As the year comes to a close, we take a look back at six data breaches that dominated the headlines and defined the state of cyber security in 2016.

It could be said that 2016 was the “Year of the Hacker.” From healthcare to politics to adult entertainment, no industry was spared the wrath of cyber criminals. Here, we reflect on six of this year’s most infamous data breaches.

1. The SWIFT Network Attacks

It was a plot that sounded like it came straight out of a Bond movie: A band of international bank robbers stole nearly $100 million from a bank in Bangladesh, spooking finance executives around the world and leaving them wondering where the thieves would strike next. But these robbers didn’t hand a note to a teller or dynamite their way into a vault; they breached the victimized banks’ networks and accessed their accounts on the SWIFT network, a proprietary messaging system that few people outside the finance industry have ever heard of. Once inside SWIFT, they were able to remotely send billions of dollars in fraudulent money transfer requests. Most of these were caught and flagged, but $81 million went through, and the hackers remain at large. These data breaches sent shockwaves through the finance world and threw into question the integrity of what was once thought to be one of the world’s safest networks.

2. The Yahoo Data Breach

The Yahoo data breach, which compromised 500 million user accounts, resulted in at least 23 lawsuits, and put the company’s planned acquisition by Verizon at risk, didn’t happen out of nowhere. It was the result of years of the company putting cyber security on the back burner in the name of not compromising “the user experience.” Other companies should look to Yahoo as an example of what can happen – in fact, what is bound to eventually happen – when information security is not taken seriously. While it’s true that end users of software products can be fickle and impatient, it is far better to risk annoying customers with product security measures than to leave their personal information open to data breaches.

3. The DNC Hack

Cyber security took center stage early on in this year’s contentious U.S. presidential election, and the Democratic National Committee became the poster child for embarrassing email data breaches. In June, WikiLeaks released a number of damaging emails stolen from the DNC’s email server. Among the “highlights” were what appeared to be messages written by high-ranking party officials plotting to smear candidate Bernie Sanders and planning to reward high-dollar DNC donors with federal appointments in an anticipated Hillary Clinton administration. As if that weren’t bad enough, some of the emails compromised these same donors’ private data, with one email attachment containing an un-redacted image of a six-figure check, complete with the donor’s routing and bank account numbers. The hack was so scandalous that the DNC’s chairperson, CEO, and communications director were forced to resign.

4. The FriendFinder Data Breaches

Apparently, last year’s Ashley Madison data breach didn’t teach companies that store sensitive information to be adults about data security. In October, news broke that six sites owned by FriendFinder Networks, Inc., owners of some of the world’s largest adult entertainment sites, had been hacked. Over 412 million user accounts were compromised, most of which came from a site called AdultFriendFinder, which bills itself as the “World’s Largest Sex and Swinger Community.” In addition to users’ email addresses and passwords – which had been stored as plain text or hashed and converted to all lower-case, making them far easier to compromise – hackers also got hold of the company’s source code and private/public key pairs. As of this writing, the FriendFinder hack is set to win the “award” for the largest data breach of 2016.

5. The Wendy’s POS Hack

Where’s the cyber security? Around the same time fast-food chain Wendy’s announced it would be switching from human clerks to automated ordering kiosks, the company was forced to admit that it had been victimized by a massive breach of its existing POS systems, which exposed customer credit card information captured at 1,000 of its locations in the U.S. Rather than taking responsibility for the data breaches, Wendy’s decided to pass the buck, insisting that “only” independently owned franchises, not company-owned locations, had been breached, and further claiming that the breaches were the fault of third-party POS service providers hired by its franchisees. This spin-doctoring didn’t dissuade dozens of credit unions from joining a class-action lawsuit against the chain, alleging that Wendy’s knew that its POS systems were not secure but did nothing to address the problems.

