One of the ways we understand the risks to information security is by looking to the recent past. Examining the cyber-attacks that have already happened, including the types of information targeted and how the unauthorized users tried to gain (or did gain) access to that information, can illuminate the cyber risks that may exist within your organization. Below are some lessons we can glean from specific incidents that caused disruption this year.
Lessons Learned from the American Medical Collection Agency Breach
It can’t be said enough: Third-party providers’ risks are your risks. In March, a medical debt collector announced it had been the victim of an unauthorized intrusion that had spanned nearly six months. The American Medical Collection Agency breach affected the patients of the national health care organizations that used the agency for bill collection. Combined, almost 20 million patients from LabCorp and Quest Diagnostics had their information compromised, including their names, dates of birth, and data on the services for which the patients had incurred medical expenses.
The size of the breach and the costs associated with fixing it led the company operating the American Medical Collection Agency to file for Chapter 11 bankruptcy.
Your Key Takeaway: Consider Third Party Controls
Your organization should continue to have conversations with third-party service providers about their information security protocols and procedures. If you are working with an organization that handles significant volumes of sensitive information—like employee or client records—your organization may want to consider requesting a System and Organization Controls report. Failures in system and organization controls can be catastrophic for all parties involved. Individuals whose personally identifiable information gets caught up in an information security incident will be less concerned about where the failure in controls happened than about why it happened.
Lessons Learned from Baltimore’s Ransomware Attack
Health care and financial services may be among the most common industries hit by cybersecurity attacks, but trends continue to demonstrate that no type of entity is safe from information security risks. The city of Baltimore experienced a ransomware attack in May. Outside attackers used a vulnerability in the city’s computer operating systems and effectively took all servers, with the exception of essential services, offline. Employees were locked out of emails and other applications. Hackers asked for 13 bitcoin (roughly $76,280) in exchange for the keys to restore access to the affected servers, which the city of Baltimore refused to pay. Systems were down for almost two weeks. City officials estimate an $18.2 million recovery cost from the so-called RobbinHood ransomware attack, which includes revenues that were lost during the lock-out and the city’s investments in system upgrades to help prevent future information security incidents.
Your Key Takeaway: Cybersecurity Takes an Investment
Getting your information security systems shored up will likely take a significant investment. The city of Baltimore reallocated $6 million to pay for critical information technology infrastructure, and is also looking to add cyber liability insurance coverage. Your organization should not wait for an attack to test your information security controls, because that could be much more costly, as Baltimore has discovered. Evaluating what additional protections or upgrades may be available for your organization and creating a plan for implementing those updates can mitigate risks and make information security a more manageable investment.
Lessons Learned from the Capital One Data Breach
In July, Capital One learned that an unauthorized user had gained access to Social Security numbers, bank account numbers and credit card application data. The financial services company notified the FBI about the incident. Investigators quickly identified the perpetrator as a former software engineer who had worked for Capital One’s cloud hosting company and was able to gain access through a misconfiguration of a firewall on a web application. Law enforcement stopped the perpetrator. Capital One said in a statement, “Based on our analysis to date we believe it is unlikely that the information was used for fraud or disseminated by this individual.”
In its notification about the breach, Capital One estimated that around 100 million individuals were affected in the U.S., and 6 million in Canada, but said no credit card account numbers or log-in credentials were compromised. It estimated less than 1% of its customers’ Social Security numbers had been captured.
Your Key Takeaway: Cybersecurity Policies Are Effective
Your organization should ensure it has a clearly defined process for notifying law enforcement of a cyber incident. Capital One’s breach detection and notification processes appeared to work as designed. Its protocol helped make what could have been a devastating breach—the perpetrator had accessed credit card applications dating back to 2005—much less severe.
Organizations should also review breach notification laws to ensure they have a comprehensive plan of action. In Capital One’s case, for example, the company had to account for the fact that some of the parties affected were Canadian citizens.
For More Help with Cybersecurity
If you don’t know where your information and cybersecurity strategy stands compared to where it should be, you may want to enlist the help of an information security specialist.
Contact a member of our team for more information about how to enhance your cyber risk controls or take our cyber risk assessment survey for a quick evaluation of your cyber risk approach.
Published on October 09, 2019
© Copyright CBIZ, Inc. and MHM. All rights reserved.