Dow Jones Subject to Data Breach


Per The Wall Street Journal, Dow Jones & Co. (Ticker: DJI) is the next name in a long line of victims of cyber attacks and data breaches. According to Reuters, Dow Jones has not found any direct forensic evidence and “had taken steps to stop the breach.” These steps may be too late.

“The data breach potentially accessed payment card information for fewer than 3,500 individuals, said Dow Jones, a unit of News Corp (Ticker: NWSA) and owner of The Wall Street Journal, MarketWatch and Barron’s. The goal of the broader hack seems to have been to obtain contact information, Dow Jones said” (The Wall Street Journal, 2015).

CNBC is reporting that “The system was breached between August 2012 and July 2015.” That is too long a period for any cyber attack or data breach to be ‘in progress’ without detection, especially when customer payment data is included.

“Dow Jones CEO William Lewis said the company found ‘no direct evidence that information was stolen.’ The hackers appeared to target contact information in order to send fraudulent messages to customers, he added” (CNBC & NBC News, 2015). Dow Jones CEO William Lewis told Fortune (2015), “We understand that this incident was likely part of a broader campaign involving a number of other victim companies.”

Our Analysis

Taking this long to discover an attack or breach is uncalled for. I give Dow Jones & Co. kudos for reporting quickly and seemingly transparently. Ultimately, this should have been avoided. Depending on the attack vector, there are several mitigating measures that could have been applied:

  1. Sanitization of inputs to prevent SQL Injection or any other code injection
  2. Using “Strong Passwords” or pass phrases and changing them frequently
  3. Implementing a strong vulnerability management and scanning program
    1. This could have prevented any information disclosure vulnerabilities from unpatched software
    2. This could have uncovered the vulnerable asset and prompted someone to fix it
  4. A security awareness program that educates users about passwords, internet security & safety, and phishing/social engineering would have prevented and/or delayed the attack
  5. A good information security policy would have spelled all of this out
  6. An insider threat awareness program could have identified anyone that may have attempted this internally

There are some vulnerabilities that cannot be remediated, and there will always be some risk of an attack of some sort. By implementing best practices and a sound security program, most issues are minimized or eliminated. The issue here is that too often, organizations see the minimum security requirements as the end-all/be-all without thinking about the possible damage to the organization and/or its reputation. Regulatory compliance like PCI or Sarbanes-Oxley (SOX) is great, but it is not holistic for the organization as a whole, merely a small subset. While it may not be the case here, it certainly could be.

Other High Profile Breaches:

Experian (includes T-Mobile)
Scottrade
Trump Hotels
Tesla and Chrysler (unrelated to each other)
Apple App Store
U.S. Office of Personnel Management (OPM)
Kaspersky & FireEye (unrelated to each other)
Excellus Blue Cross Blue Shield
Ashley Madison
Ashley Madison (follow up)

Thanks for stopping by and reading our blog. We would appreciate if you could subscribe (assuming you like what you read; we think you will). This is meant to be informative and to provide value to anyone who reads this – regardless of their knowledge and/or understanding of IT/Cybersecurity. To learn more about us, check out our “About Us” page.

Be sure to subscribe to this blog and to our Podcast.

References

The Wall Street Journal
CNBC
Fortune
NBC News

About Joe Gray

Joe Gray is a native of East Tennessee. He joined the U.S. Navy directly out of High School and served for 7 years as a Submarine Navigation Electronics Technician. Since leaving the Navy, Joe has lived and worked in St. Louis, MO, Richmond, VA, and Atlanta, GA. His primary experience is in the Information Assurance (IA) and Cyber Security compliance field. He has worked as a Systems Engineer, Information Systems Auditor, Senior UNIX Administrator, Information Systems Security Officer, and Director of IT Security. Joe is in pursuit of his PhD in Information Technology (with focus in Information Assurance and Security). His undergraduate and graduate degrees are also in Information Technology (with focus in Information Assurance and Security) from Capella University, where he graduated Summa Cum Laude for both degrees and completed a Graduate Certificate in Business Intelligence. He also is a part-time (Adjunct) Faculty at Georgia Gwinnett College. Joe holds the (ISC)² CISSP-ISSMP, GIAC GSNA, CompTIA Security+, CompTIA Network+, and CompTIA A+ certifications. In his spare time, Joe enjoys reading news relevant to information security, blogging, bass fishing, and flying his drone in addition to tinkering with and testing scripts in R and Python.