When Target's data breach hit the front pages, many small-business owners saw it as evidence that hackers only go after big business. But the latest – and largest – data breach, which stole 1.2 billion logins and passwords, shows how hackers are adapting their techniques to target small and large businesses simultaneously.
Hold Security reports how hackers were able to leverage complex attacks against businesses of all sizes. The attack breaks down as follows:
- 420,000 compromised websites.
- 4.5 billion total stolen credentials.
- 1.2 billion unique credentials stolen.
Breached companies include industry leaders, small companies, and personal websites.
Let’s take a more in-depth look at how the attack unfolded and what your clients may be able to learn from the hit.
IT Consultant Nightmare: The First Mega Breach to Target Small Businesses
Last month, we ran a story explaining how hackers search for SQL injection vulnerabilities and attack any website that has these weaknesses (see, "Hotel Hippo Closure Would Be a Wakeup Call for Small Businesses (If Anyone Had Heard of It)" for the full write-up).
If a small business’s website has SQL vulnerabilities, it could be breached. Hackers don't care where the stolen data comes from – it’s all valuable information to them. And that's why the mega-breach targeted large and small businesses alike.
Cyber Attack Clinic: How to Steal a Billion Credentials
According to a BBC article, the cyber criminals behind the latest data breach were able to steal 1.2 billion unique login credentials by using a variety of techniques against small and large businesses. These attacks included…
- Using other stolen data from previous data breaches to hack into email and social media.
- Using compromised user email / social media accounts to launch malware attacks on users and their online connections.
- Building a botnet that identified websites vulnerable to SQL injections.
Most of the damage that was done came from the hackers’ botnet. In essence, the botnet automates the hackers' work. It checks every website an infected computer visited to see if it’s vulnerable. This is how the mega-breach hit so many personal and small business websites (affecting 420,000 total).
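The following is an added illustration, not code from the article or from Hold Security's report, of the weakness the botnet was scanning for and why a single stray quote is enough to flag a site. It uses a constructed in-memory SQLite table standing in for a small-business login database; the function and table names are assumptions for the demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: one account in a tiny users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-password')")
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list[str]:
    # Untrusted input is spliced into the SQL text, so a quote character in
    # the input changes the statement itself. This is the weakness an
    # automated scanner looks for.
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list[str]:
    # Hardened form: the input travels as a bound value and is never parsed
    # as SQL, whatever characters it contains.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def reveals_injection(conn: sqlite3.Connection, lookup) -> bool:
    # Defender's self-check: feed a lone apostrophe, the classic probe.
    # A database error means user input reaches the SQL text, which is the
    # signal a scanning botnet uses to mark a site as vulnerable.
    try:
        lookup(conn, "'")
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup flagged:", reveals_injection(db, lookup_vulnerable))
    print("parameterized lookup flagged:", reveals_injection(db, lookup_parameterized))
```

Running the self-check against your clients' own database access code, rather than waiting for a scanner to do it, is the cheapest audit in this article.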
Thanks to a variety of attacks, the hackers were able to steal the largest number of credentials in history.
Why Hackers Might Be More Inclined to Attack Small Businesses
In our article, "Re: Your Recent Spear Phishing Attack," we warned IT consultants about the growth in spear phishing attacks that target small businesses. We could see a similar explosion in the number of SQL injection attacks launched against small- and medium-sized businesses, too.
Though this may seem clear as day to you, getting your clients to fully appreciate their risks is another story. How can you ensure they understand their cyber vulnerabilities? Try to explain that…
- Hackers are constantly changing and improving their attacks. This botnet-based attack shows how cyber criminals are using new, more advanced techniques. It's easier now for them to locate vulnerable websites.
- Social media exposes small businesses to customized attacks. Phishing attacks have grown more sophisticated in the last few years. Cyber criminals customize their attacks in such a way that spear phishing emails closely resemble business emails that people receive on a daily basis. (For a recent example, see "Hackety-Hack, Don't Click That (Even Savvy Bitcoin Bidders Are Getting Hacked).")
- Small businesses now have more data to protect than they did five years ago. Because your clients have more data and might be linked to other businesses' data, they have more cyber liability.
- Interconnectivity creates more risk. If your clients have multiple third-party contractors and businesses working for them, they can be hacked when their contractors are targeted.
Because small business attacks could increase in the near future, now is a great time to educate your clients about data breach response, recovery, and prevention. Use this news story to illustrate how small businesses face cyber risks every day.
Remember that as your clients’ risk increases, so does your own. If a botnet flags your client’s website for SQL injection, you could be sued for not doing more to prevent the breach.
That’s why many IT businesses invest in technology E&O Insurance, which covers legal expenses when a client sues over data breaches and other IT issues. To get an idea about how much data breach insurance costs for IT professionals, see our free insurance cost estimates.