Analysis: Hackers do not discriminate. They want data, any data.
15,000 new and expectant parents have become the latest victims of a data breach, following a hack on the National Childbirth Trust (NCT) which left email addresses, usernames and passwords compromised.
The NCT, a London-based charity which supports hundreds of thousands of new and expectant parents, said that no other information had been compromised, bar the email addresses, passwords and usernames of 15,085 users. Confirming the breach to the BBC, the NCT said:
"NCT has suffered a data breach which, regrettably, has caused some users of our website to have their registration details compromised. These details are limited to their email address, username and an encrypted version of the password that they created to register on the site.
"We stress that no financial or personal details are held as part of this data so no financial or personal details have been accessed."
After discovering the breach on Wednesday 6 April, NCT contacted all affected users, detailed the breach and advised them to change their passwords and usernames.
This is just the latest data breach to go public – this year alone we have seen UK organisations such as Ofcom and University of Greenwich targeted by hackers and, of course, the biggest data leak in history has come to light in the form of the high-profile Panama Papers.
Then of course we have the infamous, and very recent, incidents concerning TalkTalk, VTech, Sony, Ashley Madison, United States Office of Personnel Management, Paysafe, LastPass, AT&T, Anthem, Target – the list, unfortunately, only gets longer.
As data breaches quickly become the crisis du jour, it might be easier to list companies which haven’t been breached.
However, we can learn something from the long list of data breach victims. All span different industries – charity, telecoms, finance, government – but all have one thing in common. Data. This tells us that all data is fair game for hackers and cyber criminals, as Eduard Meelhuysen, VP EMEA at Netskope, said:
"The recent data breach reported by the National Childbirth Trust (NCT) reveals the extent to which criminals search for any vulnerable information. Although the charity has confirmed that no personal or financial information was accessed, over 15,000 expectant parents have now had their email addresses, usernames and passwords compromised. Just one in a seemingly never-ending chain of incidents."
The question is, how many more data breaches have to happen, and how much more personal and sensitive data has to be stolen, before companies wake up to the fact that passwords and existing security are no longer enough?
We know the minimum cost of a data breach to be upwards of £1.2m, and companies know that they are ethically and legally bound to protect user data. Yet still, businesses are holding their reputation, finances and customer data to ransom by not ensuring top level security.
James Romer, Chief Security Architect at SecureAuth, said: "For too long organisations have relied on passwords as the single form of access control and it is simply not strong enough, nor adequate to protect vital applications and data.
"If organisations haven’t yet learnt this from the many data breaches from the past year, then the news that The National Childbirth Trust has suffered a data breach, compromising email addresses, usernames and passwords should be a hefty reminder that businesses need to stop deploying such a minimal approach to authentication and take note that if they have something valuable, they are at risk from attacks.
"Organisations must strengthen their defences against cyber adversaries by employing cutting edge adaptive authentication. By layering multiple methods such as device recognition, analysis of the physical location of the user, or even by using behavioural biometrics to continually verify the true identity of the end user, not only will the customer maintain a simple user experience, it also makes stolen credentials completely worthless."
I do recognise, however, that cyber security has no simple answers. Insider threats and social engineering, multiple devices, malware, phishing – just some of a long list of threats and hacker tools which need to be considered when any company tackles security.
However, companies must start taking steps to assess the risk, understand the identified risks to their business, and start building and deploying robust plans to minimise the chances of a cyber attack or data breach. I say minimise, not stop, as no organisation is immune from attack – as we know from recent cyber attacks and the NCT data breach, all data is fair game for hackers no matter the consequences for the victims.
"This latest attack against the NCT highlights that today’s IT criminals bear no consideration for the victims who ultimately bear the brunt of their illegal cyber handywork – be that through financial loss, reputational damage or mental distress. Said Richard Beck, Head of Cyber Security at QA.
"The sad truth is that the onslaught of cyber attacks is pretty much unstoppable. That said, organisations can defend themselves by training their staff and ensuring they have robust plans in place to minimise the chances of a cyber attack including an agreed – and rehearsed – plan of action."