Month: January 2012

24 Million Accounts Compromised in Zappos Data Breach

A network security incident was recently reported by online footwear and apparel retailer Zappos. The Zappos data breach was one of the largest ever reported to have been suffered by a United States-based retailer.

Zappos data breach affects 24 million customers

Full details of the Zappos data breach have not been made public, although it is understood that a hacker managed to gain access to one of the servers in Kentucky that was used by the online retail giant. Once access was gained, the hacker responsible for the attack was able to access part of the company’s internal computer network and systems, and managed to obtain data held on approximately 24 million of the company’s customers. The Zappos data breach did not only affect US-based customers. Customers from countries all around the world were affected.

No credit card details were obtained in the cyberattack, as those data were stored on a different server; but personal information of customers was exposed, including their names, addresses, contact telephone numbers and some billing information. The Zappos data breach highlights the problems even large companies can have keeping data secure.

Big Name Brands Suffer Big Data Breaches

The Zappos data breach was one of a number suffered by well-known companies in recent months. Cybercriminals have been attacking large corporations and accessing their huge databases in order to steal customer data and corporate secrets.

Sony was attacked this year and hackers were able to steal the account details of 20 million purchasers of its computer games. Some credit card numbers were stolen, as well as names, addresses, email addresses, and contact telephone numbers. Some of the stolen data have been listed for sale on darknet websites. The information is purchased by cybercriminals and used for phishing attacks and spam email campaigns.

Cybercriminals are able to sidestep even highly complex cybersecurity defenses by targeting employees with phishing campaigns. Spammers send out emails in the millions in the hope that a few individuals will respond and install malware. In the case of Epsilon, employees were targeted with spear phishing emails. These were highly targeted, and proved to be very effective.

Epsilon reported that approximately 50 of its clients were affected by the data breach. Epsilon holds email lists for its clients. Some of those lists contain a considerable amount of data. The exact number of email addresses obtained by the hackers has not been disclosed, but Epsilon is understood to hold billions of email addresses and has 2,500 corporate clients. This data theft could well be the biggest ever recorded.

Is it possible to prevent cyberattacks?

Many small to medium-sized business owners may be wondering if there is much point paying for cybersecurity defenses if they can be so easily sidestepped. After all, if big corporations suffer attacks, what chance do smaller businesses have of preventing an attack?

It is true that it is not possible to implement defenses that can eliminate all risk of an attack, but it is possible to keep risk to a minimal level by implementing multi-layered security systems. An intelligent approach, using a number of different strategies, will give the best protection. If no effort is made to secure a network, it will be attacked.

Anti-virus and anti-malware software are a must, as are robust firewalls. However, hackers often target employees with phishing campaigns. Employees are seen as the weakest link, and the easiest way of gaining access to a corporate network. Protections must therefore be put in place to prevent these attacks from succeeding. The best defenses are those that prevent phishing emails from reaching employees, and prevent employees from visiting phishing websites and falling for social media phishing attacks.

Email spam is easy to block with an anti-spam solution such as SpamTitan. Malicious websites can be blocked with WebTitan, which can also be configured to offer protection from social media phishing campaigns and malicious website ads.

With these controls in place, SMBs will be well protected from cyberattacks and should be able to do enough to convince all but the most skilled and determined hackers to give up and find an easier target.