Could Better Cybersecurity Training Have Prevented These Recent Data Breaches?

First Posted: Dec 08, 2022 05:26 AM EST
Close-Up View of System Hacking in a Monitor

(Photo : Tima Miroshnichenko)

Modern enterprises invest significant resources into cybersecurity training these days, with the sector expected to see over 13% in annual growth through the end of the decade. However, as the near-constant stream of headlines announcing a cyber breach attests, security training leaves a lot to be desired.

Most training programs prioritize important pillars of security awareness, such as phishing training for employees, but many unfortunately deliver their lessons in unengaging and ineffective formats. Seminars and lectures by the head of cybersecurity are unlikely to make an impact on business-oriented employees, which is why today's successful programs favor gamification and micro-learning strategies.

Here are five recent high-profile cyber breaches that serve as cautionary tales, underlining the point that companies need better cybersecurity training.

Kaiser Permanente breach

Kaiser Permanente is the largest nonprofit health plan provider in the United States. On June 3, 2022, the company announced that attackers had breached an employee's email account and potentially exposed 70,000 patients' medical records. Interestingly, this announcement arrived a month after the company first detected the unauthorized access.

News of the breach did not make headlines, because Kaiser had no proof that attackers had released sensitive patient data, such as credit card numbers, social security information, and medical records. The company was lucky this breach did not shut its business down. A similar breach forced startup myNurse to shut its doors earlier this year.

While Kaiser has not responded to requests for more details, security experts have concluded this breach was the result of a phishing campaign that also likely involved credential stuffing. In phishing attacks, malicious actors impersonate trusted sources and convince employees to enter sensitive information.

Business email compromise remains one of the largest cybersecurity threats today. It is also a foundational element of security training. The fact that Kaiser's employee fell for a phish despite receiving training indicates the company's programs have a lot of room for improvement.

The Uber breach

While Kaiser was mum on the details of the breach it suffered, Uber's attacker left it no such choice. An 18-year-old hacker proclaimed Uber's ineffective security measures made it easy for them to steal the ridesharing company's data in September 2022.

The attacker gained access through a combination of social engineering and phishing. According to the company, the attacker obtained an Uber contractor's password (probably from a dark web forum) and bombarded them with multi-factor authentication (MFA) requests.

MFA requires users to enter their password and confirm a key delivered to another device, such as a phone. The contractor divulged their key to stop the wave of MFA requests. The attacker posed as an internal technology worker and ultimately gained access to Uber's systems, giving them full access to data.

This episode shows how sophisticated and seemingly sound security techniques like MFA are inadequate without proper employee training. In addition to teaching employees what a security method is, companies must also convey many possible breach sequences, so employees can have a chance to recognize them.
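The "wave of MFA requests" described above leaves a recognizable trail in authentication logs: a burst of denied or expired push prompts for one user followed by an approval. The following detection script is an added example, not code from the article or from Uber or any MFA vendor; the log format, user names, and thresholds are constructed for illustration.

```python
"""Flag MFA push-fatigue patterns in authentication logs.

Added example (not from the article or any vendor). A user who approves
a push prompt after a burst of denied or timed-out prompts matches the
sequence described in the Uber incident and should be verified out of band.
The log format below is constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, user, outcome of one MFA push prompt.
SAMPLE_LOG = """\
2022-09-15T22:01:10Z alice APPROVED
2022-09-15T22:05:42Z bob DENIED
2022-09-15T22:06:03Z bob DENIED
2022-09-15T22:06:30Z bob TIMEOUT
2022-09-15T22:07:11Z bob DENIED
2022-09-15T22:08:50Z bob APPROVED
2022-09-15T22:40:00Z carol DENIED
2022-09-15T23:30:00Z carol APPROVED
"""

def parse_log(text):
    """Yield (timestamp, user, outcome) tuples from the constructed format."""
    for line in text.splitlines():
        ts, user, outcome = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, outcome

def find_push_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Return {user: count} for users who approved a push after at least
    `threshold` denied/expired prompts within the preceding `window`."""
    recent = defaultdict(list)   # user -> timestamps of unapproved prompts
    flagged = {}
    for ts, user, outcome in sorted(events):
        # Drop prompts that fall outside the sliding window.
        recent[user] = [t for t in recent[user] if ts - t <= window]
        if outcome in ("DENIED", "TIMEOUT"):
            recent[user].append(ts)
        elif outcome == "APPROVED" and len(recent[user]) >= threshold:
            flagged[user] = len(recent[user])
            recent[user].clear()
    return flagged

if __name__ == "__main__":
    for user, n in find_push_fatigue(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: approval after {n} rejected prompts; verify with the user")
```

On the sample log only bob is flagged (four rejected prompts, then an approval within ten minutes); carol's single denial an hour before her approval falls outside the window.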

Marriott's third data breach in four years

The Marriott organization is seemingly as popular with cybercriminals as it is with consumers. The hotel and resort chain announced its third data breach in four years in July 2022, labeling the latest breach non-sensitive.

However, security experts and journalists received details such as guest room numbers, corporate credit card numbers, and airline flight crew names.

In this latest incident, the attacker used social engineering to trick an employee into giving them access to Marriott's databases. Although the compromised user did not have access to highly sensitive systems on Marriott's network, the loss of 400 individuals' sensitive information is significant.

While details are scarce, the attacker likely used similar methods to the Uber breach, tricking an employee by posing as someone higher on the corporate ladder. While security training programs often warn employees of this type of attack, the fact that Marriott's employee did not respond properly indicates a lack of training effectiveness.

Spirit Super experiences phishing

Australian insurance company Spirit Super barely made headlines when it announced a data breach in May 2022. Sadly, this incident highlights how numb the world has become to such incidents. Despite proclaiming repeatedly that the company takes cybersecurity "seriously," the insurance company's employees fell for a generic phishing attack.

In a statement, Spirit Super revealed that a broad phishing campaign emailed employees doctored versions of an official company page, tricking them into clicking a malicious link. Once clicked, the employee entered sensitive information, giving attackers access to their inbox and associated data.

As with Uber, attackers bypassed MFA protocols by getting the employee to reveal the authentication key, illustrating how some security training programs are significantly underestimating social engineering attacks.

While the breach was not significant in terms of records obtained, customer data such as bank account numbers and ID information was revealed.

Phishing targets West African banks

Several West African banks were the target of a broad phishing campaign whose impact is still unknown. No bank has officially acknowledged the attackers' attempts or disclosed whether any customer information was compromised.

In this campaign, attackers sent recruitment emails to bank employee inboxes, offering better positions and pay. To make the emails look authentic, the attackers cc'd other genuine email addresses at other banks.

The emails prompted victims to download malware onto their computers, potentially giving attackers access to system files and other sensitive data.

HP Wolf Security, the firm that revealed these attacks, noted that while phishing isn't a sophisticated attack technique, employees continue to fall for it. Clearly, phishing training needs a revamp.

A disturbing pattern

These attacks show how data breaches are increasing, and their techniques are disturbingly simple. An email and social engineering are all that is seemingly needed for a company to suffer a breach.

Cybersecurity training needs to keep pace with these methods, and organizations must rethink how they deliver training programs.

©2017 ScienceWorldReport.com All rights reserved. Do not reproduce without permission. The window to the world of science news.
* This is a contributed article and this content does not necessarily represent the views of scienceworldreport.com
