Verizon Enterprise Data Hit, Hackers Seek Big Payday
Verizon Enterprise Solutions is the latest company to fall victim to a data breach where cyber-criminals are targeting potentially lucrative corporate information, rather than details about consumers.
10 Stupid Moves That Threaten Your Company's Security
(Click image for larger view and slideshow.)
Verizon Enterprise Solutions, which is a division of Verizon that helps Fortune 500 firms respond to data breaches, became itself the latest corporate victim of a security breach. The cyberthief is now attempting to sell information gleaned off of the company's enterprise client portal.
Verizon's security breach is just another example of cyber-criminals pilfering potentially lucrative corporate information instead of going after consumer data.
In this particular case Verizon Enterprise Solutions had contact data for an estimated 1.5 million of its customers taken. The cyberthief is looking to sell the information for $100,000 in its entirety, or in sets of 100,000 records for $10,000 each, according to a Krebs on Security report.
The security breach did not extend to Verizon's customer base of consumers, the company told InformationWeek.
(Image: Mikko Lemola/iStockphoto)
"Verizon Enterprise Solutions recently discovered and fixed a security vulnerability on our enterprise client portal. Our investigation to date found an attacker obtained basic contact information on a number of our enterprise customers. No customer proprietary network information (CPNI) or other data was accessed or accessible. The impacted customers are currently being notified," Janet Brumfield, a Verizon Enterprise spokeswoman, said to InformationWeek.
Krebs notes in his report that any buyer of the Verizon Enterprise contact data will likely use it to for phishing or other types of attacks. By coaxing unsuspecting employees to inadvertently provide access to their computer and network in a phishing scheme, the buyer of the Verizon data can leverage their investment and attempt to pilfer data from these customers.
Maxim Weinstein, a security advisor for Sophos, told InformationWeek that attacks on enterprises are on the rise.
"There definitely has been an increase in attacks targeting enterprises over the last couple years. And it is not just large enterprises, but small and midsize businesses, as well," Weinstein said. "One scam we've been seeing a lot is a "spear phishing" (targeted fake email) attack against someone in finance or HR. It looks to be a very believable email from a trusted senior executive, likely one who is traveling, requesting an urgent transfer of money or data. Of course, the transfer is really going to the attackers."
Gain insight into the latest threats and emerging best practices for managing them. Attend the Security Track at Interop Las Vegas, May 2-6. Register now!
He added that with many of these attacks this type of scam takes advantage of a combination of human nature, or social engineering, insecure processes like not requiring confirmation in person or via a trusted channel, and gaps in technical security measures, such as data loss prevention tools.
"Targeted attacks are far more likely to be aimed at companies, like the Verizon case, or government agencies, as these are likely to have some combination of high value data, large bank accounts, and political or 'bragging rights' value," Weinstein said.
Wade Williamson, director of threat analytics at Vectra Networks, noted that enterprises also tend to be much more valuable locations for a criminal to go hunting, because they naturally are likely have a centralized tranche of data. "For instance, if you want to steal payment card data, it obviously makes sense to steal by the thousands from a retailer, as opposed to one at a time from individuals," he noted.
Morey Haber, vice president of technology at BeyondTrust explained there are two primary objectives for cyber-criminals to target enterprises. One is to extract information to monetize through reselling the information, and the other is to disrupt or embarrass the company in order to impact its business.
[Editor's note: This article was updated to add the comments of Wade Williamson and Morey Haber.]
Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
2017 State of IT ReportIn today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.