Contact Us
Cart
Item added Item updated Item removed No more products on stock You entered wrong value.

No products in the cart.

Cart
Item added Item updated Item removed No more products on stock You entered wrong value.

No products in the cart.

Blog

My accountant made it too easy for hackers to steal my data, and so did these three big companies.

June 20, 2024
Posted by Andre Marion
Cybersecurity: companies that made it too easy for hackers.

Tax season ‘24: I’m on a call with my accountant, and she says she will have to log into my local social security account to perform some essential operations. “Okay, I’ll give you my credentials so you can log in,” I said. “It’s ok; I still have it saved here from last time,” she replied.

The last time was about six months ago, and I haven’t changed my password since (my own mistake here).

My inquisitive, cybersecurity-oriented mind exploded!

“Let me ask you: where do you usually save these passwords?”

“Oh, I have an Excel spreadsheet with all my clients’ passwords. It’s all quite organized.”

“I imagine you have a strong password to protect all these passwords, right? It would be pretty bad if all this sensitive information got in the wrong hands.”

“No, I don’t need to, though. It’s stored in a secret folder hidden in my system.”

Password management done wrong

You, dear reader, can imagine how gravely dangerous this is and how terrified I was to discover that someone in charge of keeping such critical information could be so negligent with their cybersecurity practices.

If this information were to fall into the wrong hands, the potential damage to my life and anyone else on that list would be enormous.

You might say, “Oh, but this is just a small accountant!”

Not so fast. Let’s review similar cases with well-known companies.

Three big companies that made it too easy for hackers

01 - Sony and Their password.txt Files

San Mateo / CA / USA - Sony sign at the Sony Interactive Entertainment offices in Silicon Valley;
Image: AdobeStock

The giant Japanese multinational conglomerate has a talent for breaches, with multiple attacks targeting Sony Pictures and the Playstation Network.

In 2011, Sony Pictures and the PSN were hacked, and hackers leaked millions of users' personally identifiable information. In 2014, Sony was hacked yet again.

Despite numerous breaches in their history, what sets these two incidents apart is that in both cases, hackers accessed this information via unprotected Excel and Word documents.

Thousands of data pieces, passwords, log-ins, financial information, and social media credentials for hundreds of major motion picture accounts were leaked in an easy-to-prevent mistake.

Sony leak 2014 password management
Some of the obvious password files found during 2014’s leak

02 - How Verizon gave free access to six million people’s data

Image: AdobeStock

Imagine being C-level in a company with a presence in over 150 countries, 118 thousand employees, and around 115 million customers worldwide. Then imagine having to come forward to explain that “John,” from customer service, allowed public access to your cloud drive, exposing phone numbers, addresses, PINs, emails, and more information from 6 million customers.

Verizon experienced this in 2017 when a third-party vendor failed to configure its Amazon S3 storage unit properly.

The worst part is that these Amazon servers are secured by default, meaning someone accidentally changed a security setting, exposing all the data.

Luckily for Verizon, the issue was caught by a researcher at UpGuard before it could be leaked.

Discovery and Public Disclosure

Chris Vickery, a security researcher from the cybersecurity firm UpGuard, discovered the breach and notified Verizon of the exposure. The company promptly secured the data and launched an investigation, claiming no evidence of data theft or misuse was found.

The reputational damage was done, nevertheless.

Verizon’s sftp server - UpGuard
Verizon’s SFTP server - UpGuard

03 - Facebook exposed up to 600 million passwords

Image: @starline

In 2019, Facebook was once more in the limelight for exposing up to 600 million user passwords.

During a routine security review, Facebook discovered that user passwords were stored in a readable format internally instead of being adequately masked.

Although Facebook promptly fixed the issue, in some cases, these passwords had been searchable since 2012 and easily accessible by over 20,000 employees. In total, this meant 200 to 600 million passwords were compromised.

Facebook exposed up to 600 million passwords. - Image: thaspol

What do my accountant, Sony, Verizon, and Facebook have in common?

The answer is clear: the human factor. My accountant doesn’t have a CISO to educate her on cybersecurity, nor an entire IT team to configure her computer and implement the latest protection software and policies. 

The big companies I mentioned had massive teams of highly skilled professionals ready. However, at the end of the day, these companies, like yours, are comprised of regular human beings like my accountant. These employees are susceptible to mistakes; most are not tech-savvy, yet they are the first line of defense for multi-billion dollar companies.

These employees most likely participated in the mandatory cybersecurity training, where they learned little and forgot everything within a couple of weeks.  

How do I keep cybersecurity awareness at the top of mind in my organization?

“Your cybersecurity is as strong as your least prepared employee.”

It’s not a matter of whether an attack happens. It’s a matter of WHEN. Because IT WILL HAPPEN.

When scammers surround your digital fortress, lurking around every corner and testing your defenses multiple times a day, your team will need to be vigilant and well-prepared to respond.

Yes, you trained them twice last year and gave them all the necessary information. So why are they still susceptible to making careless mistakes?

Some of the main differences between your regular annual cybersecurity training and year-round cybersecurity awareness include:

  • Consistency: Consistent messaging is key. Long intervals between awareness sessions favor the forgetting curve, which is how quickly employees forget newly learned information. Employees should engage with current cybersecurity themes and events at least once a month.
  • Snackable Content: Delivering bite-sized information over a more extended period is much more effective than dropping a ton of content in a couple of sessions over the year. Your staff already has a lot on their minds: day-to-day work, chores, family, finances, and career. Consistently sharing just enough cybersecurity information makes it easier for people to digest it.
  • Relatability: As leaders committed to our organizations, sometimes we’re so preoccupied with protecting our company that we overlook that many employees are not nearly as concerned about the company’s servers as we are. The good news is the principles of corporate cybersecurity are also applicable to personal security, and vice versa. Therefore, by teaching employees how to safeguard themselves and their families, they are more likely to remain vigilant about security at work.

“Consistently delivering bite-sized, relatable cybersecurity content, applicable in your employees’ personal and professional lives.”

That is the answer!

How can Aware Force make me a hero and promote massive employee engagement in cybersecurity?

We have the perfect solution if you’re committed to taking cybersecurity to a new level in your organization.

Our offer is simple:

  • Massive employee readership makes you the hero
  • Real-time metrics dashboard, generating amazing ROI
  • Insanely easy to implement and cost-effective
  • All branded for your organization

Our team is standing by to show you some of the innovative ways organizations use Aware Force to engage their employees. (And the employees let them know how much it’s appreciated!)

Get in touch with us here at https://awareforce.com/contact-us/ :

Sources: Forbes, UpGuard, Arstechnica, Buzzfeed, Krebs on security

Get the latest insights in cybersecurity. Subscribe to the Aware Force Cyber Blog
Insightful cyber news, fresh ideas for engaging your employees and more.
Let's connect!
Learn innovative ways organizations are using Aware Force.
Phone
(470) 448-3887
Email
cutrisk@awareforce.com
Contact US

© 2024 Aware Force LLC - All Rights Reserved - Privacy Policy
usercartmagnifiercross linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram