Establishing Digital Trust: Don't Sacrifice Security for Convenience
Dow Jones & Company recently began notifying an undisclosed number of people that their contact information may have been exposed as a result of unauthorized access to its systems between August 2012 and July 2015, the Wall Street Journal reports.
The company was alerted to the breach by law enforcement, and hired "a top cybersecurity firm" to conduct an investigation.
"To date, our extensive review has not uncovered any direct evidence that information was stolen, and we have taken steps to stop the unauthorized access," Dow Jones CEO William Lewis wrote in a notification letter [PDF] to those affected. "We devote substantial resources to cyber security and we want to assure you that we are taking additional steps to further fortify our systems."
"We understand that this incident was likely part of a broader campaign involving a number of other victim companies," Lewis added. "It appears that the focus was to obtain contact information such as names, addresses, email addresses and phone numbers of current and former subscribers in order to send fraudulent solicitations."
In fewer than 3,500 cases, customers' payment card information may also have been accessed. "We are sending those individuals a letter in the mail with more information about the support we are offering," Lewis wrote. "If you do not receive such a letter, we have no indication that your financial information was involved."
Nir Polak, CEO and co-founder of Exabeam, told eSecurity Planet by email that there are clear ties between the Dow Jones breach and the recently disclosed breach at Scottrade, with similar data potentially accessed. "Recent attacks have moved from the network to the account, and unfortunately, many people's account credentials are used across multiple services," he said. "We may see more hackers stealing credentials and customer data from multiple organizations to piece together phishing schemes or gain access to the PII they want."
"With many of these breaches, the investigation and clean-up can take months to piece together a full picture of what happened," Polak added. "Organizations must reevaluate their security processes in order to speed up the time to detection."
And Tripwire senior security analyst Ken Westin said by email that an increase in identity fraud is now fueling a surge in data breaches. "The rise of underground markets where hackers and fraudsters engage in commerce with one another has created a black market economy that generates demand for our personal information," he said. "The power of the Internet continues to strengthen the links between these two types of crimes, allowing both to become more lucrative."
"Our personal information is harvested by attackers from any business that collects and stores it," Westin added. "The initial breach is just the beginning of a long con which can play out over months or years with the goal of robbing individuals of large sums of money. All financial services businesses are hot targets for cybercrime and fraud because their customers are more likely to be more wealthy, and therefore be more lucrative targets."
The Ponemon Institute's 2015 Cost of Cyber Crime Study recently found that the average annualized cost of cybercrime incurred by U.S. organizations is now $15 million, an 82 percent increase since the launch of the study six years ago.