Data Breaches at Cox, Mansueto Expose Employees' Personal Info
Thousands of employees' personal information was accessed, according to news reports.
Recent breaches at Cox Communications and Mansueto Ventures have exposed thousands of employees' personal data.
Motherboard yesterday reported that approximately 40,000 Cox Communications employees' names, email addresses, phone numbers and other data were recently offered for sale on the dark Web.
The hacker selling the data didn't tell Motherboard how he or she accessed the data, but did indicate that other information may also have been stolen.
"Cox Communications is aware of this matter and the business-related information to which it relates," Cox spokesman Todd Smith told Motherboard. "We're taking this very seriously and have engaged a third-party forensic team to conduct a comprehensive investigation and are actively working with law enforcement. Cox's commitment to privacy and data security is a top priority for the company."
IDT911 chairman and founder Adam Levin told eSecurity Planet by email that the breach indicates Cox has more work to do on privacy and security. "If you are an impacted employee, and it appears that any of your credit or financial accounts have been tampered with, close the accounts immediately to prevent thieves from accessing any more information," he said. "Do not click on any links in emails you receive or provide any personal information to someone who contacts you either online or by phone because it could be a phishing, spearphishing or vishing attack."
And the New York Post today reported that hackers have stolen employee wage information and Social Security numbers from Mansueto Ventures, which publishes the magazines Fast Company and Inc. One employee told the Post that the hackers have already used the stolen data to file fraudulent tax returns.
FinalCode COO Scott Gordon told eSecurity Planet by email that it's hard to understand why a company wouldn't encrypt this kind of data. "When you consider how common cyberthreats are, it’s careless for any company to not encrypt Social Security numbers, financials, health insurance information and other sensitive employee or customer data that is subject to regulations," he said. "To address these evolving conditions, companies need to secure and control the data over its entire lifecycle."
A recent Palo Alto Networks survey of 304 participants with hacking skills in the U.S., U.K. and Germany found that 73 percent of respondents said attackers look for easy, "cheap" targets, and 72 percent said they won't waste time on an attack that won't quickly yield high-value information.
The survey, conducted by the Ponemon Institute, also found that the average attacker earns less than $30,000 a year from their hacking activities, and 69 percent of respondents said hackers will quit their attack when the targeted organization presents a strong defense.
Ponemon Institute chairman and founder Dr. Larry Ponemon said in a statement that the survey clearly illustrates the importance of threat prevention. "By adopting next-generation security technologies and a breach prevention philosophy, organizations can lower the return on investment an adversary can expect from a cyberattack by such a degree that they abandon the attack before it’s completed," he said.
Separately, a survey of 500 CIOs at large enterprises, conducted by Vanson Bourne on behalf of Venafi, has found that fully 90 percent of respondents say they're wasting millions on inadequate cyber security solutions.
Eighty-six percent of respondents said they expect stolen encryption keys and digital certificates to be the next big market for hackers, and 95 percent said they're worried about how they will securely manage and protect all encryption keys and certificates. Ninety percent either have suffered or expect to suffer from an attack in which encrypted traffic is used to hide the attack.
"With a compromised, stolen, or forged key and certificate, attackers can impersonate, surveil, and monitor their targets’ websites, infrastructure, clouds, and mobile devices, and decrypt communications thought to be private," Venafi vice president of threat intelligence and security strategy Kevin Bocek said in a statement. "Increasingly, the systems we’ve put in place to verify and establish online trust are being turned against us."
A recent eSecurity Planet article examined the top 10 encryption tools you should know.