6. The Hollywood Presbyterian Medical Center Ransomware Attack

While it was not technically a data breach, we felt we would be remiss if we did not mention the infamous Hollywood Presbyterian ransomware attack, which happened early in the year and was a harbinger of things to come for the healthcare industry. Hackers managed to lock down the hospital’s entire network, including its electronic health records (EHR) system. Hollywood Presbyterian ended up forking over $17,000 in Bitcoin to get back in – an act which, unfortunately, emboldened hackers, who now knew they could easily extort big paydays from healthcare facilities. A spate of similar attacks hit medical facilities across the U.S., Canada, and even the U.K. As of this writing, Intel estimates that hospitals have paid various hackers nearly $1,000,000 in ransom this year.

Here’s hoping that 2017 is the year the “good guys” finally get the upper hand in the fight against data breaches, ransomware, and other cyber crimes.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. We offer full-service risk assessment services and Continuum GRC software to protect companies from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization secure your systems.

Online shopping is booming, but customers will shun e-commerce if they do not feel their data is secure.

Just as “Video Killed the Radio Star,” e-commerce is making shopping malls go the way of the horse and buggy. In 2016, consumers reported making 51% of their purchases online, up from 48% in 2015 and 47% in 2014. Meanwhile, real estate experts estimate that large brick-and-mortar department stores need to eliminate about 1/5 of their current footprint in malls just to return to the same levels of productivity they enjoyed a decade ago.

Consumers love the convenience and cost savings of ordering items online and having their purchases shipped to their door, but they will quickly sour on an e-commerce site if they feel their credit card information and personal data are not safe. Following are five tips for keeping your e-commerce store safe from hackers during the holiday season and throughout the year.

1. Make sure your e-commerce store is PCI DSS compliant.

While PCI DSS compliance alone does not equate to a comprehensive e-commerce cyber security, being compliant with PCI DSS is the first step – and it’s required by major card issuers. Additionally, some states have laws that refer to PCI DSS explicitly or contain equivalent mandated standards. If you are breached, and it turns out that your e-commerce store was not PCI DSS compliant, your store may be found in violation of your state’s laws regarding data privacy, and the credit card companies that mandate PCI DSS could impose fines on your organization amounting to tens or even hundreds of thousands of dollars. If you are unable to pay the fines, you will no longer be able to accept their cards. Plus, your customers’ data will have been breached, which could result in civil lawsuits and massive damage to your store’s reputation.

2. Make sure all of your hardware and software is up to date.

Antivirus and antimalware software should be updated regularly, and any manufacturer updates or patches to your operating system and other software used in your business should be downloaded and installed as soon as possible; they often include important security patches addressing newly discovered threats.

3. Make sure all of your employees, including temps, are trained in cyber security best practices.

The weakest link in any business’ cyber security plan is its people. The overwhelming majority of data breaches occur after hackers obtain legitimate login credentials, often through social engineering schemes such as phishing emails. Make sure all of your e-commerce store’s employees, including seasonal workers, are trained in cyber security best practices, such as how to spot phishing emails and why they should never send personal data through unsecured email, share their passwords or leave them out in the open, or log in to the network on an unsecured device or connection.

4. Create a culture of “if you see something, say something” regarding e-commerce cyber security.

Employees, especially seasonal workers, want to please their bosses, and this is something hackers take advantage of through schemes such as “spear phishing,” where hackers send what looks like a legitimate email from the business owner or a c-level executive to a low-level employee, requesting sensitive information such as system login credentials or e-commerce customer data. Employees should be instructed to report all suspicious emails or any other activity that just doesn’t seem right – even if they think “it’s probably nothing” – to a supervisor.

5. Place appropriate restrictions on employee’s system access.

E-commerce employees, especially temporary workers, should be given the minimum level of system access they need to perform their jobs, and no more. If at all possible, limit access to your most sensitive data – such as customer payment information and employee tax data – to full-time, year-round employees. The reasoning is that full-timers have a track record with your company, have far more experience with cyber security best practices than your temps, and probably underwent a more extensive background check as well.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. We offer full-service risk assessment services and Continuum GRC software to protect companies from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization secure your systems.

