A Verizon Data Breach Investigations Study found that 71% of breaches occurred in businesses with fewer than 100 employees. You would think that small to midsize businesses (SMBs) would be very worried about security. Many SMBs might be worried, but the majority just don’t believe that they need to worry or that they could be a victim. One of the issues is that we typically hear about large corporations experiencing a data breach (Target, Home Depot, Sony, etc.). There isn’t a lot of information about SMB breaches. One of the reasons is that SMBs are not public companies, and in many cases there are no requirements to publicly announce that they have had a data breach. Even after they notify affected individuals of a breach, it usually does not make the evening news or online news sources.
A unique peek into an SMB breach
Whenever I come across a documented SMB breach, I try to share it. It is very important to get SMBs to understand the risks they face and to take the necessary precautions to protect themselves. The following story from FleetOwner describes what happened to a small trucking carrier. I urge you to read the whole article, but here are some highlights.
It started with a simple email back on June 8, recalled Zachary Chilson: a truck driver application with a resume attached, no different from hundreds of others received every week by OutWest Express LLC, a 150-truck long-haul fleet based in El Paso, TX.
Yet when opened, the Word document attached to that email appeared completely blank, said Chilson, OutWest’s VP.
Except it wasn’t.
Malware Infection and Ransomware
In actuality, that “blank” Word document served as cover for a powerfully encrypted malicious software or “malware” virus. When the recruiter closed that document – it looked blank, after all – it quickly went into the main server’s “shared file” and began to wreak havoc.
“I’ve learned that’s called a ‘ransomware’ virus,” Chilson explained during a presentation at the American Trucking Associations (ATA) annual Management Conference & Exhibition (MC&E) this week.
Lack of complete backups
To make matters worse, Chilson learned from his information technology (IT) department that they hadn’t backed up their server correctly, so a lot of critical company information remained out of reach. In the end, he said OutWest had to pay an outside firm to conduct what’s called a “forensic recovery” – “that was very expensive,” Chilson stressed – that ended up returning most, but not all, of the carrier’s “ransomed” data.
“We didn’t get all of our files back, so we had to start over from scratch in many ways,” Chilson pointed out.
Hackers use stolen customer information
“They’d stolen all our customer data out of our server and apparently started calling the brokers on our lists, booking loads under our name and insisting on cash advances,” he said – cash advances that totaled up to $800 per load in some cases.
“We had all kinds of sensitive data files stored in our server; tax returns, social security numbers, things like that,” he said. “So now we’re stuck waiting to see if they try to use any of that.”
Authorities ignore request for help
Even worse in some ways, despite multiple attempts, Chilson could not get law enforcement interested in investigating the hacking of OutWest’s server – despite the fraud being committed in the carrier’s name.
“We called the local [police] authorities; they provided no help. They didn’t even write up a police report,” he said. “We even tried the FBI [Federal Bureau of Investigation] but got nowhere.”
Albert “Bert” Glen, a cybercrime prosecutor with the U.S. Attorney’s Office for the Eastern District of Pennsylvania, noted during the discussion that the dollar value of such crimes may be one reason limiting law enforcement interest, as many agencies don’t get involved if the crime involves damages of less than $100,000.
Note: at a recent conference I heard a former FBI employee state that federal agencies won’t get involved with a case unless it has damages of over $1,000,000.
Decided to help spread awareness
OutWest’s Chilson echoed that perspective during his presentation at ATA’s MC&E this year, adding that spreading the word about how critically important Internet security is to trucking companies large and small is why OutWest decided to share their “hack attack” story.
“The biggest lesson we’ve learned is that you just never have enough computer security,” he said. “Computers are simply the gateways to businesses today and must be protected as such.”