The unfortunate trend of phishing emails is not just confined to relatively harmless, time-wasting emails that a well-trained (in terms of information security) employee can spot and delete without much concern. Sometimes these phishing attempts can actually cause major data breaches that can cost organizations a lot of money and possibly even damage their reputation, all because an untrained or careless employee opens and them and downloads an attachment.
This article will detail five instances where phishing emails led to real-world data breaches.
What is phishing?
For the few of you out there that are still scratching your head when I mention “phishing,” we’re not referring to either the vacation pastime or what you say when you are playing hooky. Phishing is an email-based form of cyberattack where the attacker poses as someone the recipient knows or does business with, with the intent of getting the recipient to download an attachment or click on a link. Attackers play on the trust of the victim and trick them into action. This can lead to data disclosure or malware infection, resulting in disastrous data breaches.
1. New York Oncology Hematology attack
New York Oncology Hematology (NYOHA), a cancer care and blood disorder service provider based in Albany, New York, fell victim to a phishing email scheme in April 2018. This phishing scheme consisted of email directed at NYOHA employees and patients. The attackers used what was deemed a “sophisticated” phishing scheme where NYOHA employees and patients were prompted with a NYOHA login page that requested users enter their email sign-in credentials. The data they entered was then used to access these email accounts.
When the investigation was over, it was determined that at least one email account containing protected health information (PHI) was breached, exposing unauthorized PHI to the attackers. NYOHA responded by offering affected employees and patients one year of free credit monitoring and identity theft services.
2. John Podesta email attack
In March 2016, Hillary Clinton’s campaign chairman John Podesta was apparently the victim of a phishing attack launched by Fancy Bear, a Russian hacking group. The original phishing email would have made most anyone with proper information security training cringe.
On March 19th, 2016, Podesta’s Gmail account received a strange email with a stranger email extension of googlemail.com. The email was titled “Someone has your password.” It gave a timestamp and location stamp of Ukraine and offered a shortened bit.ly URL to click on to change the password. The email can be found below:
It was determined that the shortened bit.ly URL was clicked on to change Podesta’s password, and within months Podesta’s emails were leaked through WikiLeaks.
What’s even more troubling is that Hillary Clinton’s help desk professional, Charles Delevan, opined that the original phishing attempt was a legitimate email and that Podesta needed to change his password. If it were not for this poor analysis of a phishing email, Podesta’s emails may not have been leaked at all. Taken as a whole, this situation shows that proper information security awareness may be a key factor in the outcome of elections.
3. Xoom Corporation
Xoom Corporation was a target of a phishing attack in 2014 that cost the international money transfer organization significantly. In this attack, an email spoofing campaign was unleashed on Xoom’s financial department. This ignited a multi-agency investigation, which resulted in some major internal upheaval. Xoom’s CFO resigned and Xoom’s audit committee began an investigation of the matter with the help of independent advisors. To prevent similar incidents from occurring in the future, Xoom has implemented additional internal procedures.
The immediate financial impact of this attack was $30.8 million. Xoom’s stock also dipped 14%, which cost approximately $31 million. Clearly, phishing attacks which lead to data breaches can cost organizations dearly.
4. University of Kansas attack
In July 2016, employees of the University of Kansas fell victim to an email phishing scheme which cost them their paychecks. This phishing attack consisted of requests for the employees to update their payroll information. Updating this information allowed the attackers to alter the direct deposit banking information of those who actively responded to their update requests. According to a University of Kansas spokesperson, five employees responded to this phishing attempt and three employees ended up not receiving their paychecks.
The University of Kansas responded to this incident by sending out a mass information security awareness email, highlighting the risk posed by phishing emails and how to spot them when they find their way into your inbox. It is safe to say that had this email had been sent out before the phishing attack, at least one of the affected employees would have not fallen for it.
5. Ubiquiti Networks attack
On June 5th, 2015, San Jose wireless networking technology company Ubiquiti Networks discovered that they had fallen victim to a phishing scheme, costing them millions. Using both employee and executive impersonation, $46.7 million in Ubiquiti’s funds were transferred to the attacker’s bank accounts in third-party banks. The scheme later turned out to have originated from their Hong Kong subsidiary.
Ubiquiti has since recovered up to $14.9 million of the funds and is cooperating with both federal and international authorities to attempt to recover the rest. It was discovered that the attackers did not penetrate Ubiquiti’s IT infrastructure and that no malicious insider activity occurred, which highlights the destructive ability that a seemingly harmless email can cause when real-world data breaches strike.
Phishing email attacks can result in real-world data breaches which can cost organizations significantly. Attackers have proven successful in instigating data breaches in a wide variety of different organizations in different industries, but one of the strongest links between all of these cases is at least a hint of employee error regarding how they responded to these phishing emails.
Robust information security awareness training highlighting the specific perils of phishing emails and how to identify them may have been all that was needed to stop these data breaches. There is no doubt that information security training should be implemented in all organizations to prevent phishing attacks from being successful.