Incident of the Week: Impact Mobile Home Communities Breached
One of the largest owner-operators of manufactured housing communities in North America experienced a data privacy breach on July 3, 2019. Although Impact Communities isn’t aware of any misuse of the data, they have invested in employee training and security technology to prevent future breaches.
After suspecting unauthorized access to one of their employees' email accounts, Impact Communities hired a computer forensic firm to get to the bottom of the breach. It was determined that multiple employee email accounts were compromised between July 1, 2019 and July 31, 2019. Strategic details of the attack have not been released, nor has the number of victims.
Due to the nature of the breach, it was impossible to determine which confidential and sensitive information fell into the hands of the perpetrator. Therefore, Impact Communities was tasked with the difficult job of combing through every email during the affected time period to determine the entirety of the breach and identify those affected.
On February 7, 2020, Impact Communities began tracking down and providing notice to those whose information was vulnerable during the attack. Such information included but was not limited to name, date of birth, Social Security number, driver’s license number, and credit or debit card number. Both employees and clients were affected.
Via their website, Impact Communities stresses the importance of the safety and care their clients receive. As an extension of that, despite the lack of any evidence of the leaked data being leveraged for nefarious purposes, Impact Communities is offering complimentary credit monitoring services to those who were affected by the breach. They have also reported the incident to applicable state regulators and attorneys general.
The state of phishing today
A Valimail fraud report from July 2019 estimates that more than 3 billion phishing attempts are made every day. Phishing scams usually work by enticing an email recipient to open an included link. That link releases nearly invisible malware into the system, which combs for confidential data. However, phishing schemes are increasingly sophisticated and are easily disguised as everyday business transactions. The number of phishers has increased as well. In fact, technical know-how is no longer a barrier to entry for scammers. Phishing kits can be purchased on the dark web.
How to prevent phishing in your organization
While Mobile Home Communities didn’t release information on the exact type of training their employees are receiving in order to resist future phishing attacks, common techniques include creating, educating on, and following best practices; deploying anti-phishing pen tests; and regularly retesting.
Train employees to recognize telltale signs of phishing. Those signs include long, jumbled, and/or strange URLs and a lack of personalization. Additionally, as with phone scams, encourage employees to go directly to the website the email claims to originate from, as opposed to clicking on the provided link. It is important to always use caution when opening an attachment or link, even if it appears to be from a trusted source. Phishers can guess or do research on vendor partners and associates in an attempt to appear like a trusted source.
Anti-phishing pen tests
Purchasing or hiring pen testing services takes the guesswork out of how to vet your employees for phishing susceptibility. These tests are customized to the size and type of business. They also include the most current phishing strategies and tactics. Even the most aware employee falls victim to phishing, so tests provide both a mirror into company weaknesses and a reality check to those who fail. It also helps to test frequently in order to ensure that employees remain diligent and to stay on top of new phishing strategies.
Responding to a breach
Phishing is both preventable and inevitable. Impact Communities exemplifies the correct steps to take after a breach, including hiring the big guns to source and secure the breach and offering free credit monitoring and peace of mind to their clients. Security helps prevent breaches. Transparency helps heal them.