Undercover: The Company that Did Everything Wrong
A comical, yet sad visit to one company that had suffered a data breach (Part 1)
February 11, 2009 — CSO
The plane landed late afternoon at a small airport in California that looked like it could have been a scene from a 1960s movie. My team and I walked down the metal stairs (no Jetway at this airport) and across the tarmac to the one-and-only baggage claim carousel.
After gathering our luggage, we got into our rented cars and headed to the client site, where the CISO would be waiting for us.
We arrived shortly before 5 p.m., got our badges at the security desk and our contact came out to escort us inside. "Michael" is the CISO at "Client X" and the stress of the last few days has worn heavily on him. He looked like he hadn't been home in a couple of days. His clothes were badly wrinkled, his face sported a two-day-old beard and his eyes were red. He escorted us into his office and updated us on the situation.
"Two days ago," he said, "a number of people at the company, including corporate executives, their secretaries, HR personnel and others, were the victims of a well-orchestrated, well-researched spear phishing attack. The e-mail contained a message talking about a very specific program where Client X had just won a bid with the government. At the end of the message was a link that purported to be on our internal network, though it wasn't. It linked to a site outside the company. Most of the recipients did not open the e-mail because they said it had a strange feel, but unfortunately a few of them did. Of those who opened it, most clicked the attached link. Unfortunately, the information security and information technology functions here are separate and report up two different chains of command. Days passed and no one was aware of what was happening. But then I got a phone call telling me that we were under a full-scale attack."
I asked: "What kind of attack are you facing and how do you know?"
In fact, Michael said, his team at first had no clue as to what was afoot. They lacked the equipment to detect a breach and, even if they had owned it, lacked the people to monitor it. He told us his staff consists of one full-time employee and one half-time assistant who is shared with the help desk. The company was informed of the breach by a government agency that was able to watch the contents of one of the company's hard drives fly across an Internet connection that the agency was monitoring.
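The lure Michael describes relied on a link whose visible text looked like an internal address while its real target was outside the company. The following is an added example, not code from the article or from Client X, of a mail-gateway check that flags exactly that mismatch; the internal domain name and the sample message are constructed for illustration.

```python
# Added example: flag <a> tags whose visible text names an internal host
# while the href points somewhere else (the spear-phishing lure described above).
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAIN = "intranet.clientx.example"  # assumed placeholder for the real internal domain


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-case hostname of a URL or bare hostname; '' if it cannot be parsed."""
    try:
        return (urlparse(value if "://" in value else "http://" + value).hostname or "").lower()
    except ValueError:
        return ""


def _is_internal(host, internal_domain):
    return host == internal_domain or host.endswith("." + internal_domain)


def find_deceptive_links(html_body, internal_domain=INTERNAL_DOMAIN):
    """Return hrefs whose displayed text claims an internal host but whose target is not internal."""
    collector = _LinkCollector()
    collector.feed(html_body)
    return [href for href, text in collector.links
            if _is_internal(_host(text), internal_domain)
            and not _is_internal(_host(href), internal_domain)]


# Constructed sample message: the first link lies about where it goes, the second does not.
SAMPLE_EMAIL = """<p>Details on the award are posted on the program page:</p>
<a href="http://203.0.113.10/login">https://intranet.clientx.example/programs/award</a>
<p>Questions? See the <a href="https://intranet.clientx.example/hr">HR portal</a>.</p>"""
```

Links whose visible text is plain words ("HR portal") are not flagged by this check; it targets only the case where the displayed address itself impersonates the internal network.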