Robinhood Data Breach – Expert Comments

BACKGROUND:

Cybersecurity experts commented below on news that the stock trading platform Robinhood has disclosed a data breach after its systems were hacked, exposing personal information of approximately 7 million customers.

15 Expert Comments
Ken Westin, Director, Security Strategy
InfoSec Expert
November 10, 2021 1:57 pm

Today, financial services companies are a prime target of cybercriminals “because that’s where the money is”, to quote famous bank robber Willie Sutton. With Robinhood reporting a data breach involving more than 7 million customers, it is a stark reminder that no company is immune to the risks posed by motivated hackers.

It appears a limited amount of personal information was compromised. And while the hackers have stolen email addresses and/or full names of 7 million people, a smaller group of less than 500 customers had personal information stolen. Minimally impacted consumer info can still be leveraged for secondary phishing attacks to gain access to accounts, making it critically important for their customers to be vigilant while regularly checking their accounts for any signs of fraud.

The breach appears to be the result of social engineering of a single customer support employee and a reminder that humans are oftentimes the weakest link in the ecosystem. To reduce risks, companies should have multiple layers of controls in place with restrictions on who can access mission-critical data. This can be challenging for financial services companies with employees working remotely from home and customer data and systems becoming more distributed across on-premises, cloud and SaaS infrastructures.

Last edited 10 months ago by Ken Westin
Trevor Morgan, Product Manager
InfoSec Expert
November 10, 2021 1:45 pm

The stock trading platform Robinhood very directly addressed the ongoing problem of social engineering tactics. Social engineering is the use of trickery, misdirection, and other methods of subterfuge to fool a person into giving up sensitive information to a threat actor. Each one of us has been exposed (probably very recently) to social engineering tricks, whether through email appeals to click a link or launch an attachment or other forms of deceptive communication. Robinhood’s own organization succumbed to this “low-tech” approach to circumventing data protection methods. All it takes is one moment of inattention or gullibility, and the threat actor carrying out social engineering techniques is one step closer to the ultimate goal.

The question Robinhood’s situation raises is, why are social engineering techniques still successful given the amount of information we all have on them? Most organizations spend ample time and funds trying to educate employees on all these techniques, but quite frankly training doesn’t address the root problem. Most employees work in a hyper-accelerated data environment in which demands for information are coming from all directions. To delay providing or sharing information can halt progress and potentially frustrate the requestor. We have all gotten used to working faster and pushing information out as fast as we can, but this is exactly the vulnerability that social engineering preys upon. Not taking the time to inspect emails, to think through a situation without haste or pressure, or to confirm a request to ensure the legitimacy of the requestor is the fatal flaw.

Organizations can do two things. One, build an organizational culture that values data privacy and encourages employees to slow down and consider all of the ramifications before acting on requests for sensitive information. If business leaders can get behind initiatives that help employees take the time to do the right thing, then the culture of data privacy and data security will be that much stronger. Two, IT leaders can consider data-centric security as a means to protect sensitive data rather than the perimeters around data. Tokenization, for example, not only makes sensitive data elements incomprehensible, but it also preserves data format so business applications and users can still work with the data in protected states. If you never de-protect data, chances are that even if it falls into the wrong hands, the sensitive information cannot be compromised.

Last edited 10 months ago by Trevor Morgan
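The comment above describes tokenization as a data-centric control: the real value lives only in a vault, and applications handle a token that keeps the original's shape. The following is an added illustration written for this page, not Robinhood's code or any vendor's product; the `TokenVault` class, the role name `payments-service` and the sample values are all constructed assumptions. It shows format-preserving tokens (digits stay digits, letters stay letters, separators are kept), stable tokens so that joins and lookups still work on tokenized data, and a de-tokenization path that is refused to a support role.

```python
import secrets
import string


class PermissionDenied(Exception):
    """Raised when a caller's role is not allowed to de-tokenize."""


def shape(value: str) -> str:
    """Describe the format of a value: 'd' per digit, 'A'/'a' per upper/lower
    letter, and every other character (separators such as '-', '@', '.') as-is.
    Two values with the same shape pass the same format validation rules."""
    out = []
    for ch in value:
        if ch.isdigit():
            out.append("d")
        elif ch.isupper():
            out.append("A")
        elif ch.islower():
            out.append("a")
        else:
            out.append(ch)
    return "".join(out)


class TokenVault:
    """Hypothetical vault-style tokenization (assumption, illustration only).

    Each sensitive value is replaced by a random token of the same shape. The
    mapping token -> value is the only place the real data exists, so a copy of
    the tokenized application database reveals nothing usable on its own."""

    # Roles allowed to turn a token back into the real value (constructed policy).
    DETOKENIZE_ROLES = {"payments-service"}

    def __init__(self) -> None:
        self._token_to_value: dict[str, str] = {}
        self._value_to_token: dict[str, str] = {}

    @staticmethod
    def _random_same_shape(value: str) -> str:
        """Replace each digit/letter with a random one of the same class; keep
        separators so the token validates like the original."""
        out = []
        for ch in value:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isupper():
                out.append(secrets.choice(string.ascii_uppercase))
            elif ch.islower():
                out.append(secrets.choice(string.ascii_lowercase))
            else:
                out.append(ch)
        return "".join(out)

    def tokenize(self, value: str) -> str:
        """Return the stable token for value, minting one on first sight."""
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:
            token = self._random_same_shape(value)
            # Never hand back the real value, and never reuse an existing token.
            if token != value and token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """De-protect a token; only the allow-listed roles may do this."""
        if caller_role not in self.DETOKENIZE_ROLES:
            raise PermissionDenied(f"role {caller_role!r} may not de-tokenize")
        return self._token_to_value[token]


def demo() -> dict:
    """Tokenize constructed sample values and return facts a caller can check."""
    vault = TokenVault()
    account = "4111-2222-3333-4444"   # constructed sample, not a real account
    email = "alice@example.test"      # constructed sample address
    tok_account = vault.tokenize(account)
    tok_email = vault.tokenize(email)
    return {
        "account_token_same_shape": shape(tok_account) == shape(account),
        "email_token_same_shape": shape(tok_email) == shape(email),
        "account_token_differs": tok_account != account,
        "token_is_stable": vault.tokenize(account) == tok_account,
        "payments_can_detokenize": vault.detokenize(tok_account, "payments-service") == account,
    }


if __name__ == "__main__":
    print(demo())
```

A support application working on the tokenized copy can still validate, search and join on the token (it has the same length and character classes), while only the payments role can reach the vault; in a real deployment that role check would be enforced by the vault service, not by the caller.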
Chris Deverill, UK Director
InfoSec Expert
November 10, 2021 1:42 pm

The latest cyberattack on Robinhood is a stark reminder of the critical need for organisations to adopt a layered security strategy that includes the increasingly critical aspect of defending against human error. The fact that malicious actors were able to access Robinhood’s systems after tricking a support desk worker on the phone proves the importance of implementing ongoing cybersecurity training and awareness. Teaching employees how to recognise phishing attempts and detect malicious activity will ultimately enable them to access the security resources needed to stop cybercriminals in their tracks, and carry out their own jobs safely and effectively.

More than ever before, we are operating in a cyber landscape where implementing a comprehensive security strategy is no longer an opt-in or opt-out option. This latest data breach is a stark reminder of the critical importance of user awareness and education amongst organisations. By improving this, businesses can make employees their first line of defence when it comes to cybersecurity, and further protect their organisation and customers from such attacks in the future.

Last edited 10 months ago by Chris Deverill
Steven Hope, CEO and co-founder
InfoSec Expert
November 10, 2021 1:37 pm

While most of the data extracted for the majority involved isn’t extremely sensitive or confidential, it can still be used by bad actors for social engineering or password spraying/credential stuffing attacks. Unfortunately, many individuals still make the mistake of using or re-using breached passwords, making their accounts extremely easy to access for cybercriminals. As such, it is vital that users understand not to share anything related to their passwords on their socials, and to use multi-factor authentication systems to protect their vital information.

Last edited 10 months ago by Steven Hope
Alicia Townsend, Technology Evangelist
InfoSec Expert
November 10, 2021 1:36 pm

This incident highlights two important points: educating employees about possible cybersecurity threats, especially social engineering threats, and limiting access to customer information to the bare minimum for employees based upon their job role.

Cybersecurity education needs to occur more than once a year in the form of self-paced online training. It needs to be spread throughout the year: run drills, send out fake phishing emails, have someone place USB drives out, use these types of tactics to teach employees what they might be up against, what they should be on the watch for and how to handle different scenarios. Most people learn best through hands-on learning.

As a second form of defence, employees should be limited in what they have access to. Least Privilege Access principles should be applied everywhere, especially when it comes to customer data. This way, if an attacker is able to get past the employee and trick them, what they will have access to will be limited.

Last edited 10 months ago by Alicia Townsend
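Several of the comments above (Ken Westin on restricting who can reach critical data, Alicia Townsend on least privilege by job role) make the same point: a tricked support account should only be able to expose what that role legitimately needs. The code below is an added example written for this page, not any company's access-control layer; the role names, field policy, per-session record cap and customer records are constructed assumptions. It enforces field-level least privilege (a tier-1 agent sees name and email but not date of birth or balance), caps how many distinct customer records one session may touch so that a single compromised session cannot page through the whole customer base, and writes an audit entry for every request, including denied ones, which is what a detection team would alert on.

```python
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when a request exceeds what the caller's role is allowed."""


# Constructed sample customer records (fictional data, not from the incident).
CUSTOMERS = {
    "C1001": {"full_name": "Alice Example", "email": "alice@example.test",
              "dob": "1990-01-01", "zip": "02139", "balance": 1500.25},
    "C1002": {"full_name": "Bob Sample", "email": "bob@example.test",
              "dob": "1985-06-30", "zip": "94110", "balance": 42.00},
    "C1003": {"full_name": "Cara Fixture", "email": "cara@example.test",
              "dob": "2000-11-11", "zip": "60601", "balance": 9000.00},
}

# Role -> fields that role may read. Anything not listed is denied (assumed policy).
ROLE_FIELD_POLICY = {
    "support_tier1": {"full_name", "email"},
    "support_tier2": {"full_name", "email", "zip"},
    "compliance":    {"full_name", "email", "zip", "dob", "balance"},
}

# Role -> maximum distinct customers one session may touch (assumed policy).
ROLE_RECORD_CAP = {"support_tier1": 2, "support_tier2": 25, "compliance": 500}


@dataclass
class Session:
    """One authenticated support session: who it is, what it has touched,
    and an audit trail of every request (allowed or not)."""
    user: str
    role: str
    touched: set = field(default_factory=set)
    audit: list = field(default_factory=list)


def read_customer(session: Session, customer_id: str, fields: list) -> dict:
    """Return only the requested fields the session's role may see.

    Denies (and records) any request for a field outside the role's policy or
    any attempt to touch more distinct customers than the role's cap allows."""
    allowed = ROLE_FIELD_POLICY.get(session.role, set())
    denied_fields = sorted(set(fields) - allowed)
    over_cap = (customer_id not in session.touched
                and len(session.touched) >= ROLE_RECORD_CAP.get(session.role, 0))
    entry = {"user": session.user, "role": session.role, "customer": customer_id,
             "fields": sorted(fields), "denied_fields": denied_fields,
             "over_cap": over_cap}
    entry["outcome"] = "denied" if (denied_fields or over_cap) else "allowed"
    session.audit.append(entry)

    if denied_fields:
        raise AccessDenied(f"{session.role} may not read {denied_fields}")
    if over_cap:
        raise AccessDenied(f"{session.role} session record cap reached")

    session.touched.add(customer_id)
    record = CUSTOMERS[customer_id]
    return {name: record[name] for name in fields}


def denied_events(session: Session) -> list:
    """Audit entries a monitoring rule would surface: every denied request."""
    return [e for e in session.audit if e["outcome"] == "denied"]


if __name__ == "__main__":
    s = Session(user="agent42", role="support_tier1")
    print(read_customer(s, "C1001", ["full_name", "email"]))
    for attempt in (lambda: read_customer(s, "C1001", ["balance"]),
                    lambda: read_customer(s, "C1002", ["email"]),
                    lambda: read_customer(s, "C1003", ["email"])):
        try:
            print(attempt())
        except AccessDenied as exc:
            print("denied:", exc)
    print("audit denials:", len(denied_events(s)))
```

The record cap is deliberately low for the tier-1 role in this illustration; the real value would come from how many customers an agent handles in a shift, with anything above it routed to a supervisor approval rather than silently allowed.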
Information Security Buzz