Oh look, it's another day on the Internet and another notice that our private data held by a business has been compromised. It must be a day ending in 'y'.
That's how I felt when the article "Dell warns of data breach, 49 million customers allegedly affected" from Bleeping Computers was shared with me when I logged in.
It feels that way, though, doesn't it? It also got me thinking a little that it's probably just safer to assume that my data isn't private anymore.
Sigh. A little nihilistic, I know but it does make me think about keeping my data and myself safe in a different light.
Before I get into some practical thoughts on the matter, let's take a quick look at the Dell breach.
First Noticed
It appears that a threat actor named Menelik attempted to sell a Dell database on the Breach Forums hacking forum on April 28th (as reported by Daily Dark Web).
Dell sent out breach notices on May 8th (EST), and it's not clear whether this breach notice is related to the incident above or is just coincidental. As far as I can see, Dell has made no statement on the matter.
Severity Of The Risk
The data that is said to be leaked contains:
- Physical Addresses
- Customer Names
- Dell hardware and order information, including service tag, item description, date of order, and related warranty information
Dell states they don't believe this to be a "significant risk"; however, as Bleeping Computer rightly points out, there are still ways for bad actors to monetise this data.
"Threat actors could target specific people with physical mailings with phishing links or that contain media (DVDs/thumb drives) to install malware on targets' devices." (Bleeping Computers)
Whilst that might sound far-fetched, according to Bleeping Computers, it has been done previously. So, dear reader, beware of strangers bearing gifts. Or perhaps, in this case, the postman bearing gifts!
Is the risk a major one to identity, passwords and the like? It could be.
How Do I Protect Myself?
I can hear readers asking that loudly. And not just from a personal or consumer point of view. How can businesses protect themselves from these types of breaches - or can they?
Let's dig into that in two parts.
For Consumers
Password Hygiene
It's important to update your passwords regularly for online accounts. It's equally important to avoid reusing passwords across multiple accounts. Certainly, complex passwords are slower to crack, but they are crackable given enough time and the right resources.
I can hear some of you, though: "But how will I remember them!"
Use a Password Manager - A Good One
A password manager is a piece of software designed to securely store and manage your passwords for various online accounts. It works by encrypting your passwords and storing them in a centralized vault, which is protected by a master password or passphrase that only you know. When you need to log in to a website or service, the password manager can automatically fill in your credentials, saving you the hassle of remembering or typing them manually.
A GOOD password will keep you safe. A poor one won't - so be careful which you choose.
My recommendation is Zoho Vault or Roboform. I use both and have done for years.
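To make the "encrypted vault protected by a master password" idea concrete, here is an added teaching example (not code from Zoho Vault, Roboform or any other product). It stretches the master password with scrypt using a random salt, encrypts the entries with an HMAC-SHA256 keystream and then authenticates the result with a second HMAC key, so that a wrong master password or a tampered file fails closed rather than yielding garbage. The file layout (salt, nonce, ciphertext, tag) and the sample entries are constructed for this example; a real password manager uses a vetted authenticated-encryption library rather than a hand-built construction like this one.

```python
import hashlib
import hmac
import json
import os
import struct

# Constructed vault layout for this example: salt || nonce || ciphertext || tag
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the master password into two independent 32-byte keys.

    scrypt is memory-hard, so anyone who steals the vault file pays the same
    cost per guess that the legitimate user pays once per unlock. Only the
    salt is stored; the master password itself never touches disk.
    """
    material = hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                              n=2**14, r=8, p=1, dklen=64)
    return material[:32], material[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a pseudorandom keystream (teaching construction)."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, nonce + struct.pack(">I", counter),
                               hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def seal_vault(entries: dict, master_password: str) -> bytes:
    """Encrypt-then-MAC the JSON-encoded entries under a fresh salt and nonce."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode("utf-8")
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def open_vault(blob: bytes, master_password: str) -> dict:
    """Verify the tag first; decrypt only if the password and file are intact."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered vault")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, stream))
    return json.loads(plaintext.decode("utf-8"))


def unlock_attempt(blob: bytes, master_password: str) -> bool:
    """Convenience check: does this master password open the vault?"""
    try:
        open_vault(blob, master_password)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample entries; one unique password per site, as the post advises.
    sample = {"shop.example": "Tq7!vR2#kLp9", "mail.example": "zX4$nW8&bQe1"}
    vault = seal_vault(sample, "correct horse battery staple")
    print("unlocks with right password:", unlock_attempt(vault, "correct horse battery staple"))
    print("unlocks with wrong password:", unlock_attempt(vault, "password123"))
```

The point to take from it is the failure mode: losing the vault file alone gives an attacker nothing usable without the master password, which is why the strength of that one password matters more than any other.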
Enable Two-Factor Authentication (2FA)
Enable 2FA wherever possible to add an extra layer of security to your accounts. This makes it more difficult for unauthorized users to gain access, even if they have your password.
If you aren't sure what Two-Factor Authentication is, I'll do a more in-depth article on that soon. Zoho Vault has a wonderful Two-Factor Authenticator built right into it, though.
Beware of Strangers (or the Postman) bearing Unexpected Gifts
If you unexpectedly receive a thumb drive in the mail, I would recommend throwing it in the bin. At the very least, call the company - LOOK THE PHONE NUMBER UP, don't rely on the one provided in the accompanying documentation - and ask whether they are running a promotion that involves sending out a data stick.
Even if they say yes, I would ensure that my computer has virus scanning enabled and scan the drive as soon as I inserted it.
On second thoughts, I would throw the datastick in the bin.
For Business Owners
Business owners can and should employ all the strategies above. In addition, there are a couple more things you can do.
Data Encryption
Encrypt sensitive data both at rest and in transit to prevent unauthorized access. Implement encryption mechanisms for databases, file servers, and communication channels.
Anything you store, whether in a local datastore or a cloud service should have some encryption on it. If you aren't sure, reach out to your provider for advice.
Employee Training
Conduct regular cybersecurity awareness training for employees and contractors to educate them about common threats like phishing attacks and social engineering tactics.
If you aren't sure what those terms mean, get some education around them. A high number of compromises come from what amount to 'simple' social engineering approaches.
Employees should be trained to recognise suspicious emails or links and report them promptly. In addition, strong processes should be in place to ensure that requests to access sensitive or personal data can be verified.
Incident Response Plan
Develop and regularly update an incident response plan outlining procedures for detecting, containing, and responding to security incidents. Test the plan through simulated exercises to ensure its effectiveness in real-world scenarios.
By implementing these practical measures, both consumers and business owners can enhance their data security posture and reduce the risk of falling victim to data breaches or cyberattacks.