Dow Jones Subject to Data Breach:
Per The Wall Street Journal, Dow Jones & Co. (Ticker: DJI) is the next name in a long line of victims of cyber attacks and data breaches. According to Reuters, Dow Jones has not found any direct forensic evidence and “had taken steps to stop the breach.” These steps may be too late.
“The data breach potentially accessed payment card information for fewer than 3,500 individuals, said Dow Jones, a unit of News Corp (Ticker: NWSA) and owner of The Wall Street Journal, MarketWatch and Barron’s. The goal of the broader hack seems to have been to obtain contact information, Dow Jones said” (The Wall Street Journal, 2015).
CNBC is reporting that “The system was breached between August 2012 and July 2015.” That is too long a period for any cyber attack or data breach to be ‘in progress’ without detection, especially when customer payment data is included.
“Dow Jones CEO William Lewis said the company found ‘no direct evidence that information was stolen.’ The hackers appeared to target contact information in order to send fraudulent messages to customers, he added” (CNBC & NBC News, 2015). Dow Jones CEO William Lewis told Fortune (2015): “We understand that this incident was likely part of a broader campaign involving a number of other victim companies.”
Taking this long to discover an attack or breach is uncalled for. I give Dow Jones & Co. kudos for reporting quickly and seemingly transparently. Ultimately, this should have been avoided. Depending on the attack vector, there are several mitigating measures that could have been applied:
- Sanitization of inputs to prevent SQL injection or any other code injection
- Using “Strong Passwords” or pass phrases and changing them frequently
- Implementing a strong vulnerability management and scanning program
  - This could have prevented any information disclosure vulnerabilities from unpatched software
  - This could have uncovered the vulnerable asset and prompted someone to fix it
- A security awareness program that educates users about passwords, internet security & safety, and phishing/social engineering would have prevented and/or delayed the attack
- A good information security policy would have spelled all of this out
- An insider threat awareness program could have identified anyone who may have attempted this internally
Some vulnerabilities cannot be remediated, and there will always be some risk of an attack of some sort. By implementing best practices and a sound security program, however, most issues are minimized or eliminated. The issue here is that too often, organizations see the minimum security requirements as the be-all and end-all without thinking about the possible damage to the organization and/or its reputation. Regulatory compliance like PCI or Sarbanes-Oxley (SOX) is great, but it is not holistic for the organization as a whole; it covers merely a small subset. While it may not be the case here, it certainly could be.
Other High Profile Breaches:
- Experian (includes T-Mobile)
- Tesla and Chrysler (unrelated to each other)
- Apple App Store
- U.S. Office of Personnel Management (OPM)
- Kaspersky & FireEye (unrelated to each other)
- Excellus Blue Cross Blue Shield
- Ashley Madison (follow up)
Thanks for stopping by and reading our blog. We would appreciate if you could subscribe (assuming you like what you read; we think you will). This is meant to be informative and to provide value to anyone who reads this – regardless of their knowledge and/or understanding of IT/Cybersecurity. To learn more about us, check out our “About Us” page.
Be sure to subscribe to this blog and to our Podcast.