Plus, more newsbytes of the week including facial recognition tech at Rite Aid and a Netflix scam that wants your credit card numbers
IBM published its annual study on data breaches, which looks at causes, costs of damages, and trends on a global scale. This year’s report found that data breaches cost the victimized organization an average of $3.86M in damages. Healthcare was found to be the industry with the most expensive data breaches, costing victims an average of $7.13M, and the U.S. proved to have the highest costs of damages of any country, paying an average of $8.64M per data breach. “It’s true that in cyberspace, the best way to make quick money is trafficking information – data breaches, ransomware, you name it,” commented Avast Security Evangelist Luis Corrons. “It has become a popular saying that ‘data is the new gold.’”
The study found that 52% of data breaches in the past year were caused by malicious attacks, and a quarter of those were launched as nation state hacker campaigns. Compromised credentials and cloud misconfiguration each caused 19% of all data breaches in the last year. The report also calculated how much victims could save with proper defenses in place, concluding that fully deployed cybersecurity automation could save an organization an average of $3.58M per breach, and an incident response team that regularly tests its response plan could save victims $2M per breach. “Companies of all shapes and sizes are potential victims,” Corrons said. “The main difference here is how prepared they are to react and minimize the damage. All companies should imagine a situation where they have been breached and figure out how they can protect their data in the best way. Focusing all budget and efforts into just protecting the perimeter and endpoints could be a fatal mistake.” Learn more in the full study – IBM Security Cost of Data Breach Report 2020.
Rite Aid cancels facial rec tech in 200 stores
In the wake of a recent Reuters investigation into Rite Aid and its practice of using facial recognition cameras in 200 of its stores, the American drug store chain announced it has canceled the facial rec program and that all the cameras have been turned off. Rite Aid largely deployed the technology in lower-income, non-white neighborhoods, as Reuters found that stores in impoverished areas were almost 3 times as likely to have facial recognition cameras as those in wealthier areas. On shutting down the program after 8 years, a company spokesman commented, “This decision was in part based on a larger industry conversation. Other large technology companies seem to be scaling back or rethinking their efforts around facial recognition given increasing uncertainty around the technology’s utility.”
NIST finds face masks thwart facial rec tech
The U.S. National Institute of Standards and Technology (NIST) published a report this week which the agency says is the first in a planned series of facial recognition tests where the faces are partially covered by protective masks. The study found that even the best among 89 commercial facial recognition algorithms had problems matching photos of people with digitally applied face masks to photos of those same people without masks, turning up error rates between 5% and 50%. Researchers learned that the facial recognition tech was less accurate when noses on the faces were more covered. They also learned that mask color matters, as black masks degraded recognition performance more than light blue masks did. The next round in this test series is planned for later this summer.
This week’s stat
1 million
That's the number of Ledger cryptocurrency wallet owners whose contact details have been exposed by a recent data breach triggered by phishing emails.
Netflix scam directs users to phony site
A new Netflix-themed phishing scam is showing up in the inboxes of users of the streaming service, claiming to be from Netflix Support and falsely informing the targeted victims that there is a problem with their account. The scam tries to alarm users into immediate socially engineered action by telling them that their accounts will be canceled within 24 hours if they don’t update their personal information. A link in the email sends the victim to a functioning CAPTCHA page, which could possibly fool users into thinking the scam is legitimate. After the CAPTCHA page, the victim is taken to a Netflix clone site to input their personal information, including credit card number. Netflix users are advised to be aware. More at BGR.
Avon data breach leaks 19M records
International cosmetics giant Avon suffered a data breach in June due to a misconfigured cloud server that publicly exposed 19 million records including personal information and technical logs. The information comprised 7 GB of data and seems to have been exposed for 9 days before it was discovered on June 12. The data contained info on customers and employees alike, containing phone numbers, birth dates, email and home addresses, GPS coordinates, and more. The technical logs in the data could make Avon itself vulnerable to damaging actions from bad actors, such as ransomware attacks that paralyze the company’s payment infrastructure.
This week’s ‘must-read’ on The Avast Blog
Emotet remains an active threat: The notorious banking Trojan has cropped up again, and this time, there's more to the story. Read up on what you can do to protect yourself.