Is nothing sacred anymore? Now the Louisville Zoo membership information has been breached!
A third-party vendor that the Louisville Zoo uses to send out emails to its patrons was hacked. This is an example of a supply chain cyber attack. (That is when a vendor/partner has legitimate access to a client’s information systems and a cyber threat actor uses that access to execute an attack, steal data, or launch a ransomware attack.)
According to the press release from the Zoo, the information maintained on the hacked system included names, email addresses, physical addresses, membership numbers, and membership levels. They reassured patrons that no sensitive information (i.e., payment card information) was stored with the service.
While it may seem that the information obtained is not that dangerous, consider for a moment that the information is enough for a threat actor to reach out via email, text or phone call representing themselves as a zoo official asking for payment information, social security number, birthday, etc.
Not only is this an example of supply chain dangers, it should also be a wake-up call for any non-profit or membership-based organization.
For any organization that depends on donations, membership dues, sponsorships, etc., the marketing strategy depends largely on an emotional connection with your members. They believe in your cause. They trust in your work to do good things. And they trust that the support they send is used for those good works.
A breach of data is also a breach of trust. Even though a third-party intrusion is not technically the fault of your team, it is your organization’s name on the press release. It was your organization that utilized that vendor, and the information was data you collected.
What can you do? Implement Vendor Risk Management policies and procedures. Do your due diligence: vet your vendors and confirm that they follow proper cyber security procedures. And ensure your organization does as well.
CYBER NEWS
FEMA warns emergency alert systems could be hacked to transmit fake messages unless software is updated
Vulnerabilities in software that TV and radio networks around the country use to transmit emergency alerts could allow a hacker to broadcast fake messages over the alert system, a Federal Emergency Management Agency official tells CNN.
edition.cnn.com
One in five data breaches due to software supply chain compromise, IBM report warns
Attack vector cost businesses 2.5% more in one year
portswigger.net
Aetna Reports 326,000 Affected by Mailing Vendor Hack
Health insurer Aetna ACE reported to federal regulators a health data breach affecting nearly 326,000 individuals tied to an apparent ransomware incident involving
www.bankinfosecurity.com
70% of Cyberattacks Are Ransomware and Business Email Compromise
Ransomware attacks were also among the top reported attacks in the last 12 months, with 7 industries considered most at risk.
tech.co
TIP OF THE WEEK
Protecting Your Digital Supply Chain
As the world becomes more interconnected and services are delivered digitally, cyber threats from third-party vendors are increasing. In a 2022 study by the Ponemon Institute, 56% of organizations had experienced a cyber breach from a third-party vendor.
Here are some steps to improve cyber security in your supply chain:
Ensure your own house is in order. That is, ensure your security is up to date and that your personnel are well-trained and cyber smart. If they see something awry, they should feel empowered to take action and know what that action should be.
Enact a policy of least privilege, limiting access to only what a vendor (or your employees) needs for their specific function. Then, if a cyber breach occurs, the threat actor can only access what the compromised user has permission to access.
Use Segmentation. That is, ensure that not everything in your system is on the same network. That way, if a breach occurs in one area of your organization, the attacker cannot access more sensitive or critical data because it is segmented or “walled off” from the infiltrated area.
Conduct regular vulnerability scans and pen-testing to check for new areas of weakness and for the ability to penetrate your systems from the outside.
CYBER HUMOR
VOCABULARY WORD
Supply Chain Attack: When an unauthorized person gains access to your system via an outside partner or provider that has legitimate access to your system.
TWEET OF THE WEEK
Commonwealth Sentinel
@CwealthSentinel
9 tips to prevent phishing https://t.co/itCToDUWpH https://t.co/kIf5QjG4jx
6:33 PM – 25 Jul 2022