According to the Commonwealth of Massachusetts Data Breach Notification report from the summer of 2019, cybercriminals are intentionally targeting the financial services industry at a rate of 52.2%. Executives in the financial services industry should be extra careful in order to ensure their data is protected as well as understanding the various methods of cybersecurity attacks: via social engineering, DDoS, phishing, and malware campaigns.
The risk of exposing Massachusetts citizens’ personal data is at a crucial tipping point: this summer all cyberattacks involved social security numbers being compromised 41% of the time. In total, over 278,641 Massachusetts residents’ personal information was compromised since June. The largest single breach involved Quest Diagnostics Inc.: where 123,978 Massachusetts residents’ social security numbers, account numbers, license numbers, and card numbers were intercepted.
Beginning a cybersecurity assessment is the first step towards investing in the future of your business. Protecting sensitive data, being educated and updated on the most current cyberattack methods, and evaluating your current protection is essential towards a secure future. For more detail into the latest data breach report for Massachusetts, please continue reading.
Profile of Targeted Organizations
Based on the latest Massachusetts 2019 Breach Report, there is a diverse range of industries at risk. All together healthcare, education, professional, manufacturing, finance, and “other” Massachusetts businesses were breached. However, the riskiest industries were financial and professional industries.
Per the 419 Viewable per the graph above, 219 of breached industries were financial. Coming in second, professional industries stood at 54 breach reports, followed by “other” at 48, healthcare at 41, manufacturing for 31, and education at 25.
Nature of Massachusetts Incidents and Breaches
In order to defend against future cyberattacks, it’s important to understand and analyze what is happening on the ground.
What Industries are at an Increased Risk for Breaches?
Per the industry count table graph above, businesses in the financial services industry are at the highest risk for a cyber attack. In the summer of 2019, the commonwealth’s financial service industry suffered 217 breaches alone, or 52.2% of the total number reported. Surprisingly, the notoriety of the institution didn’t sway cybercriminals: some lesser-known institutions like St. Mary’s Credit Union were affected while other big players like Wells Fargo, Discover, and Capital One also fell victim to cyber-attacks.
According to the 2019 Verizon DBIR, 88% of attacks against financial institutions were motivated by financial reward while the other 10% were motivated by espionage. Financial institutions were targeted by external threat actors 72% of the time, internally 36% of the time, by multiple parties 10% of the time, and partners 2% of the time.
How are Cyber Criminals Getting In?
Phishing campaigns are popular; where cybercriminals forward a legitimate-looking email to bank employees containing an unsecured link. The goal is to get an employee from the bank to enter their login credentials, or other sensitive network information, under the guise of a legitimate questionnaire, HR email, or even survey in hopes of gaining access to the entire network.
Ransomware is one of the most widely used attacks against financial institutions and the most costly. Ransomware is usually spread through a phishing email or through visiting an unsecured website. Ransomware techniques continue to evolve, so it is important to continually train employees on what not to click on. Additionally, filtering out of network emails and preventing users from visiting unsafe websites will help to reduce the risk.
In a ransomware attack, users will not be able to log into the system until they have paid the hackers a ransom, usually in untraceable bitcoin. If the network user does not pay, the hackers can keep important company data locked up and even threaten to expose embarrassing photos.
Some other methods of attack include malware, distributed denial of service (DDoS) attacks, corporate account takeover (CATO), and automated teller machine (ATM) cashouts.
Other Industries Targeted in Massachusetts
Furthermore, professional services suffered a 12.9% breach rate, followed by “other” businesses at 11.5%, healthcare a 9.9%, manufacturing 7.5%, and education at 6% breach rate.
Professional services include occupations similar to business consulting, payroll management, accounting, engineers, doctors, lawyers, architects, and marketing agencies. The biggest professional services industry breach occurred with The American Express Travel Related Service Company, Inc. This is a large business operating under American Express. The breach affected 1917 Massachusetts residents alone exposing consumer’s debit and credit card information.
What Damages can Arise as a Result of a Cyber Attack?
The cost of restitution greatly depends on what current security you have in place already, what kind of attack was perpetrated and the scope of the overall attack. Additionally, it is hard to factor in how badly damage to the business reputation will factor in future earnings: as a breach can impact churn rate, referrals, and the overall valuation of a company. Think about how much more difficult it will be to attract future customers to a company with a breach on its record. With all of these factors in mind, the cost of lost business was highest for U.S companies at $4.13 million per company.
On average, malware and web-based attacks are the costliest forms of breaches: costing companies 2.4 million dollars. Smaller businesses may pay less than 2.4 million dollars in damages, but statistics prove that small businesses invest less than $500 in cybersecurity services yet are targeted half the time. While small businesses may have a lower monetary cost to mitigate a breach, an attack may stunt and even shut a small business down for good. Additionally, if individual records are lost or stolen (containing payment information, SSN, etc.), it costs businesses on average $141 per individual. Companies who suffer over 50k compromised records see an average restitution cost of over $6.3 million dollars.
The top 5 Massachusetts breaches so far include:
- Quest Diagnostics, Inc., a financial services institution affecting 123,978 Massachusetts residents. SSN, account numbers and credit/debit information was compromised.
- Retrieval-Masters Creditors Bureau Inc., a financial services institution affecting 112,958 Massachusetts residents. SSN, account numbers and credit/debit information was compromised.
- Dominion Dental Services, Inc., a large healthcare institution affecting 5,618 Massachusetts residents. SSN and account numbers were accessed.
- Capital One, a large financial services institution affecting 5,438 Massachusetts residents. SSN, account numbers and credit/debit information was breached.
- Princess Poly Group Pty Ltd., a manufacturing business affecting 3,184 Massachusetts residents. Only credit/debit information was compromised.
How Do Most Breaches Begin?
Cybersecurity MA data indicates that breaches are shown to originate 85.6% of the time from cyberattacks, while 12.7% of the time breaches originate from paper sources (i.e., physical files physically stolen and/or intercepted). 1.7% of the time, the source of the breach is undefined.