In light of the news that both American Airlines and Revolut have suffered data breaches from social engineering, the Industry leader commented below on the danger of social media.
In light of the news that both American Airlines and Revolut have suffered data breaches from social engineering, the Industry leader commented below on the danger of social media.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
Email accounts are still a favorite target of cybercriminals, and this is just another example of email phishing allowing them to take over some accounts. While the number of individuals impacted by this may be limited, organizations such as airlines collect and hold relatively sensitive information that could have a significant impact on those victims.
It’s normal and expected for airlines to collect passport information, driver’s license information and a lot of personal details which would give cybercriminals all the information they need to steal a victim’s identity. While the airline states no misuse of the data has occurred so far that they are aware of, it has been a relatively short amount of time and it’s not always known whether that data has been misused or not, so that’s not very comforting for potential victims.Because email phishing is so prevalent as an initial network access attack, organizations need to take strong defensive measures with respect to email communications. This means educating employees on how to spot and report phishing attacks, using simulated attacks to allow them to practice their skills, ensuring they understand the importance of good password hygiene, and limiting the amount and types of information employees can access to do their jobs.
Phishing remains an unsolved cybersecurity problem for businesses and individuals. This is another example of cybercriminals using successful credential harvesting campaigns to launch subsequent and more damaging attacks. Whilst both companies, quite rightly, took consequent action to announce the breach and mitigate the fallout, the damage has already been done. Personal identifiable information of customers including names, payment data and email addresses has already been leaked. Consequently, every single victim now faces follow-up phishing scams which abuse their exposed PII in the pursuit of more valuable credentials.
On the business side of things, attacks like this only serve to reinforce the understanding that prevention-based email security approaches and traditional user security training have failed. Organisations need additional layers of technology and processes to continually hunt for targeted email attacks like spear phishing and business email compromise to quickly and automatically eliminate the threats once identified. Security training must evolve so it can be applied in real-time and to real-attacks.