In the past year, email account compromises have been steadily increasing according to the July edition of the Beazley Breach Insights Report. In Q2, 2018, 23% of all breaches reported to the BBR (Beazley Breach Response) team were email account compromises.
There were 184 reported cases of email compromises in Q2, 2018. In Q1, 2018 there were 173, and 120 in Q4, 2017. In Q1 of 2017, there were only 45 email breaches. The number of cases of compromised email accounts has increased each quarter since then.
The email account compromises in Q2 2018 were broadly distributed, although the healthcare industry was particularly badly affected. Healthcare email accounts usually contain protected health information, which can be used for identity theft and other types of fraud. The amount of data in email accounts can be considerable. The recent phishing attack on Boys Town National Research Hospital saw the PHI of 105,000 patients compromised.
When hackers gain access an email account, aside from accessing the data stored in it, they can also use the account to conduct further phishing attacks. A hacker could use the email account to send internal email to other employees. Since the emails are sent from within a company they would not be detected by email security solutions.
The hacker identifies a target within the organization, studies the email account holder’s style of writing messages, and crafts messages based around other communications that have already taken place. These internal spear phishing emails are very difficult to detect as malicious and many employees are fooled into taking certain actions such as changing payroll information, making wire transfers, or disclosing sensitive information.
Once access to one account has been gained, it is likely many more email accounts will also be compromised. The key to avoiding this is to prevent access being gained to the first email account. With spam filters in place, the majority of malicious messages are blocked. Employees should also receive training to help them identify phishing emails and two factor authentication will make it harder for hackers to remotely access email accounts.
According to Beazley, users of Office 365 are more prone to email account compromises. Hackers often exploit Microsoft’s PowerShell to login to email accounts for reconnaissance. If a hacker is able to compromise an email account with sufficiently high admin privileges, it would be possible to search all inboxes in the organization. Beazley recommends not allowing third-party applications access to Office 365 as doing can make it easier for attackers to use PowerShell.
Resolving a email data breach is costly because it entails checking all the messages in each compromised account to find out if messages and attachments contain PHI. For a small-scale email breach, the healthcare provider could easily spend $100,000 resolving such an attack. For a larger email breach, the cost could be well over $2 million. The most expensive breaches to resolve are business email compromise attacks.
There was a case study included in the report that showed just how expensive these breaches can be. The breach involved a single employee clicking the link in a phishing email and disclosing login credentials on a realistic-looking website. The hacker then used that account to compromise others in the organization. Investigators found that the hacker accessed 20 email accounts and downloaded 20 mailboxes. The email accounts were searched for PHI using a program, but 350,000 email attachments had to be opened manually and searched. The cost of paying a vendor to do that was $800,000. The company also spent another $150,000 on credit monitoring services and the sending of notifications.
Hacks and malware attacks caused 39% of data breaches across all industry sectors in Q2, 2018 and accidental disclosures were behind 22% of data breaches. In Q2, 2018, hacks and malware attacks fell by 3% compared to Q1, 2018. The reason was determined to be fewer ransomware attacks.
According to the Beazley report, 38% of healthcare data breaches were accidental disclosures – a 29% increase from Q1, 2018. The other causes of healthcare data breaches are as follows: hacking and malware attacks – 26%; insider incidents – 14%; loss of physical PHI – 7%; loss or theft of portable devices – 6%; and social engineering attacks – 4%.