Enterprise security: The easiest data breaches are the hardest to stop

Stealing sensitive data can be as easy as emailing a payroll staff member and requesting copies of everyone's W-2s.
Written by Tom Foremski, Contributor

There's no need to use advanced technologies to hack a large organization -- just hack the staff directory first. More than 21,000 employees of Sprouts, an Arizona-based supermarket chain, had their social security numbers and other personal details exposed, after an employee in the payroll department responded to an email from what looked like a senior executive, asking for a copy of every employee's W-2.

Doug Olenick, at SC Magazine, notes that many other companies have fallen for the same trick:

Sprouts joins Seagate, Snapchat and several other high profile firms that have been hit with a similar attack. Security executives all pointed out the difficulty of preventing socially engineered phishing attacks...

At first glance there seems to be no technical defense against such socially engineered data breaches beyond educating staff about the technique. Even then, phishing emails have become convincing enough that they can be hard to distinguish from a genuine request.

Here are some views from security experts:

Jonathan Sander, vice president at Lieberman Software:

"You will never stop phishing, nor will you make perfect humans who are never fooled by bad guys in some way. What you can do is say that when systems are asked to give people extraordinary privilege to access sensitive information, those systems should be made smart enough to put a check on that power."
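The kind of check Sander describes can be modeled as a policy gate in front of the payroll system: a request to export many employees' W-2s is blocked when the requester's address is outside the company domain (especially when the display name matches an executive, the trick used against Sprouts), and is held for a second, independent approver when the volume is large. The code below is an added example, not from the article or from any vendor's product; the domain, executive names, thresholds and the request format are constructed assumptions.

```python
"""Policy gate for bulk requests for sensitive employee records.

Added example: a "check on that power" for bulk PII exports. Every name,
domain, threshold and request shape here is a constructed assumption.
"""
from dataclasses import dataclass, field
from email.utils import parseaddr

CORPORATE_DOMAIN = "example-grocer.test"   # assumed internal mail domain
EXECUTIVES = {"pat ceo", "chris cfo"}       # assumed executive directory (lower-case display names)
BULK_THRESHOLD = 25                         # assumed: above this many records, two-person approval
SENSITIVE_TYPES = {"W-2", "SSN", "payroll"}  # assumed data types that trigger the gate


@dataclass
class ExportRequest:
    sender_header: str            # raw From: value, e.g. 'Pat CEO <pat.ceo@example-grocer.test>'
    record_count: int             # how many employees' records are requested
    data_type: str                # e.g. "W-2"
    approvers: set = field(default_factory=set)   # addresses that signed off out of band


@dataclass
class Decision:
    action: str                   # "allow", "hold" or "block"
    reasons: list


def classify_sender(header: str):
    """Split a From: header into (address, is_internal, looks_like_exec_impersonation)."""
    name, addr = parseaddr(header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    internal = domain == CORPORATE_DOMAIN
    # The display name says "executive" but the mailbox is not ours: classic BEC.
    impersonation = name.strip().lower() in EXECUTIVES and not internal
    return addr.lower(), internal, impersonation


def evaluate(req: ExportRequest) -> Decision:
    """Decide whether a bulk export request may proceed, and why."""
    reasons = []
    addr, internal, impersonation = classify_sender(req.sender_header)

    if impersonation:
        reasons.append("display name matches an executive but address is external")
        return Decision("block", reasons)
    if not internal:
        reasons.append(f"requester {addr or '<none>'} is not on {CORPORATE_DOMAIN}")
        return Decision("block", reasons)

    if req.data_type in SENSITIVE_TYPES and req.record_count > BULK_THRESHOLD:
        # Self-approval does not count; the approver must be someone else.
        independent = {a.lower() for a in req.approvers} - {addr}
        if not independent:
            reasons.append(
                f"bulk {req.data_type} export ({req.record_count} records) "
                "needs an approver other than the requester"
            )
            return Decision("hold", reasons)
        reasons.append(f"approved by {sorted(independent)[0]}")

    return Decision("allow", reasons)


if __name__ == "__main__":
    # Constructed sample: the Sprouts-style request, sent from a lookalike external mailbox.
    spoofed = ExportRequest("Pat CEO <pat.ceo@mail-example.test>", 21000, "W-2")
    print(evaluate(spoofed))
    # Same request from the genuine internal address, with no second approver yet.
    genuine = ExportRequest("Pat CEO <pat.ceo@example-grocer.test>", 21000, "W-2")
    print(evaluate(genuine))
```

The point of the gate is that it does not rely on the payroll clerk spotting the fake: the decision is made on the sender's actual mailbox domain and on an approval that has to come from a second person, so one convincing email is not enough to release every employee's records.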

Brad Bussie, director of product management at STEALTHbits Technologies:

"As a best practice, personally identifiable information should never be transmitted in an unencrypted format. You want to ensure the integrity and confidentiality of the data related to employees at all times."

Bussie warns that Sprouts employees will likely face years of problems from the "Dark Web."

Many companies offer identity theft protection to people who have had their personal data stolen, but those services typically monitor for fraudulent activity for only one year; Bussie says multi-year vigilance is needed.

"Studies show that the dark web will often light up initially when a company has been compromised, but will then go dormant for a year or more. You will then see a massive resurgence of global hackers buying leaked data under the assumption that a year of scrutiny has expired, and they can get to work capitalizing on the stolen information."

Scammers are constantly developing new techniques to evade financial monitoring services, which means Sprouts employees now face many years of potential problems because of this simply executed attack.
