Cybersleuthing: A peek at Oregon's new security breach database

Oregon’s rules for data breach reporting changed a year ago to require businesses and government agencies to notify the Attorney General's office when a breach occurred impacting more than 250 Oregonians. The breaches are then logged into a public database, which lists suspected breach dates and a copy of the notice sent to consumers explaining what happened.

Sixty two companies have filed reports as of Nov. 28.

If that number seems low it’s partially because the reporting requirements don’t include intellectual property theft or cases involving ransomware, says cybersecurity consultant, Charlie Kawasaki, CTO of communications systems manufacturer PacStar and an entrepreneur in residence for computer science development firm Galios.

“But it also may be that organizations aren’t aware of the reporting requirements yet,” Kawasaki says. 

To learn more about different types of breaches — and what businesses can do to prevent them — Oregon Business asked Kawasaki and Isaac Potoczny-Jones, CEO of Tozny, a Portland data encryption company, to talk us through three breaches listed on the new state data base. 

National Wholesale, 14,281 customers affected

The breach involved harmful code inserted into the company website. 

In this case, hackers take their own code and attempt to get the website to recognize it — often by mimicking a login that the website can’t view and executes. At that point, hackers can record keystrokes and learn employee logins, gaining access to the company server and data.

“Once you can get a website to accept your code, you own it,” Kawasaki says.

Unfortunately, that’s something almost anyone with access to Google could attempt, he adds.

“If you want to learn how to hack, there’s all these instructions,” he says.

As with most data breaches, this too is hard to detect.

“Prevention is actually by far the cheapest way to mitigate,” Potoczny-Jones says.

Hiring good programmers, keeping software up to date — yes, that includes Adobe — and hiring security professionals to preventatively check systems is the best way for businesses to stay secure.

"Once you put your website up anyone in the entire world can access it,” Kawasaki says. “It needs to be engineered in a way that’s very, very secured so that people can't break into to it.”

Kaiser Permanente 

The Kaiser breach involved a cache problem. Web browsers typically store preloaded pages of sites for a quicker response. But that creates a problem when personal information is stored in the cache.

In Kaiser’s case, users health records were likely accidentally cached after a site update. Kawasaki noted the breach lasted only a few hours and occurred in the middle of the night.

“What happened in this case is Kaiser Permanente either made an error in the way they set up their cache or maybe have the network set up not to cache and they missed one,” he says. “So they ended up with customer pages fully accessible in the cache. It’s easy to have a typo and all of a sudden you have a breach.”

Because of the quick resolution, Kawasaki suspects KP found the breach themselves, likely saving any consumer data from exposure. 

Puppet Lab 

According to the state data base, a Puppet employee was a vicitim of a phishing email. These are common and difficult to guard against, Kawasaki notes.

Kawasaki himself, for example, recently received an email from the CEO of a company he consults with — or at least it was designed to look that way.

“It was really well crafted,” he says, down to masking the email address with the CEO’s real email and including the “Sent from my iPhone” signature at the bottom. “It’s completely understandable how someone would fall for that.”

Potoczny-Jones received a possible phishing email just an hour before our meeting. The email asked for participation in a survey. It could have been real, he says, but there were a few indicators that signaled otherwise. Different sender email addresses and link domains, for example.

“Even though it doesn’t take a hacker to do, [phishing emails] are some of the most powerful,” Potoczny-Jones says. “Because humans are the weakest link.”

These types of emails often ask a user to click a link or fill out personal information on a secondary site. In doing so, hackers gather data and are often able to download malicious software onto the user’s computer, thus gaining access.

***

Oregon’s breach database does not register instances of ransomware. Ransomware is a type of malicious software that prevents access to a computer system until a payment is made. The code is often crafted to mimic the Department of Justice. (It should be noted the DOJ does not take over computer systems seeking payment.) 

Kawasaki and Potoczny-Jones say this type of problem is growing but is rarely reported for the same reasons people are unlikely to report a crime: victims fear they did something nefarious to deserve targeting.

This form of attack occurs on many virtual platforms. The San Francisco train system fell victim on Nov. 26, one of the busiest shopping days of the year. Ransomware shut down the ticketing system, forcing the agency to let passengers ride for free until they were able to resolve the problem.

What’s the next big threat on the horizon? Potoczny-Jones says the Internet of Things is causing a new target for hackers. The more connected we become, the more pathways there are for hackers to follow.

The takeaway?

According to a Mandiant study, nearly 70% of companies that are attacked don’t know until someone else tells them. Most of those are small businesses.

Many small enterprises think they don't have enough users or sensitive informtion to warrant being targeted by hackers, Potoczny-Jones says.

"But you do have a bank account and your employees’ social security numbers somewhere. Most people are handling sensitive information,” he says. “I think too often people convince themselves they aren't an interesting target. If it’s worth their time to attack, it’s worth your time to try and protect yourself.”