BACKGROUND:
It has been reported that Canada Post has informed 44 of its large business customers that information relating to more than 950,000 customers was compromised after one of its suppliers fell victim to a malware attack late last week. Yesterday, the postal agency announced that Commport Communications, an electronic data interchange solution supplier, had notified them that manifest data held in their systems, which are associated with Canada Post customers, had been “compromised” in an attack on May 19. Commport Communications is used by Canada Post to manage the shipping manifest data of large parcel business customers.
<p>Cyber criminals work to achieve two things — money and data they can sell for money. Data breaches where they can steal names, email addresses and phone numbers are a good source of revenue and can be added to more extensive, accumulated data from other breaches. It is cross-referenced to create and verify a digital profile of individuals. This action helps increase the confidence of the data for the cyber criminal to create targeted or spear phishing emails to lure the victim into clicking a link and gaining access to their system. The cyber criminals will leverage that connection of trust to the victim\’s friends and families to click a link or open an attachment that appears to come from them and continue the vicious cycle of having people fall victim to various social engineering attacks.</p>
<p>Luckily, the information exposed wasn\’t particularly sensitive, other than the 3% of records that exposed the customer\’s email and phone number. Unfortunately, those poor souls will be exposed to the possibility of phishing schemes, including text messages, emails, and phone calls. While the CTV News report did not mention anything about how the breach was pulled off, it underscores the need for systems to be kept updated, while also educating employees and executives about how data breaches are performed.</p>
<p>Although the breach was quite large, the information contained in the leaked manifest is not particularly sensitive, save for the three percent of customers whose contact information was leaked. The orders in the manifest would have all been delivered by now, so there\’s little risk to current shipments. Names and addresses are essentially public information, anyway. Unless an attacker sought information about a specific shipment from over a year ago, which I consider unlikely, then the attack won\’t result in substantial harm. Those whose contact information was leaked could be at risk of phishing. I think the bigger concern is how this attack occurred. What vulnerability allowed Commport to be hacked? And has that vulnerability been exploited before? These are the questions that I hope the forthcoming investigation will answer.</p>
<p>The sheer number of companies breached is massive, and it will likely take months to know the full scale of potential damage, but this isn\’t the time for anyone to panic as a practical and measured response is advised. The Solar Winds supply chain breach was a teaching moment and an opportunity for companies to invest time in improving their security posture and hygiene. This breach could very well provide the same. My advice for companies potentially impacted is to isolate any machines that they think are compromised from others in the network. Reimaging impacted machines will be necessary and resetting credentials across all networks is wise and practical.</p> <p> </p> <p>In addition, companies should look through all data logs, check the hygiene of systems and make sure everyone is on high alert for future attacks. And in general, make sure your company is always on the hunt for adversaries, as it takes a 24×7 approach. The sooner you do these things, you can immediately reduce the likelihood that attackers are lurking in your network in silent mode.</p> <p> </p> <p>Overall, from a defender\’s standpoint, we\’ll never turn the tables on cybercrime and uncover malicious operations by chasing alerts. We need to arm security analysts with tools to quickly identify and respond to malicious operations with surgical precision. We need to detect earlier and remediate faster, think, adapt and act more swiftly than attackers can adjust their tactics, and have the confidence as defenders that we can always identify, intercept and eliminate emerging threats in a matter of minutes rather than days or weeks. Operation-centric security returns the high ground to the defenders by extending detection and response capabilities across the endpoint, the enterprise, to the entire network. This makes the task of understanding the full attack story behind any incident significantly easier to ensure their security programs are future-ready.</p>