This is the second in a series of posts about Cyber Defense that happened to real people in real life, costing very real money.
Peter came into work thinking, “Today is gonna be boring as hell. I can’t wait till my shift ends”. He couldn’t have been more wrong. One terrible password “Policy 2014” would soon turn his insurance agency upside down.
Peter had been working in a 24/7 security centre for a couple of years. He was an IT security specialist and he thought that he’d seen it all. This illusion was shattered when he picked up the phone.
“We have a problem. We are losing clients!” he heard through the receiver. He kept listening, though he had no idea how this applied to him. “I think someone might have broken into our sales system! He calls our clients whose contracts are soon to expire. Just before we have a chance to do so ourselves”, the caller complained. The situation was beginning to look serious, and confusing. The system had recently been updated to boost security.
At first, the staff who drafted offers for sales reps were accused of leaking the information. It had to be them. They had full access to the system. However, after close monitoring of the system, these suspicions proved to be unfounded. A lead was discovered by sheer coincidence: someone tried to log into the internal sales system using the account of an employee who was currently on holidays. The situation required immediate action.
Peter had to identify the exact time and place the system was hacked into through sales reps’ accounts. For this purpose he used a Network Monitoring System of his own design. Unfortunately, it didn’t shed much light on the matter. The login location shifted each time he scanned the system. What is more, these locations were often miles away from each other! Then he started to think like a detective – he decided to lay some bait for the hacker.
He created a fake profile for a client whose contract was about to expire. A sales rep was to call him in exactly five days. However, Peter entered his own phone number in the client’s profile details. It only took three days for the hacker to bite. After a two-minute phone call, everything became clear enough. It turned out that the mysterious hackers were in fact employees of a distributor with whom Peter’s company had entered into a contract for the sale of its insurance policies. These suspicions were only made more certain when it was discovered that the company had recently recorded an increase in its sales of insurance products through the distributor. The investigation revealed that an employee from the IT department had facilitated the hacking. He confessed, and revealed that temporary passwords to the sales system were always the same (“Policy 2014”) and that hardly anyone ever changed them – this was enough to obtain customer account data.
Finally, the situation was brought under control. The sales system was secured and sales specialists were properly trained in data and password protection techniques. However, the company’s image suffered. Although much effort was made to keep the case confidential, many clients grew concerned about the safety of their personal data. Nevertheless, it was the sales personnel who suffered the most as their commissions dwindled.
For the latest on business security, be sure to visit F-Secure’s Business Insider.
This is a guest post from an F-Secure fellow. Hi, my name is Matti Aksela…
May 22, 2017
Last week’s WannaCry outbreak caused havoc in many parts of the world before subsiding thanks…
May 18, 2017