by Josh Arrington
Another week and yet another high-profile data breach with potentially disastrous implications. Already, this attack has forced one of the officials involved with the organization to refer to the exposed data as “political dynamite.” Let’s dig into this breach and the rest of this week’s headlines in our IT Security Rewind:
IMF—Stable but not secure: The biggest news item of the week actually originated over the weekend, when word first broke that the International Monetary Fund, an organization of 187 countries committed to ensuring the stability of the international monetary and financial system, was the target of a sophisticated computer security attack. While details on the culprits and severity of the attack are still only trickling out, Government Computer News reports that the hack may have been carried out by a foreign government. The coordinated attack, which resulted in the loss of a “large quantity of data” relating to “sensitive country financial information,” was likely initiated by an old-school spear-phishing attack, but is there more to the story? Typically, spear phishing and similar tactics are simply the door hackers use to enter an organization—once inside, they use and exploit elevated privileges to reach their destination and the troves of sensitive data stored across systems.
Not Summer in the Citi: Last week’s massive Citigroup data breach continued to attract headlines. While the bank divulged that the attack affected 360,000 credit card customers, according to the Financial Times, U.S. officials are demanding more details regarding the extent of the breach and its potential for recurrence. The article also suggests that the breach calls into question not only the relative lack of regulation in place to protect consumer data, but also the security of online banking websites. In this instance, attackers may have been able to leverage flaws in the website’s programming language or the way it is administered.
Data Breach Notification—The Law is Taking a Stand: As this eWeek article points out, the United States Congress continues to push for new data breach legislation. This time, Congressmen have filed legislation that would require companies to notify customers of a data breach within 48 hours following the completion of an incident assessment. However, other Congressmen have expressed skepticism over this pending legislation—will this law just result in stalling tactics? What’s your take—would this law have a positive impact on the industry? Is there a better alternative?
That’s it for this week’s Rewind. As always, your comments are encouraged!