flagged as compromised, the mid and small size financial institutions were caught completely off-guard,” he said. “As to the European and Asian banks, to them the data was mostly new, in some cases upwards of 60% of cards were still open and active.”
I thought perhaps the card associations could provide some meta-statistics on the BriansClub dump, but those hopes were dashed as well. MasterCard did not respond to requests for comment. Visa declined to share any information related to the BriansClub database (even though they got it indirectly care of Yours Truly), but issued the following statement:
“As part of our core mission to ensure security across the payment system, we are very aware of carder forums and other criminal enterprises. Visa continuously invests in intelligence and technology to detect cyber threats and works with law enforcement, clients and other partners, to mitigate and disrupt such threats.
“Whenever we discover compromised account information, Visa uses its payment intelligence and investigative capabilities to determine the source. We also work with our financial institution clients to provide card issuers with the compromised account numbers so they can take steps to protect consumers through independent fraud monitoring and, if needed, by reissuing cards. Incidents such as these reinforce the need for secure technologies such as chip and tokenization to devalue account information so that even if stolen, data cannot be leveraged for fraud.”
Gemini found that exactly two-thirds of the stolen cards (66.6 percent) siphoned from BriansClub were Visa-branded, and 23 percent MasterCard. A full 85% of the total records were EMV (chip) enabled, with the remaining 15% using only a magnetic stripe.
One final note: The Gemini report also challenges claims made by the administrator of BriansClub, namely that he removed the breached cards from his online store and that the data leak stemmed from a breach in February at his site’s data center.
The BriansClub admin, defending the honor of his stolen cards shop after a major breach.
“While the administrator of BriansClub, operating under the moniker ‘Brian Krebs,’ claimed that the breach took place in February 2019, this appears to be false,” Gemini observed in its report. “The number of records from South Korea corresponds to a previous spike in South Korean records that occurred from March 2019 through July 2019. If BriansClub were breached in February, the South Korean-issued cards would number under 10,000 rather than over 1 million.”
The report continues:
“This threat actor also claimed to have removed the compromised records from the shop. Gemini has found this claim to be false as well. Since BriansClub offers a ‘checker service’ for all purchased records to determine whether compromised payment cards are still open, it may be unnecessary to remove the cards. The shop likely assumes that even if the banks received the compromised card data from this breach, they are unlikely to close down and reissue every single card.”
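The three questions an issuer faces when a dump like this lands (which of the cards are mine and still unexpired, which resellers supplied them, and does the upload timeline support the shop’s claimed breach date?) can be answered from the kind of per-record fields Gemini describes. The following is an added example and not Gemini’s or KrebsOnSecurity’s code; the record layout, the BIN prefixes and every value in it are constructed for the demonstration.

```python
from collections import Counter
from datetime import date

# Constructed sample of leaked card records (not real data). Each record is
# (masked PAN, expiry "YYYY-MM", issuing country, reseller id, upload month).
# The PANs and BIN prefixes are placeholders invented for this demo.
SAMPLE_RECORDS = [
    ("411111******1111", "2019-08", "US", 174829, "2018-11"),
    ("411111******2222", "2020-03", "US", 174829, "2019-05"),
    ("411111******3333", "2021-01", "US", 2001,   "2019-06"),
    ("555555******4444", "2019-12", "US", 2001,   "2018-02"),
    ("400000******5555", "2020-06", "KR", 3003,   "2019-04"),
    ("400000******6666", "2021-09", "KR", 3003,   "2019-07"),
    ("400000******7777", "2019-05", "KR", 3003,   "2019-01"),
]


def parse_month(ym: str) -> date:
    """Turn 'YYYY-MM' into a date on the first of that month."""
    year, month = ym.split("-")
    return date(int(year), int(month), 1)


def issuer_triage(records, own_bins, as_of):
    """Records an issuer still has to decide on: cards on its own BIN
    prefixes whose expiry month is after `as_of`. Already-expired cards
    need no reissue, so they are dropped."""
    cutoff = parse_month(as_of)
    return [r for r in records
            if r[0].startswith(tuple(own_bins)) and parse_month(r[1]) > cutoff]


def reseller_counts(records):
    """How many records each reseller id contributed; the shop assigned
    IDs instead of usernames, which is enough to rank prolific sellers."""
    return Counter(r[3] for r in records)


def country_after(records, country, claimed_breach):
    """Count records for `country` uploaded after a claimed breach month.
    If the database had really been copied in that month, records uploaded
    later could not be in it, so a large count contradicts the claim."""
    cutoff = parse_month(claimed_breach)
    return sum(1 for r in records
               if r[2] == country and parse_month(r[4]) > cutoff)
```

Running `country_after(SAMPLE_RECORDS, "KR", "2019-02")` is the same reasoning Gemini applied to the South Korean spike, just on constructed rows.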
Bed, Bath, & Beyond Data Breach
An official announcement made earlier this week acknowledged illicit access to customer data used in online accounts for Bed, Bath, & Beyond. While the breach didn’t affect payment card information, the retailer quickly began contacting affected customers and took steps to safeguard against future incidents.
Johannesburg Shutdown After Cyber Attack
Three months after a cyber attack hit Johannesburg, South Africa, the city is once again dealing with network outages. After a ransom note was posted to several social media outlets, city officials are still attempting to downplay the attacks, claiming they purposefully took the sites down rather than admitting they were ransomed by hackers. In addition to the ransom note, the hackers also posted screenshots demonstrating their control over the city’s network systems and their expectation of payment.
UniCredit Financial Data Leak
Officials working for UniCredit, an Italian banking firm, announced that unauthorized access to their systems has left the sensitive information of nearly 3 million Italians exposed. Fortunately, the stolen information did not include any financial data, but it did contain personally identifiable information such as names and contact details. It is unclear how hackers gained access to the data, though it appears the data may have been taken years earlier in prior security breaches faced by the firm.
Ransomware Shuts Down New Mexico School District
Las Cruces Public Schools, a New Mexico school district, was forced to take their entire system offline following a ransomware attack. While email and other important services are still offline, students have still been attending classes as normal, though the process of fully remediating the incident has just begun. It is still unclear how the attack was initiated, but it’s the latest in a long line of educational institutions that have fallen victim to ransomware this year.
Malware Attack on Indian Power Plant
It has been confirmed that both an Indian nuclear power plant and another piece of infrastructure have fallen victim to a malware attack apparently tied to North Korean actors. Fortunately, the attacks did not allow unauthorized control of the systems, though this attack may have been only a test to determine security and response times in preparation for a larger, future attack.
The post Cyber News Rundown: Bed, Bath, & Beyond Data Breach appeared first on Webroot Blog.
Retrieval-Masters Creditors Bureau, the company that operates healthcare billing services provider American Medical Collection Agency (AMCA), has filed for Chapter 11 bankruptcy due to a recent data breach affecting millions of individuals.