My Wife The Victim

A few months back I heard in the news about a major breach of a very large organization (which will remain nameless). This breach affected tens of thousands of people and their personal records. It affected the customers of this organization as well as the employees. It was a huge embarrassment to the management. And what is worse, it did not have to happen. This organization had opportunities to bring its security posture into the 21st century and it did not. In fact, they were running on security technology that was at least 9 years old and completely inadequate. Keep in mind that security technology older than three years can be outdated. Not to mention a security policy that was almost nonexistent. The attacks were not particularly persistent or creative or forceful. They were what most attacks are: opportunistic. Hackers were looking for the easy soft target, and they found a really soft one.

Not Her Fault

So my wife happened to work at this organization and did not hear anything for a few weeks. Then all of a sudden she got an email, ostensibly from Chase, asking her to enter her debit card information into a special online form. She should have known better, but she went ahead and entered her information. But since she only had an ATM card and not a debit card, she could not put an expiration date into the online form. This accidentally foiled the hackers. This was a classic phishing attack. To the trained eye it is not that sophisticated. But once again, these guys were opportunistic. The hackers had already sold my wife’s information to a phishing criminal organization. But we were able to dodge the bullet of this particular phishing attack.

Who Is Who

Once again minding our own business, I went to do my taxes with my accountant. He called me a couple of days later and told me that someone had already filed a tax return for my wife! Now it appeared that the hackers had sold my wife’s information to another criminal organization. My accountant would now have to file a report, and we would have to contact the IRS and prove to them that my wife is the actual person; then they would issue a special code for us to use in dealing with the IRS in the future. Now that her identity is stolen, we will never get it back. And we will have to deal with these issues for a long time to come. All the breached organization would have had to do is follow even common security procedures and policies. The repercussions of not protecting customers’ data cut a wide swath through the entire user community, and it is important to understand them. Don’t be the company that ends up in the news.
