“End-users, sysadmins, and developers lead the pack when it comes to mucking things up, though pretty much all of us are guilty.” These are simple, yet telling, words from the 2014 Data Breach Investigations Report released this week by Verizon.
The report statistics indicate:
The Senate Committee on Commerce, Science, and Transportation today released its analysis of the 2013 Target Data Breach, using the “intrusion kill chain” framework from Lockheed Martin as its analytical tool. In short, the analysis shows that although Target likely failed at multiple steps along the chain to stop the breach, the opening salvo by the attackers was waged on a Target vendor, Fazio Mechanical Services.
Although details are not reported, the report does suggest that the attacker may “have sent malware-laden emails to Fazio at least two months before the Target data breach began.” Target’s supplier portal and facilities management pages were apparently viewable on the Internet, and files from the sites “allowed the attacker to map Target’s internal network prior to the breach.” Unfortunately, Fazio was also using a free version of an anti-malware product, which did not provide real-time protection and was intended only for individual consumer use.
First, kudos to AHIMA for helping raise information governance awareness by sponsoring a Twitter chat on February 20, “Global Information Governance Day.” As an information governance professional, I am encouraged that industry associations like AHIMA are picking up the reins to drive both the visibility and importance of information governance in the enterprise.
As Lynne…
