Online auction site eBay has become the latest victim on a growing list of corporations that have had customer data exposed in a major data breach. According to reports, hackers were able to access personal information for more than 145 million customers. While the company does not believe that financial information was exposed, there is concern that the hackers could use the stolen information to steal identities and launch more phishing attacks.
What makes the eBay data breach unique, though, is that investigators were able to link the breach to stolen employee login credentials. EBay’s internal security team noticed unusual employee activity on its corporate network, and upon further investigation, determined that certain employee login information had been inappropriately accessed, and the hackers were using those credentials to log in to the network and steal information — essentially, right in plain sight.
The fact that the breach was caused by employee login information serves as notice to businesses of all sizes that protecting employee login credentials should be a priority, and that employees still need education about how to avoid inadvertently causing a serious security breach.
How Login Credentials Are Stolen
Cybercriminals can access login credentials in several ways:
Phishing. While most people are better able to spot phishing or spoof emails than ever before, cybercriminals have also become more sophisticated. Spearphishing attacks, in which a particular individual or company is targeted using publicly available information, are a growing problem. It is possible that an employee could open or respond to a spearphishing email, believing it to be from a co-worker or vendor, and launch malware that will capture keystrokes — giving the criminal access to the network.
Stolen devices. Many employees use their personal mobile devices to log in to corporate networks. If their personal devices are lost or stolen, a criminal could easily log in to corporate networks. In addition, when employees use their devices on unsecured networks, such as public Wi-Fi, it’s possible for hackers to spy on the sessions and steal usernames and passwords.
Poor password management. Despite warnings, many people use the same passwords for several accounts, use easy-to-guess passwords or even leave them in plain sight. Companies that do not have strong password management policies that outline password strength requirements and mandate regular password changes are at risk.
Education and Policies Are Important
While many experts point out that data breaches are inevitable, it’s still important to take every possible precaution to avoid them, especially when it comes to managing the human factor, i.e., employees who may not realize the full extent of the risk. This should include:
· Ongoing employee education. Be sure to define the risks, announce new threats and clarify policies.
· Regular “phishing tests.” Phishing tests help employees identify suspicious communications and act appropriately.
· Two-factor authentication. Some experts note that if eBay had employed a two-factor authentication solution, the breach could have been avoided, as the hackers would have needed more than just employee passwords to access the system. Recent events such as the Heartbleed bug have renewed interest in 2FA, as it offers a higher level of protection than passwords alone.
· A BYOD management program. If employees will be accessing sensitive networks using mobile devices, you must have a plan to protect devices from malware, as well as a means to remotely lock or wipe lost and stolen devices.
· A password management policy.
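The two recommendations above that can be expressed directly in code are the password policy and the second factor. The following example is added here and is not code from the article or from eBay: it checks a password against a small constructed policy, stores only a salted PBKDF2 digest, and requires an RFC 6238 time-based one-time code (TOTP) on top of the password, so a credential stolen by phishing or keylogging is not enough on its own. The user record, the fixed salt, the policy thresholds and the common-password list are constructed sample values; the TOTP secret is the RFC 6238 test-vector key, so the codes it produces can be checked against the RFC.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, List, Optional, Tuple

# Constructed sample policy values (an assumption for this example; a real policy
# is set by the organisation, and the common-password list would be far larger).
MIN_PASSWORD_LENGTH = 12
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}
PBKDF2_ROUNDS = 200_000
TOTP_STEP_SECONDS = 30


def check_password_policy(password: str) -> List[str]:
    """Return the policy rules a password violates; an empty list means it passes."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256: the record stores salt and digest, never the password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def totp(secret_b32: str, timestamp: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: MAC the 30-second time-step counter, dynamically
    truncate to a 31-bit integer, and keep the last `digits` decimal digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", timestamp // TOTP_STEP_SECONDS)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, code: str, timestamp: int, window: int = 1) -> bool:
    """Accept the current code or one step either side to tolerate clock drift."""
    if not code.isdigit():
        return False
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, timestamp + drift * TOTP_STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            return True
    return False


# Constructed user record. The TOTP secret is the RFC 6238 test-vector key
# ("12345678901234567890" in base32); the salt is fixed so the example is repeatable.
_SALT, _DIGEST = hash_password(
    "Correct-Horse-Battery-9", bytes.fromhex("00112233445566778899aabbccddeeff")
)
USERS: Dict[str, dict] = {
    "alice": {"salt": _SALT, "digest": _DIGEST,
              "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"},
}


def login(username: str, password: str, code: str,
          timestamp: Optional[int] = None) -> Tuple[bool, str]:
    """Check both factors. The reason string is meant for the audit log; the
    response shown to the user should only say that authentication failed."""
    now = int(time.time()) if timestamp is None else timestamp
    user = USERS.get(username)
    if user is None:
        return False, "unknown user"
    _, digest = hash_password(password, user["salt"])
    password_ok = hmac.compare_digest(digest, user["digest"])
    # Evaluate the second factor even when the password failed, so response
    # timing does not reveal which factor was wrong.
    code_ok = verify_totp(user["totp_secret"], code, now)
    if not password_ok:
        return False, "password rejected"
    if not code_ok:
        return False, "second factor rejected"
    return True, "ok"


if __name__ == "__main__":
    print(check_password_policy("password"))
    print(login("alice", "Correct-Horse-Battery-9", "287082", timestamp=59))
    print(login("alice", "Correct-Horse-Battery-9", "000000", timestamp=59))
```

The `timestamp` parameter exists only so the example is deterministic; in production the current clock is used and the verification window should stay small. A real deployment would also rate-limit code attempts and reject a code that has already been used within its time step.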
Again, while some security experts note that data breaches are inevitable, that doesn’t mean businesses should leave the front door wide open to hackers. Taking steps to prevent employees from making innocent mistakes that expose data will make it much harder for criminals to steal your valuable information.