In response to the news that Butlins has confirmed that the records of up to 34,000 guests have been accessed by hackers, IT security experts commented below.
Rob Shapland, Principal Cyber Security Engineer at Falanx:
Jake Moore, Security Specialist at ESET:
“Be alert to possible phishing emails from Butlins over the coming weeks. Due to the type of data compromised in a breach such as this, you may be susceptible to a larger number of phishing emails where fraudsters want to capitalise on it. These scams are increasingly sophisticated and difficult to spot as they rarely use a Nigerian Prince anymore. Therefore, as a rule of thumb, do not click on any links or download any documents that you are not expecting. Try to verify, if and where you can, the origin of an email before acting upon any requests.”
Dr. Jamie Graves, CEO & Founder at ZoneFox:
“As such, this shows again the importance of staff being ever-vigilant for inbox imposters. All of the expensive technology in the world can’t defend against someone being convinced that they are talking to a colleague or boss, rather than a cybercriminal. What that technology can do, though, is determine what exactly has happened to the data; what has been taken, where it has gone and how exactly this was carried out.
However, Butlin’s must be given credit for going public with a measured statement within 72 hours of the attack happening – especially with the GDPR time-frames in play for breaches which may include personally identifiable information – and for putting a team on the case to reach out to the individuals affected.”
Trevor Reschke, Head of Threat Intelligence at Trusted Knight:
“The real risk for those caught up in the Butlin’s breach is that the personal information that has potentially been leaked will be used to access other accounts, or for fraudulent purposes. Hackers accumulate and sell large databases of personal data in bulk exactly for this reason. Those who are affected should be extremely cautious of any unwarranted communications they receive and not just trust the source because they know their address or phone number. As always, they should also keep a close eye on their bank accounts to make sure no one has impersonated them.”
Rashmi Knowles, Field CTO EMEA at RSA Security:
“Instead of traditional computer-based training, organisations should be pushing for concentrated campaigns from in-house marketing teams; a strong example set by the rest of the C-Suite downwards; and interactive training methods such as learning via gaming software. The latter can be particularly good for repeat offenders, as they are given an opportunity to engage with IT teams and learn from experience. By taking a business-driven security approach, where all stakeholders are engaged in the conversation, threats can be tackled in a way that safeguards what’s most important – whether that’s intellectual property, a business-critical asset or customer data.”
Stats from Verizon’s DBIR:
The 2018 Verizon Data Breach Investigation Report found that phishing was the third most used attack method, with it being used in 1,192 incidents and 236 confirmed data breaches.
In addition, Verizon’s report also found:
- 20% of people still click on at least one phishing campaign during a year
- Social attacks leading to breaches (which includes phishing attacks) were only used in 15% of successful breaches within the entertainment industry
- Only 17% of phishing campaigns were reported, and almost no campaigns are reported by the majority of the people phished
Laurance Dine, Managing Principal, Investigative Response at Verizon Enterprise Solutions:
“DEFCON “Meh”: Reduce the impact of a compromised user device by segmenting clients from critical assets, and using strong authentication (i.e., more than a keylogger is needed to compromise) to access other security zones within your network. If you use email in the cloud, require a second factor.
“Talking about practice: Train the responders along with the end-user base. Test your ability to detect a campaign, identify potential infected hosts, determine device activity post-compromise, and confirm existence of data exfiltration. Practice, practice, practice to react quickly and efficiently to limit the impact of a successful phish.
“Role-playing games: Provide role-specific training to users that are targeted based on their privileges or access to data. Educate employees with access to employee data such as W-2s or the ability to transfer funds that they are likely targets. Increase their level of scepticism—it isn’t paranoia if someone really is out to get them.”
For reference, the DBIR draws its findings from an analysis of real-world data breaches investigated by Verizon and an extensive range of third-party contributors; including the likes of the U.S. Secret Service, UK legal services firm Mishcon de Reya, UK insurer Chubb and the Irish Reporting and Information Security Service (IRISS CERT) amongst others.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.