Yesterday afternoon, reports started being published that The National Childbirth Trust (NCT) had suffered a data breach. The charity has apologised to 15,000 new and expectant parents after their registration details were accessed in a “data breach”. The NCT sent a message to its members saying that their email addresses, usernames and passwords had been “compromised”. The incident has been reported to police and the UK’s data watchdog. The NCT stressed no other information had been accessed. A spokesman confirmed 15,085 users were affected and said: “NCT has suffered a data breach which, regrettably, has caused some users of our website to have their registration details compromised.”
Commenting on this, Simon Crosby, CTO and co-founder at endpoint security firm Bromium, said: “This incident at The National Childbirth Trust will be a wake-up call for people. But it’s not the first. Certainly it will provide a clear message to chief execs that if something like this happens then they can expect to be paraded in front of a voracious media – and they’d better have some good answers to some tough questions. Businesses have no excuse that they were not aware nor prepared for such attacks. They’ll need to prove that they took all reasonable steps to protect themselves. How they respond may be the difference between a damaging incident and a fatal disaster.
When we hear about attacks that have persisted on a compromised system for weeks or even months before detection, it is unlikely that hackers were waiting to take advantage of the breach, but far more likely that existing detection-based systems failed to properly respond to the attack. Organisations invest in a broad array of security solutions with the promise of actionable security insight, but the reality is that they are swimming in a sea of false alerts. Understanding hacker behaviour is as difficult as looking for a specific needle in a haystack that is 50 feet tall and made of other needles. When a hacker breaches a system, they will squeeze it for anything of value, including compromising endpoints for botnets, servers for bandwidth and of course the imminent threat of lost intellectual property or financial information. For end users and security teams this manifests as a noticeable decrease in system performance and unusual network connections, among other factors. If organisations are serious about keeping hackers out of their systems, they need to embrace proactive protection as the foundation of their security architecture. For example, hardening and isolating systems prevents data breaches, eliminating the need for costly detection and response.”
Richard Cassidy, technical director, EMEA at Alert Logic, added: “The breach at The National Childbirth Trust highlights the challenge all organisations face in today’s cyber threat landscape and reiterates the fact that a fundamental change in our approach to data security is required across the board. Attackers leave digital fingerprints in their network activity or system logs that can be spotted if you know what to look for, and have qualified people looking for it. Through monitoring systems 24×7 and being able to distinguish normal from abnormal, organisations can identify and act against sophisticated attackers.
In reality it is becoming a great deal easier for hackers to exploit vulnerabilities on key data platforms, given the wealth of resources and information sharing on the cyber criminal underworld. In many respects organisations need to shift their focus to the view of “when” and not “if” a data breach or attack will occur. CISOs and CTOs need to learn from the wealth of information available on past high-profile breaches, and align their Cyber Security Strategy accordingly.
We can no longer rely on our point security tools to remain effective in isolation against the proliferation of threats and exploits we are seeing today. Security strategy needs to be intelligence driven, combining big-data analytics poised to detect indicators of compromise with the wealth of data across all security toolsets, identifying both “sledgehammer” and “needle-in-haystack” breach styles. Equally importantly, how well organisations protect their “data at rest” will go a long way in helping give customers the assurance that the best was done to protect their data and limiting the collateral damage in the aftermath of such a breach. As organisations we can only do so much, but unfortunately not many are doing enough. Boardrooms need to put cyber security risk and strategy back at the forefront of their agendas.”
If you use any services whose data, if stolen and made public, could be used against you, then edit your profile now to include false information and a fake email address, or an alternative, randomised, non work email address from an online provider.”
Robert Capps, VP of business development at NuData Security, concluded: “This newly reported breach comes hot on the heels of a plethora of other data breaches. Yet another stark reminder that personal data is a desirable target for cyber criminals. A recent CyberEdge Group report uncovered a shocking statistic: 52% of security professionals surveyed say their organisation will likely fall victim to a successful cyber attack in the next 12 months. Security teams are finally waking up to the new reality when it comes to hacking – it’s more of a question of ‘when’, and not ‘if’, they will be breached. No matter how diligent an organisation is in its efforts to protect personal data, the data is still getting out there.
It is imperative that consumers who were subject to the recent breach verify they are not using the same compromised user credentials on other sites, and if they are, change them as soon as possible. This is yet another reminder and opportunity for consumers to implement the proper precautions when it comes to online security, and stop reusing the same username and password on more than one site – virtually eliminating the risk that the compromise of a single website will result in the loss of control of a number of online accounts owned by the same consumer.
Consumers should also get into the habit of enabling available multi-factor authentication technologies provided by any online services, such as one-time codes sent via SMS to a legitimate consumer’s mobile device. While such authentication techniques introduce a level of friction and poor user experience that consumers often find distasteful, they are an effective deterrent against the most common methods of inappropriate access to legitimate accounts until better solutions for positive identity verification are more broadly rolled out across online services.
As the amount of stolen personal data continues to skyrocket, traditional authentication techniques such as static usernames and passwords, and other fact-based authentication, will become far less effective. How we address the usefulness of this data will greatly shape the quantity and scale of future data breaches, and related identity crimes to come, so it’s well beyond time for the online services themselves to evolve in the methods used to authenticate users, moving away from static usernames, passwords, and secondary knowledge-based authentication questions such as the colour of your first car, or derived from public records or a consumer’s credit file. Such static data has long been insufficient in providing an appropriate level of authentication and substantiation that the user trying to access an online service is the legitimate consumer that owns the online account. Established technologies such as continual behavioural analytics and passive biometrics have proven themselves as strong solutions for increasing the accuracy of online authentication by evaluating hard-to-replicate and impossible-to-steal user behavioural signals, while decreasing the friction presented to consumers in the process.”
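The two pieces of advice in the Capps quote above, checking whether a compromised credential is reused elsewhere and enabling multi-factor authentication, can be turned into an account audit. This is an added example, not code from the article or from any of the vendors quoted; the leaked-password set and the account list are constructed for the example, and `range_lookup` stands in for a k-anonymity range service (the style used by public breached-password APIs) so that only a SHA-1 prefix, never the password, would leave the client.

```python
import hashlib

# Constructed breach corpus for this example: SHA-1 digests of passwords
# assumed to have leaked. Nothing here is real NCT data.
LEAKED_PASSWORDS = ["password1", "letmein", "Summer2016!"]
LEAKED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
               for p in LEAKED_PASSWORDS}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix):
    """Stand-in (hypothetical) for a k-anonymity range service: given the
    first 5 hex characters of a SHA-1, return (suffix, count) for every
    leaked hash sharing that prefix. The service never sees the full hash."""
    assert len(prefix) == 5
    return [(h[5:], 1) for h in sorted(LEAKED_SHA1) if h.startswith(prefix)]


def is_compromised(password):
    """Client-side check: hash locally, send only the prefix, match suffixes."""
    full = sha1_hex(password)
    prefix, suffix = full[:5], full[5:]
    return any(s == suffix for s, _ in range_lookup(prefix))


def audit_accounts(accounts):
    """accounts: list of dicts {site, username, password, mfa}.
    Flags (a) passwords present in the breach corpus, (b) the same
    username+password pair reused on more than one site, and
    (c) accounts with multi-factor authentication switched off."""
    findings = []
    first_seen = {}
    for acct in accounts:
        key = (acct["username"], acct["password"])
        if is_compromised(acct["password"]):
            findings.append((acct["site"], "password appears in breach corpus"))
        if key in first_seen:
            findings.append((acct["site"], "credentials reused from " + first_seen[key]))
        else:
            first_seen[key] = acct["site"]
        if not acct.get("mfa"):
            findings.append((acct["site"], "multi-factor authentication not enabled"))
    return findings


# Constructed sample of a parent's accounts after a breach of the first site.
SAMPLE_ACCOUNTS = [
    {"site": "nct.example", "username": "parent@example.net", "password": "Summer2016!", "mfa": False},
    {"site": "webmail.example", "username": "parent@example.net", "password": "Summer2016!", "mfa": True},
    {"site": "bank.example", "username": "parent@example.net", "password": "x9#Lq2!vT7pW", "mfa": True},
]
```

Running `audit_accounts(SAMPLE_ACCOUNTS)` flags the breached site for the leaked password and missing MFA, and the webmail account for reusing the same credential pair, while the bank account with a unique password and MFA produces no finding.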