A Contractor’s Worst Nightmare: A $200K Breach
The nature of the cybersecurity incident in this contracting company highlights several crucial points. Firstly, the company maintained a relatively small amount of money in their bill pay bank account associated with QuickBooks Online (QBO) as a precaution against potential theft. However, this incident demonstrates that cybersecurity threats can extend beyond monetary theft and have far-reaching consequences.
The owner of the company fell victim to a Remote Access Trojan (RAT) attack, which allowed cybercriminals to gain unauthorized access to her laptop computer—the sole computer used by the company. The attackers installed a keylogger and were able to gather information related to multiple accounts, including the owner’s credentials for QBO. Although the owner had implemented multi-factor authentication (MFA) for her QBO account, the session tokens stolen by the hackers enabled them to bypass the login and MFA requirements.
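The MFA bypass described above works because a stolen session token is presented to the service exactly as the legitimate browser would present it, so the login step is never repeated. One way a defender can still catch it is to bind each session to the context it was issued in and alert when the same session id shows up from a different IP address and browser without a fresh login. The following is an added example written for this article, not code from the company, QuickBooks Online, or any vendor; the log format and field names are an assumption about what a SaaS audit log exposes, and the log lines themselves are constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit-log lines (one JSON object per line). They are not
# from the incident above; the field names are an assumption about what a SaaS
# audit log exposes. Session "s-1" passes MFA from one IP/browser, then the
# same session id is presented from a different IP and browser with no new
# login in between: the pattern a stolen session cookie produces.
SAMPLE_LOG = """
{"ts": "2023-06-01T08:02:10Z", "event": "login_success", "mfa": true, "user": "owner", "session": "s-1", "ip": "203.0.113.10", "ua": "Chrome/113 Windows"}
{"ts": "2023-06-01T08:05:41Z", "event": "request", "user": "owner", "session": "s-1", "ip": "203.0.113.10", "ua": "Chrome/113 Windows"}
{"ts": "2023-06-01T09:00:00Z", "event": "login_success", "mfa": true, "user": "bookkeeper", "session": "s-2", "ip": "203.0.113.11", "ua": "Edge/113 Windows"}
{"ts": "2023-06-01T09:30:00Z", "event": "request", "user": "bookkeeper", "session": "s-2", "ip": "203.0.113.11", "ua": "Edge/113 Windows"}
{"ts": "2023-06-01T13:47:02Z", "event": "request", "user": "owner", "session": "s-1", "ip": "198.51.100.77", "ua": "Firefox/114 Linux"}
{"ts": "2023-06-01T13:48:15Z", "event": "request", "user": "owner", "session": "s-1", "ip": "198.51.100.77", "ua": "Firefox/114 Linux"}
"""


def parse_log(text):
    """Parse JSON lines into event dicts with a datetime timestamp, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def find_session_anomalies(events, max_session_age=timedelta(hours=8)):
    """Flag sessions whose requests do not match the context they were issued in.

    A session is bound to the IP and user agent seen at login_success. A later
    request on the same session id from a different context, a request on a
    session with no observed login, or use beyond max_session_age raises one
    alert per session (for the first offending request only).
    """
    bindings = {}   # session id -> context recorded at login
    flagged = set()
    alerts = []
    for ev in events:
        sid = ev["session"]
        if ev["event"] == "login_success":
            bindings[sid] = {"ip": ev["ip"], "ua": ev["ua"], "issued": ev["ts"]}
            continue
        if sid in flagged:
            continue
        bound = bindings.get(sid)
        if bound is None:
            reason = "request on a session with no observed login"
        elif (ev["ip"], ev["ua"]) != (bound["ip"], bound["ua"]):
            reason = (f"session issued to {bound['ip']} / {bound['ua']} "
                      f"used from {ev['ip']} / {ev['ua']}")
        elif ev["ts"] - bound["issued"] > max_session_age:
            reason = "session used beyond its maximum lifetime"
        else:
            continue
        flagged.add(sid)
        alerts.append({"session": sid, "user": ev["user"], "ip": ev["ip"],
                       "ts": ev["ts"].isoformat(), "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in find_session_anomalies(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run against the constructed log, only session `s-1` is flagged, at the first request from the new address. The same check is far more effective enforced server-side (reject or re-prompt for MFA on a context change, and keep session lifetimes short) than run after the fact over logs, and IP changes from mobile or VPN users will produce some false positives, so the binding is a signal to act on, not a hard rule.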
Upon discovering the fraudulent payment and the breach, the owner took some immediate actions. She reset her laptop by reinstalling Windows, which unfortunately hindered any chance of a thorough forensic investigation to determine the full extent of the breach. She also reset all her passwords for various accounts. However, she did not execute a proper data breach response, such as notifying potential breach victims or seeking professional assistance, before wiping out the hard drives.
As time passed, the owner received threatening emails from the hacker, indicating that they had access to her breached data. Realizing the severity of the situation, she sought help from an incident response specialist. However, since there was no immediate technical response required, the specialist referred her to a data breach attorney, given the potential legal implications.
The estimated cost of the breach response and notification services through a provider like Experian was approximately $149,000, considering the number of records known to have been exposed in the QBO breach. Additionally, the minimum fee for breach counsel from the attorney was $55,000. These expenses provide a glimpse into the financial impact of the incident, excluding any penalties, fines, or potential criminal charges for attempting to cover up the data breach initially.
This incident serves as a reminder that cyber vulnerabilities go beyond the immediate financial risks associated with bank accounts and transfers. The protection of data, even when stored in the cloud, remains the responsibility of the company. Once unauthorized access to a system occurs, it must be assumed that sensitive information has been compromised, warranting appropriate measures such as data breach notifications, legal support, and potential ransom or extortion payments.
Overall, this incident highlights the importance of proactive cybersecurity measures, timely incident response, and proper data breach protocols to mitigate the impact and potential legal ramifications of a cyber attack.
UPDATE: Since this article was written, the agency has recovered from the breach and completed their notifications and other legal obligations. However, as an insurance agency that actually sells Cyber Liability Insurance to small businesses, they had a $3M policy covering cyber attacks like the one described in this article. Because the digital forensics investigation revealed the methods of the attacker(s) and the measures that were in place at the time of the attack, it was discovered that several measures required by the policy had not been maintained or properly implemented. As a result, the insurance carrier denied the agency’s $742,000 claim and required them to pay for the services the carrier had rendered in assisting with the breach response, amounting to more than $70,000. It’s telling when you consider that even a team of insurance experts, with a managing partner who is also an attorney, can end up in a situation like this simply because they thought their IT company “had them covered”.
In the fast-changing world of technology, businesses face increasingly sophisticated threats. This article examines a real-life social engineering attack on a large insurance agency, highlighting the tactics employed by the cybercriminal and the subsequent impact on the company. By analyzing the incident and the measures taken to address it, we aim to shed light on the importance of robust security practices and the lessons learned from this unfortunate event.
Overview of the Incident:
The cybersecurity incident unfolded when a criminal posed as a cybersecurity consultant and contacted the insurance agency, soliciting information about their IT support. The receptionist, unaware of the deception, willingly shared details about the agency’s IT provider and their main contact. Armed with this information, the criminal later targeted a new employee who had recently joined the company. Using the employee’s publicly available information on LinkedIn, including her job details and start date, the attacker gained her trust.
During a lunchtime call, the criminal convinced the inexperienced employee to grant remote access to her computer, claiming to address a “maintenance issue.” The criminal then asked her whether she wanted to head out for lunch, since he would need to use the computer for about an hour anyway. She thanked him and left the office, leaving him unattended with remote access to her computer. Seizing the opportunity, the attacker accessed network shares, uploaded information to his cloud storage, planted remote access tools, and deployed ransomware to encrypt files on the network share. Although the ransom was not paid thanks to the agency’s immutable backup, they did lose three days’ worth of information due to an undetected backup failure.
Immediate Consequences and Cost of the Breach:
The agency faced several immediate consequences as a result of the breach. Since personally identifiable information (PII) was accessed on the compromised network share, they had to undertake a digital forensics and incident response (DFIR) project. Additionally, the agency hired a data breach lawyer and incurred significant expenses associated with data breach notification letters sent to all affected individuals.
In terms of costs, let’s consider the following estimates for this breach:
DFIR project: $50,000
Data breach legal counsel: $75,000
Data breach notification for 30,000 records with non-medical PII: $626,750
Additional remediation costs and incident response efforts: $50,000
Total estimated cost: $801,750
Reasons for Changing Managed Service Provider (MSP) to Managed Security Services Provider (MSSP):
This incident prompted the insurance agency to terminate their relationship with the MSP and engage an MSSP that specializes in cybersecurity.
Lack of Identity Verification Protocols: The MSP did not have proper identity verification protocols in place, allowing the hacker to manipulate the employee by impersonating a consultant. An MSSP ensures strict identity verification procedures for all interactions.
Inadequate Application-Based Zero Trust: The MSP did not implement application-based zero trust architecture, which would have prevented unauthorized software installation and restricted access to critical systems. An MSSP prioritizes robust zero trust frameworks.
Insufficient Access Control: The MSP did not enforce proper access control measures, allowing the attacker to exploit the employee’s elevated privileges. An MSSP emphasizes the principle of least privilege to limit access authority and minimize potential damage.
Comprehensive Security Awareness Training: An MSSP provides thorough security awareness training to educate employees about social engineering tactics and the importance of maintaining confidentiality.
Proactive Backup Monitoring and Testing: An MSSP ensures real-time backup monitoring and frequent testing to guarantee the integrity of backups, minimizing the risk of data loss.
The social engineering attack on the insurance agency serves as a sobering reminder of the importance of robust cybersecurity practices. By learning from this incident, organizations can enhance their security posture and protect themselves against evolving threats. Implementing identity verification protocols, application-based zero trust frameworks, access control measures, comprehensive security awareness training, and proactive backup monitoring can significantly reduce the risk of social engineering attacks and mitigate the potential impact of a breach.
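The three days of data the agency lost came from a backup failure nobody noticed, which is exactly what the "proactive backup monitoring and testing" item above is meant to prevent. The check that catches it is not "did the job say success" but "does a verified-good copy exist that is newer than our recovery point objective". Below is an added example of such a check, written for this article and not the agency's or any MSSP's tooling; the manifest layout is an assumption, and the archives and job records are constructed so that one day reports success while writing an empty file, one day fails outright, and one day never runs.

```python
import hashlib
from datetime import datetime, timedelta


def sha256_hex(data):
    """Hex SHA-256 of the archive bytes; used to verify what actually landed."""
    return hashlib.sha256(data).hexdigest()


def parse_ts(text):
    """Parse the manifest's UTC timestamps (format is an assumption)."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


# Constructed stand-in for the backup target: archive name -> bytes stored.
# Day 3 exists but is empty (the job wrote a zero-byte file), day 4 is missing
# because the job failed, and nothing ran at all on day 5.
ARCHIVES = {
    "shares-2023-06-01.tar": b"day1 network share contents",
    "shares-2023-06-02.tar": b"day2 network share contents",
    "shares-2023-06-03.tar": b"",
}

# Constructed job manifest as a backup agent might report it. Day 3 reports
# "success" with the checksum of what it intended to write, not what it wrote.
MANIFEST = [
    {"finished": "2023-06-01T02:00:00Z", "status": "success", "archive": "shares-2023-06-01.tar",
     "sha256": sha256_hex(b"day1 network share contents")},
    {"finished": "2023-06-02T02:00:00Z", "status": "success", "archive": "shares-2023-06-02.tar",
     "sha256": sha256_hex(b"day2 network share contents")},
    {"finished": "2023-06-03T02:00:00Z", "status": "success", "archive": "shares-2023-06-03.tar",
     "sha256": sha256_hex(b"day3 network share contents")},
    {"finished": "2023-06-04T02:00:00Z", "status": "failed", "archive": "shares-2023-06-04.tar",
     "sha256": None},
]


def verify_backups(manifest, archives, now, rpo=timedelta(hours=24)):
    """Return the newest verified-good backup time and a list of findings.

    A backup counts as good only if the job reported success AND the archive
    is present on the target, non-empty, and matches the recorded checksum.
    The age of the newest good backup is then compared with the RPO.
    """
    findings = []
    last_good = None
    for entry in manifest:
        name = entry["archive"]
        if entry["status"] != "success":
            findings.append(f"{name}: job reported status '{entry['status']}'")
            continue
        data = archives.get(name)
        if data is None:
            findings.append(f"{name}: reported success but archive is missing from target")
            continue
        if len(data) == 0:
            findings.append(f"{name}: reported success but archive is empty")
            continue
        if sha256_hex(data) != entry["sha256"]:
            findings.append(f"{name}: checksum does not match manifest")
            continue
        finished = parse_ts(entry["finished"])
        if last_good is None or finished > last_good:
            last_good = finished
    if last_good is None:
        findings.append("no verified-good backup exists")
    elif now - last_good > rpo:
        age = now - last_good
        findings.append(f"last verified-good backup is {age.days} days {age.seconds // 3600} hours old, "
                        f"exceeding the RPO of {rpo.total_seconds() / 3600:.0f} hours")
    return {"last_good": last_good, "findings": findings}


if __name__ == "__main__":
    report = verify_backups(MANIFEST, ARCHIVES, now=parse_ts("2023-06-05T09:00:00Z"))
    print("last verified-good backup:", report["last_good"])
    for finding in report["findings"]:
        print("ALERT:", finding)
```

Run on the morning of day 5, the check reports that the newest verified-good copy is from day 2 and is more than three days old, the same gap the agency discovered only after the ransomware hit. A checksum match proves the archive is what the agent wrote, not that it restores cleanly, so a periodic test restore from the immutable copy still belongs in the monitoring routine alongside this check.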