What Can SMBs Learn from the Largest Data Breaches of 2022?

Publication date: Dec 21, 2022

Last Published: Dec 21, 2022


It’s the time of the year when we at OSIbeyond look back at the largest data breaches that have occurred since January and extract valuable lessons from them for small and medium-sized businesses.

Even though a lot has been said and written about the potential spillover effect of the Russia/Ukraine cyberwar, the main causes of data breaches in 2022 have nothing to do with it.

In fact, they’re alarmingly similar to last year’s top data breach causes, which goes to show that those who fail to learn from the mistakes of others will inevitably suffer the same consequences.


Lesson #1: Not All MFA Implementations Are Created Equal

The implementation of multi-factor authentication (MFA) is the single most effective defense against account compromise attacks, with Microsoft claiming that it can reduce their success rate by up to 99.9 percent.

But just like two padlocks can provide completely different levels of protection, the gap between two MFA implementations can be huge, with some implementations providing nothing but a false sense of security.

In January 2022, almost 500 users of Crypto.com, a cryptocurrency exchange company based in Singapore, found out that not all MFA implementations are created equal when hackers made off with more than $30 million worth of cryptocurrency after bypassing the exchange’s MFA system.

Since then, Crypto.com has audited its systems and fixed the original vulnerability in its MFA system, but who knows how many other companies rely on weak MFA that slows down legitimate users but doesn’t stop attackers.

Lesson #2: Cloud Services Are Not Always Secure

Another major data breach that took place in January 2022 affected the International Committee of the Red Cross (ICRC), and it compromised the data of more than 515,000 highly vulnerable people.

This breach was caused by a known but unpatched critical vulnerability (CVE-2021-40539) in a single sign-on tool developed by Zoho, an Indian multinational technology company that makes cloud-based business tools.

The vulnerability allowed the attackers to compromise administrator credentials, move throughout the network, and ultimately breach personal data such as names, locations, and contact information.

The Red Cross data breach is a great example of the cybersecurity risks associated with cloud services and the importance of partnering only with providers that promptly patch all known vulnerabilities and take other steps to ensure their customers’ safety.

Lesson #3: Social Engineering Attacks Are Becoming More Sophisticated

Social engineering attacks like phishing or smishing have been a leading cause of data breaches for years. One reason why they remain so effective is that the tactics used by cybercriminals are becoming more sophisticated.

In March 2022, Microsoft revealed that hackers belonging to a group called Lapsus$ obtained limited access to its systems after an employee account was compromised.

To successfully breach Microsoft and several other high-profile targets, the attackers used the following tactics:

  • Phone-based social engineering
  • SIM-swapping to facilitate account takeover
  • Accessing personal email accounts of employees at target organizations
  • Paying employees, suppliers, or business partners of target organizations for access to credentials and MFA approval
  • Intruding in the ongoing crisis-communication calls of their targets

While it’s unlikely for SMBs to face social engineering attacks of the same sophistication as Microsoft, each of the above-described tactics can certainly be used to break the weakest link in the cybersecurity chain: people.

Lesson #4: Simple Misconfiguration Can Have Far-Reaching Consequences

Some of the largest data breaches in 2022 happened as a result of misconfiguration. In January, online appointment company FlexBooker released a statement, claiming that personal files belonging to 3.7 million of its users had been stolen from its AWS account.

The cause of the breach was an AWS configuration vulnerability, which left an AWS S3 bucket insufficiently protected, exposing its content to anyone with a web browser.

A similarly unfortunate incident also happened in October to Microsoft after a misconfigured endpoint became publicly accessible over the internet.

“This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers,” explained Microsoft.

These two incidents highlight how complicated the information technology landscape has become, with even large companies struggling to avoid basic configuration mistakes.

SMBs with limited IT experience and expertise shouldn’t take any chances. Instead, they should find a capable IT partner that can empower them with the tools they need without creating any holes for cybercriminals to creep through.

Conclusion on 2022 Lessons

SMBs can learn a lot from some of the largest data breaches of 2022. These incidents serve as cautionary tales and highlight the importance of investing in robust cybersecurity measures to protect sensitive data.

This year’s lessons revolve around the dangers of having a false sense of security, the risks associated with cloud services, the increasing sophistication of social engineering attacks, and the consequences of misconfiguration.

OSIbeyond is here to help you avoid making the same mistakes as others have made by providing expert guidance and support to ensure that your business is protected from potential data breaches. Contact us to enjoy a data breach-free 2023.