What will the state of cyber security look like under the Donald Trump administration?

The election is over, the votes have been counted, and thankfully, other than a few isolated reports of malfunctioning voting machines, Election Night was unremarkable from a cyber security perspective. Now, it’s time to turn our attention to President Elect Donald Trump and what a Trump Administration will mean for cyber security in the U.S.

Donald Trump’s Official Stance on Cyber Security

Cyber security is the only tech-related topic Trump addresses directly on his official website. At this point, his plan has four main points:

• Appoint a “Cyber Review Team” composed of “individuals from the military, law enforcement, and the private sector” to perform “an immediate review of all U.S. cyber defenses and vulnerabilities, including critical infrastructure” and “provide specific recommendations for safeguarding different entities with the best defense technologies tailored to the likely threats.” The Cyber Review Team will also be tasked with establishing protocols and setting up “mandatory cyber awareness training” for government employees.
• “Instruct the U.S. Department of Justice to create Joint Task Forces throughout the U.S. to coordinate Federal, State, and local law enforcement responses to cyber threats.”
• “Order the Secretary of Defense and Chairman of the Joint Chiefs of Staff to provide recommendations for enhancing U.S. Cyber Command, with a focus on both offense and defense in the cyber domain.”
• “Develop the offensive cyber capabilities we need to deter attacks by both state and non-state actors and, if necessary, to respond appropriately.”

Much like HIPAA, Trump’s plan focuses on procedural generalities as opposed to technical specifics. However, this is to be expected of a presidential candidate who comes from a business background, not a tech background. The positive thing about the plan is its focus on taking proactive measures to prevent attacks, not just responding to them after they occur.

What to watch out for: Who Trump appoints to his Cyber Review Team. President Elect Trump should seek out experienced cyber security professionals with deep knowledge of the industry and the issues to hammer out the technical details of his plan.

The End of the H-1B Visa?

As a candidate, Trump famously took a hardline stance on immigration, including an initial pledge to eliminate the H-1B visa program that is heavily used by the tech industry. This has alarmed many tech employers, who claim that the H-1B is necessary because there is a shortage of qualified IT workers in the U.S., and that without being able to import talent from overseas, critical positions would go unfilled. This is an important issue in the cyber security field, which faces a severe skills shortage; there are approximately 200,000 unfilled cyber security jobs in the U.S., and demand is expected to increase by 53% by 2018.

However, it is important to note that Trump softened his stance on the H-1B at a Republican debate in March, claiming, “I’m changing. I’m changing. We need highly skilled people in this country.” Additionally, since his election, he has backed off from his initial zero-tolerance immigration stance overall.

What to watch out for: Whether Trump will abolish the H-1B is debatable. As a businessman, he used it to hire foreign workers, and his wife, soon-to-be-First-Lady Melania Trump, came to America on an H-1B. However, it is likely that Trump will make some changes to the H-1B program, and it is up to cyber security companies to ensure that our voices are heard as he makes decisions on this issue.

Cyber Security as Part of National Security

Throughout his campaign, Donald Trump referred to cyber security in the context of national security. At a debate against Hillary Clinton in September, he spoke of the gravity of the threat of foreign cyber terrorism against the U.S.:

…when you look at what ISIS is doing with the Internet, they’re beating us at our own game. ISIS.

So we have to get very, very tough on cyber and cyber warfare. It is — it is a huge problem. I have a son. He’s 10 years old. He has computers. He is so good with these computers, it’s unbelievable. The security aspect of cyber is very, very tough. And maybe it’s hardly doable.

But I will say, we are not doing the job we should be doing. But that’s true throughout our whole governmental society. We have so many things that we have to do better, Lester, and certainly cyber is one of them.

What to watch out for: It is possible that a Trump Administration will increase spending on cyber security at the federal level and impose more stringent requirements on state and local governments. Since the number and severity of data breaches and ransomware attacks are intensifying, these would be welcome changes.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. We offer full-service risk assessment services and Continuum GRC software to protect companies from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization secure your systems.