Cyber-extortion, where criminals gain control of company assets through the Internet, isn’t a new phenomenon. For more than a decade, perpetrators have been using ransomware – malware that restricts access to infected machines until the owners pay a ransom – to extort money from businesses.
However, the practice of cyber-extortion has taken some grisly new turns, most recently in the data breach of British telecommunications firm TalkTalk. Hackers breached the TalkTalk website and stole millions of customer details, then demanded ransom in exchange for not releasing or using the information.
With ransomware, companies usually get infected when an employee or other user on the company network visits an infected site and triggers a background (drive-by) download to the PC. From there, the ransomware spreads across the network. This approach is disconcerting enough, especially given that in some cases the sites spoof or redirect from legitimate websites, and/or the payload (the malware) is digitally signed to fool security software.
However, in TalkTalk’s case, no spoofed or compromised website visits were necessary. The criminals simply penetrated the firm’s website defenses, stole its data and demanded money. Of course, data breaches are nothing new, but TalkTalk was not a retail giant or a bank with millions of valuable credit card numbers. It was a midsized telecommunications firm, and yet it was attractive enough to roll out this sophisticated scheme.
Ransomware is already serious business. One of the most damaging ransomware variants, Cryptowall, has netted $325 million for attackers. It was only a matter of time until hackers realized they could exploit stolen data in the same way, and that realization broadens the breadth and depth of exposure for every company that has data to protect.
After this event, the question for business owners becomes, “What did TalkTalk do to attract this attention?” The answer is simple. The firm was careless in its attitude towards cybersecurity.
TalkTalk had already been breached at least twice this year. In February, TalkTalk warned its customers about scammers who had stolen thousands of account numbers and names from the company’s computers. In August, the company revealed its mobile sales site had been hit by a “sophisticated and coordinated cyberattack” in which personal data was breached by criminals.
Making matters worse, TalkTalk has admitted it was storing some of the personal information it held in “plaintext,” meaning the data wasn’t encrypted. TalkTalk was a ripe plum waiting to be picked, and someone did just that. The company’s misfortune stands as a reminder to any firm that takes a lax attitude towards security, thinking, “It won’t happen to us.”