Verizon Enterprise Solutions, the division of Verizon that helps Fortune 500 firms respond to data breaches, has itself become the latest corporate victim of a security breach. The cyberthief is now attempting to sell information gleaned from the company's enterprise client portal.
Verizon's security breach is just another example of cyber-criminals pilfering potentially lucrative corporate information instead of going after consumer data.
In this particular case Verizon Enterprise Solutions had contact data for an estimated 1.5 million of its customers taken. The cyberthief is looking to sell the information for $100,000 in its entirety, or in sets of 100,000 records for $10,000 each, according to a Krebs on Security report.
The security breach did not extend to Verizon's customer base of consumers, the company told InformationWeek.
"Verizon Enterprise Solutions recently discovered and fixed a security vulnerability on our enterprise client portal. Our investigation to date found an attacker obtained basic contact information on a number of our enterprise customers. No customer proprietary network information (CPNI) or other data was accessed or accessible. The impacted customers are currently being notified," Janet Brumfield, a Verizon Enterprise spokeswoman, said to InformationWeek.
Krebs notes in his report that any buyer of the Verizon Enterprise contact data will likely use it for phishing or other types of attacks. By coaxing unsuspecting employees into inadvertently providing access to their computers and network in a phishing scheme, the buyer of the Verizon data can leverage the investment and attempt to pilfer data from these customers.
Maxim Weinstein, a security advisor for Sophos, told InformationWeek that attacks on enterprises are on the rise.
"There definitely has been an increase in attacks targeting enterprises over the last couple years. And it is not just large enterprises, but small and midsize businesses, as well," Weinstein said. "One scam we've been seeing a lot is a 'spear phishing' (targeted fake email) attack against someone in finance or HR. It looks to be a very believable email from a trusted senior executive, likely one who is traveling, requesting an urgent transfer of money or data. Of course, the transfer is really going to the attackers."
He added that this type of scam takes advantage of a combination of human nature (social engineering), insecure processes such as not requiring confirmation in person or via a trusted channel, and gaps in technical security measures, such as data loss prevention tools.
"Targeted attacks are far more likely to be aimed at companies, like the Verizon case, or government agencies, as these are likely to have some combination of high value data, large bank accounts, and political or 'bragging rights' value," Weinstein said.
Wade Williamson, director of threat analytics at Vectra Networks, noted that enterprises also tend to be much more valuable locations for a criminal to go hunting, because they naturally are likely to have a centralized tranche of data. "For instance, if you want to steal payment card data, it obviously makes sense to steal by the thousands from a retailer, as opposed to one at a time from individuals," he said.
Morey Haber, vice president of technology at BeyondTrust, explained that cyber-criminals have two primary objectives when targeting enterprises. One is to extract information and monetize it by reselling it; the other is to disrupt or embarrass the company in order to impact its business.
[Editor's note: This article was updated to add the comments of Wade Williamson and Morey Haber.]