As threats to data security grow, how can organisations mitigate the risks?
No business is completely immune to data breaches
It doesn’t matter how secure your cyber defences, or how robust your IT patch management processes, there are many ways that fraudsters can access and exfiltrate your data for criminal purposes.
Cybercriminals might access your customers’ data through systems used by your supply chain, or outsourced partners, whose defences may not be as robust as yours. They could gain access when an employee inadvertently clicks on a link in a phishing email. Or they could exploit an as-yet unpatched vulnerability in the software or systems used by you or your suppliers. The complex web of data interactions between businesses, suppliers, partners and IT systems means that no data can ever be considered 100% safe.
In research we carried out in December 2021, 78% of organisations surveyed had experienced a data breach of customer information in the previous 18 months – and 39% had been hit more than once.
Data theft on a global scale
The recent vulnerability of the MOVEit file transfer protocol provides a sobering demonstration of the widespread damage and disruption that can be caused by this type of attack. MOVEit is used by organisations worldwide to securely transfer sensitive data. When a ransomware firm exploited a vulnerability in the software, they were able to steal vast amounts of confidential data and demand ransoms from its owners. The number of organisations known to be affected is currently more than 1,000, and the number of impacted individuals exceeds 60 million[1].
What is MOVEit?
MOVEit is a managed file transfer protocol created by Ipswitch, Inc. Used by a wide range of companies across the public and private sector, it was hacked in May 2023 by a group called CL0P who gained access to sensitive personal data using ransomware.
In many cases, the MOVEit software was not being used by the impacted organisations directly, but by outsourced data processors providing a range of data-handling services. Among those affected were trusted organisations and household names from around the world, which suddenly had to respond to a breach of software they did not themselves use. Nevertheless, these organisations needed to face up to the loss, and inform and support their customers through the recovery process.
Fraudsters seek path of least resistance
Cybercriminals are constantly looking for the path of least resistance in IT systems, to find the easiest way to get access to data. The MOVEit exploitation is an example of a zero-day attack, which is really the golden key for cybercriminals. A zero-day attack exploits a previously unknown, and therefore unpatched, vulnerability in a system or software. When the criminals attack, the target organisations have no way to close the vulnerability immediately because no patch exists. The gateway to hackers remains open until developers are able to produce a patch. These exploitations are so named because the organisations impacted have ‘zero days’ to patch the vulnerability and stop the data loss.
No room for complacency
The MOVEit exploitation happened at a time when businesses were questioning whether or not they should retain their cyber insurance policies, because premiums were going up, exclusions and exemptions were being introduced, and policy excesses were increasing.
The far-reaching implications and impacts of this breach are a stark reminder to businesses that even if your own IT systems are robustly protected, your data can still be at risk. The attack was not targeted at specific companies, but at the software used by thousands of organisations globally.
Crisis responders under pressure
The overwhelming scale of MOVEit put a huge strain on the available expertise and resources to help businesses recover – including legal teams, forensic IT specialists, crisis PR companies, data breach and crisis response providers. MOVEit highlighted the fact that crisis recovery resources are finite and, in the aftermath of a systemic attack, businesses may find those resources difficult to access.
It highlights the need for organisations to prepare for a possible ransomware or malware attack, whether directly on their own systems or on the systems of their suppliers.
Is your business ready to respond?
Preparing a response and recovery plan in advance gives your business the best chance of being able to deal with the consequences of a breach efficiently and effectively. Companies whose data is breached are likely to be fined by the regulator. If your business then fails to inform customers promptly and mount an effective recovery process, you could face further fines.
But the biggest impact of a data breach is the potential damage to your reputation, particularly if you are a consumer-facing brand. If you handle the data breach notification and recovery process swiftly and professionally with your customers, you stand a far better chance of protecting your hard-won reputation.
The first step to developing the right response and recovery plan for your organisation is to understand the implications of a data breach, and the actions you will need to take to inform and support customers. Understanding how to quantify the impacts, determine your responsibilities and identify the resources you will need to respond effectively will be the subject of my next blog post.
How can we help?
If you’re concerned about the impact of a data breach on your organisation, please visit our website or contact the Experian Crisis & Data Breach Response team on 0844 4815 888 or via email.
Further reading
Data controllers: protecting reputations in the event of a data breach
This blog focuses on data controllers. These are the custodians of the data belonging to their customers, service users, staff and other consumers.
Ransomware response for education providers and charities
Ransomware attacks have been sweeping the globe. Find out how to manage post-breach situations in the education and charity sectors.
Ransomware – Consumer response plans
How can data processors optimise resources and minimise costs? Fears about the threat posed by ransomware have proved well founded. Read more.
Why consumers need to be central to crisis response plans
The impacts of a cyber-attack, health emergency or data breach can be devastating for the business. But the greatest impacts are often felt by consumers.
Plan your crisis response plan before it happens
The costs of dealing with a crisis are significantly higher for businesses that have not planned their response in advance - that is why it is so important to plan in advance.
How well do you understand customers’ online security experience?
Take our interactive quiz to test your knowledge and find out exactly what consumers need to feel secure in their online journey.
Top five priorities when considering the use of machine learning in fraud prevention
Accessing advanced fraud-protection solutions based on Machine-Learning (ML) has never been as straightforward as it is today. Read more.
Transforming financial crime prevention
In this paper, we share our insights around enabling Financial Crime automation to help strategically monitor commercial portfolios.
What are Inaccurate Liabilities?
Inaccurate Liabilities fraud happens when companies overstate the value of their assets to borrow more, while understating the value of their existing liabilities with other lenders.
Detect, prevent and deter UK B2B Fraud and Money Laundering
In our webinar series, discover the key trends around how criminals are exploiting UK business to perpetrate fraud and financial crime.
[1] MOVEit, the biggest hack of the year, by the numbers, TechCrunch