The New Employee and the IT Impostor
Cautionary Tale: A $800K Breach for an Insurance Agency with Outsourced IT
UPDATE: INSURANCE CLAIM DENIED!
UPDATE: Since this article was written, the agency has recovered from the breach and completed their notifications and other legal obligations. However, as an insurance agency that actually sells Cyber Liability Insurance to small businesses, they had a $3M policy to cover them for cyber attacks like the one described in this article. Because the digital forensics investigation revealed the methods of the attacker(s) and the measures that were in place at the time of the attack, it was discovered that several measures required by the policy had not been maintained or properly implemented. As a result, the insurance carrier denied the agency’s $742,000 claim and required them to pay for the services the carrier itself had rendered in assisting with the breach response, amounting to more than $70,000. It is telling that even a team of insurance experts, with a managing partner who is also an attorney, can end up in a situation like this simply because they thought their IT company “had them covered”.
In the fast-changing world of technology, businesses face increasingly sophisticated threats. This article examines a real-life social engineering attack on a large insurance agency, highlighting the tactics employed by the cybercriminal and the subsequent impact on the company. By analyzing the incident and the measures taken to address it, we aim to shed light on the importance of robust security practices and the lessons learned from this unfortunate event.
Overview of the Incident:
The cybersecurity incident unfolded when a criminal posed as a cybersecurity consultant and contacted the insurance agency, soliciting information about their IT support. The receptionist, unaware of the deception, willingly shared details about the agency’s IT provider and their main contact. Armed with this information, the criminal later targeted a new employee who had recently joined the company. Using the employee’s publicly available information on LinkedIn, including her job details and start date, the attacker gained her trust.
During a lunchtime call, the criminal convinced the inexperienced employee to grant remote access to her computer, claiming to address a “maintenance issue.” The criminal then asked her if she wanted to head out for lunch, since he would need to use the computer for about an hour anyway. She thanked him and left the office, leaving him unattended with remote access to her computer. Seizing the opportunity, the attacker accessed network shares, uploaded information to his cloud storage, planted remote access tools, and deployed ransomware to encrypt files on the network share. Although the ransom was not paid thanks to the agency’s immutable backup, they still lost three days’ worth of information because of an undetected backup failure.
Immediate Consequences and Cost of the Breach:
The agency faced several immediate consequences as a result of the breach. Since personally identifiable information (PII) was accessed on the compromised network share, they had to undertake a digital forensics and incident response (DFIR) project. Additionally, the agency hired a data breach lawyer and incurred significant expenses associated with data breach notification letters sent to all affected individuals.
In terms of costs, let’s consider the following estimates for this breach:
DFIR project: $50,000
Data breach legal counsel: $75,000
Data breach notification for 30,000 records with non-medical PII: $626,750
Additional remediation costs and incident response efforts: $50,000
Total estimated cost: $801,750
Reasons for Changing Managed Service Provider (MSP) to Managed Security Services Provider (MSSP):
This incident prompted the insurance agency to terminate their relationship with the MSP and engage an MSSP that specializes in cybersecurity.
Lack of Identity Verification Protocols: The MSP did not have proper identity verification protocols in place, allowing the hacker to manipulate the employee by impersonating a consultant. An MSSP ensures strict identity verification procedures for all interactions.
Inadequate Application-Based Zero Trust: The MSP did not implement application-based zero trust architecture, which would have prevented unauthorized software installation and restricted access to critical systems. An MSSP prioritizes robust zero trust frameworks.
Insufficient Access Control: The MSP did not enforce proper access control measures, allowing the attacker to exploit the employee’s elevated privileges. An MSSP emphasizes the principle of least privilege to limit access authority and minimize potential damage.
Comprehensive Security Awareness Training: An MSSP provides thorough security awareness training to educate employees about social engineering tactics and the importance of maintaining confidentiality.
Proactive Backup Monitoring and Testing: An MSSP ensures real-time backup monitoring and frequent testing to guarantee the integrity of backups, minimizing the risk of data loss.
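As an added illustration of the backup monitoring point (this is example code, not the agency’s or either provider’s own), the check below detects the failure that cost three days of data here: it finds the newest completed backup set and reports it as MISSING, STALE or CORRUPT instead of silently assuming the job ran. The 24-hour recovery point objective, the one-directory-per-set layout with a `manifest.json` of SHA-256 digests, and the sample data are all assumptions.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timedelta

MAX_BACKUP_AGE = timedelta(hours=24)  # assumed recovery point objective: alert beyond this

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def check_backups(root, now):
    """Return (status, detail) for the newest completed backup set under root: OK, MISSING
    (no completed set), STALE (older than MAX_BACKUP_AGE) or CORRUPT (digest mismatch)."""
    sets = []
    for name in sorted(os.listdir(root)):
        manifest = os.path.join(root, name, "manifest.json")
        if os.path.isfile(manifest):  # a set without a manifest never completed
            with open(manifest) as f:
                m = json.load(f)
            sets.append((datetime.fromisoformat(m["completed_at"]), name, m))
    if not sets:
        return "MISSING", "no completed backup set found"
    completed_at, name, m = max(sets, key=lambda s: s[0])
    age = now - completed_at
    if age > MAX_BACKUP_AGE:
        return "STALE", f"newest set {name} completed {age} ago"
    for fname, expected in m["files"].items():
        path = os.path.join(root, name, fname)
        if not os.path.isfile(path) or sha256_file(path) != expected:
            return "CORRUPT", f"{fname} in {name} failed digest verification"
    return "OK", f"newest set {name} verified, completed {age} ago"

def demo():
    """Constructed scenarios; returns {scenario: status}. 'stale' mirrors a backup job that
    silently stopped three days earlier, the failure that cost the agency three days of data."""
    now = datetime(2023, 6, 1, 8, 0)
    data = b"policy,holder\n1001,constructed sample\n"
    results = {}
    for label, hours_old, tamper in [("healthy", 6, False), ("stale", 72, False), ("corrupt", 6, True)]:
        set_dir = os.path.join(tempfile.mkdtemp(), "nightly")
        os.makedirs(set_dir)
        with open(os.path.join(set_dir, "policies.csv"), "wb") as f:
            f.write(data[:5] if tamper else data)  # 'corrupt': file no longer matches manifest
        manifest = {"completed_at": (now - timedelta(hours=hours_old)).isoformat(),
                    "files": {"policies.csv": hashlib.sha256(data).hexdigest()}}
        with open(os.path.join(set_dir, "manifest.json"), "w") as f:
            json.dump(manifest, f)
        results[label] = check_backups(os.path.dirname(set_dir), now)[0]
    return results
```

Anything other than OK from `check_backups` should raise a ticket the same day; a restore test against the verified set is the complement to this digest check, not a replacement for it.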
The social engineering attack on the insurance agency serves as a sobering reminder of the importance of robust cybersecurity practices. By learning from this incident, organizations can enhance their security posture and protect themselves against evolving threats. Implementing identity verification protocols, application-based zero trust frameworks, access control measures, comprehensive security awareness training, and proactive backup monitoring can significantly reduce the risk of social engineering attacks and mitigate the potential impact of a breach.
By Derreck Ogden
Your business is constantly exposed to cyber threats that could damage your reputation, compromise sensitive data, and even bring operations to a halt. Waiting to take action against these threats puts your business at a greater risk of attack. It’s time to take control of your technology infrastructure and protect your business. Don’t wait any longer to get started.
Connect with the WOM Technology Management Group today and take the necessary steps towards securing your business. Our team of experts will get back to you within one business day to begin your journey towards confidence in your technology infrastructure.
Our Confidence as a Service™ model offers a unique approach to technology optimization and cyber risk management. With our comprehensive suite of services, we can help you achieve your business goals and reduce the likelihood of cyber attacks. By working with us, you’ll have access to a team of professionals with years of experience in technology and cyber risk management.
We are excited to work with you and show you how Confidence as a Service™ can revolutionize your business technology infrastructure. Don’t hesitate any longer to make the change your business needs. Contact us now and let’s get started.