[BreachExchange] The frustrating aftermath of a data breach at American Type Culture Collection

Audrey McNeil audrey at riskbasedsecurity.com
Fri May 27 14:29:40 EDT 2016


http://www.csoonline.com/article/3075479/security/the-frustrating-aftermath-of-a-data-breach-at-american-type-culture-collection.html

In April, American Type Culture Collection (ATCC) was targeted by a
Phishing attack seeking W-2 records. The attempt was successful, leaving
employees stressed about their finances and the long-term impact this
breach could have on them.

But it's the actions by the company after the incident that have left some
employees feeling as if ATCC's leadership stopped caring.

ATCC does business globally. If someone does any type of biological science
or scientific research, the odds are good they've interacted with ATCC in
some way, including governments, academia, and private industry. Lately,
ATCC has been in the news due to their lung cancer research and research
related to the Zika Virus.

A source familiar with April's data breach shared internal memos and
communications related to the breach's aftermath with Salted Hash.

The reasoning behind the disclosure, according to the source, who asked to
remain anonymous, is that unlike other major firms that have had their W-2
records compromised by a targeted Phishing attack, ATCC managed to avoid
the limelight.

The source felt compelled to share the documents because "all the clients
we serve should be aware [of the data breach] and question how we keep
their data safe."

The memos sent internally are outlined below. However, along with the
communications, there is another aspect to this story – the human one.
While the company was victimized by a criminal seeking W-2 records, so too
were the employees.

At least one staffer at ATCC is still waiting on a tax return filed in
March, and they had to jump through several hoops with the IRS to confirm
their identity. Other employees affected by the breach are said to have had
credit taken out under their names.

In addition, perception is a strong motivator when it comes to workplace
morale. The way this data breach was handled, the source told Salted Hash,
has left some staffers feeling left out in the cold, as they can no longer
get questions answered. In short, they feel ignored and forgotten. That's a
painful feeling considering it's only been just over a month since the
breach occurred.

Salted Hash reached out to ATCC for comment, asking a number of questions
related to awareness training, the protection offerings, and the incident
itself. There was no response. Should that change, this story will be
updated.

April 11 (Monday)

Company sends the first of several notices to employees. The IRS has
informed ATCC that W-2 data for all employees has been compromised. In
response, ATCC will send the IRS a list of staff SSNs in order to flag each
individual as a victim of ID theft. The flag is supposed to prevent
fraudulent returns.

ATCC says that to their knowledge "at this time, the unauthorized access of
W-2 information by identity thieves occurred through a fraudulent email
requesting internal transfer of the information" to Ralph Koch, ATCC's CFO.

The notice says that the federal government is investigating the incident.

April 12 (Tuesday)

A follow-up communication explains that the company was contacted by the
IRS the previous Friday (April 8). A weekend investigation, which ended the
morning of April 12, determined the root cause of the data breach to be a
Phishing email.

"What happened is a fairly common social engineering attack where someone
posing as me [Ralph Koch, CFO] asked for W-2 information. Both HR and
Finance personnel were targeted in recent weeks. Despite awareness training
and reminder emails, we nonetheless failed to detect the attack," the
notice explains.

The notice goes on to reference the fact that many employees have been
contacted by tax authorities in their state indicating irregularities with
their returns. In addition, arrangements are being made in order to provide
credit protection services, if they're interested.

April 15 (Friday)

A third notice from the ATCC CFO informs employees of a SharePoint portal
hosting a FAQ about the Phishing attack. Staff are also told about a
one-year offer for ID theft protection, provided by IDShield.

"We want to assure you that the cause of this issue has been identified and
we are taking steps to prevent this type of intrusion from happening again.
Specifically, we are looking at ways to strengthen our internal data
security protocols and elevate our IT Security Awareness training."

The notice also offers security tips.

It advises employees to challenge and confirm requests for sensitive
company data via email, no matter who is making the request. Employees
should call or meet with the requestor face-to-face to confirm.

Also, requests for such information should be verified by at least two
parties. Moreover, they should engage IT Security before the data is
released.
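As an added illustration of the verification rule above (this is not code from the article or from ATCC), the following triage check holds any emailed request for W-2, SSN or payroll data for out-of-band confirmation, and escalates to "block and report" when the display name matches an executive but the sender domain is external or the Reply-To points elsewhere. The mail domain, executive list and sample messages are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Assumptions (not from the article): the organization's mail domain and the
# executive display names attackers impersonate. Ralph Koch is the CFO named
# in the article; the domain is a placeholder.
INTERNAL_DOMAIN = "atcc.example"
EXECUTIVE_NAMES = {"ralph koch"}

SENSITIVE = re.compile(r"\b(w-?2s?|ssns?|social security|payroll records?)\b", re.I)
URGENCY = re.compile(r"\b(urgent|asap|immediately|right away|today)\b", re.I)


def triage(from_header, reply_to, subject, body):
    """Classify an inbound email that may be requesting sensitive HR data.

    Returns (verdict, reasons). Per the policy in the notice, every emailed
    request for W-2/SSN/payroll data is held until confirmed by phone or in
    person, no matter who appears to be asking; impersonation indicators
    escalate the verdict so IT Security is engaged before anything is sent.
    """
    text = subject + " " + body
    reasons = []
    if not SENSITIVE.search(text):
        return "allow", reasons  # not a sensitive-data request

    reasons.append("requests W-2/SSN/payroll data by email")
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(reply_to or "")[1].rpartition("@")[2].lower()
    impersonation = False

    if name.strip().lower() in EXECUTIVE_NAMES and domain != INTERNAL_DOMAIN:
        impersonation = True
        reasons.append(f"display name matches an executive but sender domain is {domain!r}")
    if reply_domain and reply_domain != domain:
        impersonation = True
        reasons.append("Reply-To domain differs from From domain")
    if URGENCY.search(text):
        reasons.append("urgency language")  # common pressure tactic, not decisive alone

    return ("block_and_report" if impersonation else "hold_for_verification"), reasons


# Constructed sample messages (not the real ATCC emails): (From, Reply-To, Subject, Body)
SAMPLES = {
    "lookalike": ("Ralph Koch <ralph.koch@atcc-mail.example>", "", "W-2s needed today",
                  "Please send me the W-2 for all employees as a PDF. Urgent."),
    "internal": ("Ralph Koch <rkoch@atcc.example>", "", "Payroll records",
                 "Can you pull the payroll records for the Q1 audit?"),
    "benign": ("Jane Doe <jane@atcc.example>", "", "Lunch", "Lunch at noon?"),
}
```

Even the genuine-looking internal request is held, which is the point of the two-party, out-of-band rule: a compromised or spoofed internal mailbox looks identical to a legitimate one.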

April 22 (Friday)

A fourth notice about the incident informs staff that there is a delay in
IDShield registrations. It says more than 200 employees attended optional
data incident meetings that week.

April 26 (Tuesday)

The IDShield registration page, which was supposed to have been operational
the previous Friday, is still not available.

The delay is blamed on glitches in the registration process, and missing
customization. There is no confirmed time for resolution.

As a result, employees are offered a $120 payroll credit, which is said to
be the equivalent of one year of employee-only ID theft protection.

Insufficient response:

When asked about the data incident meetings, the source said the general
feeling was that the meetings were rushed. They were 15 minutes in length,
and included a short Q&A with the CFO. The representative conducting the
meeting was actually from Legal Shield and could not answer specific
questions about the IDShield product.

"They more or less wanted to shuffle us in and out, and it was – to be
honest – not very helpful," the source explained.

Prior to the data breach, ATCC employees received yearly security awareness
training, which is an interactive program that takes about thirty minutes
to an hour to complete. A portion of the training covers different types of
scams that can arise in the workplace, and there is additional training for
those who work with government contracts.

Since the breach was disclosed internally, the source said, there have been
no changes to the awareness programs, and no new additional training
provided. If such changes have been implemented, not everyone is aware of
them.

When the ID theft protection glitches prevented enrollment, employees were
offered a $120 credit as an alternative, should they choose to purchase
their own protection. The problem is, this credit doesn't cover most of the
known services on the market, which run $20 per month on average.

"The ID Shield credit service they recommended covers one of three credit
bureaus, which I did not feel was adequate," a person familiar with the
offer explained.

"Let's face it; the one they wanted us to sign up for is the cheapest
option on the market with sub-optimal customer reviews."

Having read previous Salted Hash articles related to BEC scams and W-2
Phishing attacks, the source said they felt ATCC's response was
insufficient for a number of reasons.

"There was a lack of transparency, timeliness, and follow through," the
source explained.

"The CFO is no longer fielding questions on the matter. He has made
comments such as our information will become less valuable in a year and
this sort of scam happens all the time which shows a general lack of the
severity of the issue. The people who have been affected are still waiting
for tax returns, some of whom were relying upon them for large financial
payments, such as mortgages. Some now have the added stress of restoring
their credit."

Lessons learned:

Again, Salted Hash reached out to ATCC for comment, including emails to
executives directly. However, there has been no response from the company.

The assumption is that ATCC had a BCDR plan already established prior to
the Phishing attack.

If that assumption is true, then the lesson here is that most plans fall
apart the moment they're actually needed. Organizations have to try and
plan for this, and have alternative provisions to deal with shortfalls and
hiccups. Such problems can be resolved by ensuring that BCDR plans are
updated regularly, and fully address actual risk scenarios – such as
Phishing and Social Engineering.

The notion that employees feel there was a lack of follow through on the
incident is a painful reminder that BCDR plans have to include the people
that make the organization function.

They're humans, with real human concerns, that don't go away with the
passing of time. Yes, the stolen information will become less valuable over
time, but that doesn't offset the here and now, and such facts don't make
the issue go away.

In this case, clearly there was a breakdown somewhere. Just over a month
later, employees feel as if they've been forgotten and the solutions
offered didn't really address their concerns.

The truth? Security is hard, but not impossible. Balancing the needs of
people as well as the needs of the company can complicate things, but there
should always be a path available to help both sides move forward.