Data Breach on the NCT
Big Implications of Small Data Breaches
Not the most obvious of targets
The NCT (or National Childbirth Trust) is a UK charity which provides support and networking for new parents through pregnancy, birth and into early parenthood. They state that they are “the UK’s largest charity for parents”; however, since membership carries a monthly fee, people generally join during pregnancy and, by the time their children are too big for the toddler group play sessions that the charity operates, they will have allowed their membership to lapse. That would explain why, in the recently reported breach of the NCT’s user registration database, just 15,085 accounts had their credentials compromised.
Now, the theft of 15,000 credentials is not exactly the haul of the century. And we’re only talking email addresses, user names and encrypted password hashes – no financial or personal details were included in the compromised database.
So why bother?
You might have imagined that such “small fry” would not be worth targeting, yet statistics indicate that increasingly it’s not only big businesses and international organisations being targeted by organised cybercriminals. In fact, charities and healthcare organisations are seen as “soft targets” – they hold sensitive data yet the perception is that they are unlikely to be equipped to protect their information assets. A friend of mine is Information Security Manager for another, relatively large, UK charity, and, diligent as he is, he would be the first to say that their security budget is very much aligned with the “we’re a charity let’s hope that means we don’t get hit” mentality.
In the case of the NCT breach, although the details don’t appear to have been released, we can speculate that perhaps their database was not adequately secured, or their code did not adequately defend against SQL injection. However the hackers got the data, we might then speculate that, with such a small organisation, it is more likely (than with a big international organisation) that the password hashing method employed is outdated and hence faster to crack. Once passwords are recovered, the hackers can automate the process of trying the credentials on a long list of other sites, hoping that some users will have reused their password elsewhere, granting the attackers access to something of higher value.
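To make the “outdated and faster to crack” point concrete, here is an added illustration (not code from the NCT or from the original article) contrasting an unsalted, fast legacy hash with a salted, iterated key derivation function, and a defender-side audit showing why identical unsalted digests across users are the problem. The user names, passwords and word list are constructed samples, not breach data.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed sample store (not NCT data): two users share the same weak password.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "baby2016"]
LEGACY_STORE = {"alice": hashlib.md5(b"letmein").hexdigest(),
                "bob": hashlib.md5(b"letmein").hexdigest(),
                "carol": hashlib.md5(b"Tr0ub4dor&3").hexdigest()}


def legacy_hash(password: str) -> str:
    """Unsalted, fast hash (an outdated scheme): equal passwords give equal digests."""
    return hashlib.md5(password.encode()).hexdigest()


def kdf_hash(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """Salted PBKDF2-HMAC-SHA256 with a work factor, stored as a self-describing string."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def kdf_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def audit_legacy_store(store: dict, wordlist: list) -> dict:
    """Defender's audit: because legacy digests carry no salt, one precomputed
    table of common-password digests resolves every matching account at once."""
    table = {legacy_hash(p): p for p in wordlist}
    return {user: table[digest] for user, digest in store.items() if digest in table}


def cost_ratio(iterations: int = 100_000) -> float:
    """How many legacy guesses fit in the time of a single PBKDF2 guess."""
    t0 = time.perf_counter()
    for _ in range(1000):
        legacy_hash("guess")
    per_legacy = (time.perf_counter() - t0) / 1000
    t0 = time.perf_counter()
    kdf_hash("guess", b"\x00" * 16, iterations)  # fixed salt only for timing
    return (time.perf_counter() - t0) / per_legacy
```

Running `audit_legacy_store(LEGACY_STORE, COMMON_PASSWORDS)` recovers alice and bob in one pass, while `cost_ratio()` shows each PBKDF2 guess costing many thousands of legacy guesses.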
Similarly, these types of organisations, and especially hospitals, police stations and schools, have also seen a huge increase in ransomware attacks, and for similar reasons. They may be less likely to have sophisticated backup systems and disaster recovery plans. They may be in the position where large scale data loss would not just be a setback, but something from which they could never recover. In the case of hospitals, it could well be that the cost of time spent trying to recover the data is counted in lives, not dollars. Whatever the reason, these types of organisations are just that much more likely to feel they have no choice but to pay the ransom. And this higher success rate (from the hackers’ perspective) means they’re that much more likely to be targeted too.
A Crime Wave
All this is not to say that big businesses are somehow getting off lightly: they too are seeing a consistent increase in cyber-attacks year after year. What this means is that the cybercrime ‘industry’ is growing, it is spreading, and the point is that nobody is safe.
According to the FBI, hacking victims in the US reported having handed over $25 million in ransom payments. That sounds like a lot, but for the first three months of 2016 that figure already broke $209 million. It’s being called a crime wave, but it’s more than that – it seems inevitable that ransomware will be a $1 billion ‘industry’ this year, multi-billion if growth continues each quarter. That is largely due to this expansion into more vulnerable sectors, with more specific targeting, and with increased ransom demands where hackers think they have a particular victim by the proverbials.
Upward Trends Everywhere
Symantec recently released their annual Internet Security Threat Report, and the highlights paint a grim picture.
- 125% increase in Zero-Day Vulnerabilities – now a commodity to be sold to the highest bidder for use in devastating targeted and/or mass attacks. 2015 saw more than 1 per week.
- 23% increase in Reported Identities Exposed, but, with an 85% increase in companies “choosing not to report the number of records lost”, experts give a “conservative estimate” of more than half a billion records lost in total.
- 75% of popular, legitimate websites continuing to operate with Major Unpatched Security Vulnerabilities. 15% deemed ‘critical’, meaning “it takes trivial effort for cybercriminals to gain access and manipulate these sites for their own purposes”.
- 55% increase in Spear-Phishing Campaigns Targeting Employees of both large and small businesses, with 43% of attacks targeting those with fewer than 250 employees.
- 35% increase in Ransomware – yet as we’ve seen, this has resulted in an apparent 3,344% increase in profit for the cybercriminals behind the attacks.
The Bottom Line
Repeated multiple times throughout Symantec’s Report, and a recurring theme in the vast majority of reports you will read, is the overriding message:
Nobody Is Safe. Be prepared.