No one thought it was possible, a company the size of Chipotle actually got hacked in March! You know that place you might sometimes eat at during your lunch break, yes they got hacked. The techniques used to infiltrate Chipotle’s systems and steal data could happen to anyone. Regardless of their security suite. Between March 24 and April 18 hackers successfully stole an unknown amount of customer credit card data from a majority of Chipotle’s 2,250 restaurants across the United States. The information collected included account numbers and internal verification codes. The data was enough to drain any debit card linked accounts caught in the dragnet attack. This was achieved with a network wide malware that collected customer information as they swiped their cards. Due to Chipotle’s data collection policy there was no way that they could inform customers if their accounts had been captured. Instead Chipotle has placed the responsibility of verifying if there was a compromise to customer accounts, well, in the hand of its customers.
You may be wondering how this all happened, given that information security seems to be a popular topic of conversation in executive meetings. Chipotle was no exception and had a robust information security system installed. So what caused the breach that allowed malware to infect their systems? It can all be traced back to one word: phishing.
So how did an attacker get past the enterprise grade security system and install malware on Chipotle’s network? According to two cybersecurity researchers, this was caused by malware embedded in an email attachment titled: ‘payment overdue’. On February 22, a Chipotle employee received an email from someone named Michael Smith. The body of the email claims a payment was due to them, although no such liability ever existed. The email stated step by step what the receiver had to do in order to see more details and fulfill the payment. The receiver followed each instruction because the email seemed legitimate. The instructions were to open up a file in Microsoft office and accept all the warnings. This allowed malware to infect the computer in Chipotle’s Tulsa, OK office. The malware then spread to their network, and the rest is recent history. The investigation is still ongoing, however this is the latest that has been revealed.
Now dealing with the fallout, Chipotle is having to spend more on its marketing efforts after food safety concerns back in 2015 and 2016. This data breach has had a continued impact on their brand. While their investment in marketing has increased, confidence from investors and analysts have decreased. This breach has caused more financial repercussions than accounted for.
So what was the security failure that allowed this to happen? It was human error.
The Underlying Threat
What happened above is what’s called phishing. As a small business owner, this term is one of the most important to know. Phishing is simply tricking people into providing sensitive information with deceptive tactics. The act of phishing is as old as the internet and is still a very effective means of stealing information. Over the years, phishing became very targeted and has been able to fool even CEOs of major companies. Targeted phishing is calculated, well researched, and precise. The knowledge required for targeted phishing blends together an understanding of markets, business, and human behavior.
Security firm Vanson Bourne states targeted phishing can cost an organization up to $1.6 million per attack. Additionally, 84% of the respondents to Vanson Bource’s survey admit falling victim to a target phishing attack. Chipotle has become another victim of a very planned out and coordinated attack. Phishing is dangerous because a cyber criminal’s end goal is access to data which often happens with an employee or manager providing the credentials to complete the breach. With someone’s credentials in hand a criminal can easily bypass any security setup, because they are logging into the system as a legitimate user.
Lessons for Small Business
Ask any of your employees about what comes to mind when they think about phishing? It will likely be centered on emails with bad graphics and terrible spelling. However in the case of Chipotle and many targeted phishing attacks phishing is far more advanced. Now phishing is a dangerous combination of malware and deceptive presentation.
Above there were a few things that could have prevented the massive breach at Chipotle which include employee education, sensitive data procedures, and email monitoring. Let’s go through each one:
As stated above, the employee not only opened the message, but downloaded the attachment and followed exactly what the email instructed. This could have been prevented with a comprehensive security education program centered on how to recognize a modern phishing email. It is important to remember that education is not a one-time event, it is an active process. However you decide to design your security education program; be sure that it continuously brings employees up to speed on modern forms of phishing and what they can do to be safe.
Sensitive Data Procedures
While reading how the breach happened, did you catch another important security failure? The employee acted alone without verifying with anyone about the account. Additionally the file was downloaded and opened in Microsoft Word with macros disabled, allowing the malware to install itself. All of these events were poor sensitive data procedure management, in addition to a lack of security training. The best defense against targeted phishing attacks is to develop a very specific process or protocol which sensitive data requests must go through in order to release it. Selecting a distribution channel for the sensitive data as well would help identify phishing efforts on email.
Final lesson to draw from this is the need for email monitoring. The thief in this situation was not on any contact lists in the organization and was unknown. Despite not being on a shared contact list, their email still got through and reached its target. If email was being monitored the phishing attempt could have been dealt with much sooner or even outright prevented. Email monitoring provides security benefits, but can also provide valuable behavioral insights about your employees and business. If you’re in an industry where you need to meet some compliance requirements, email monitoring can ensure that is happening as well.
The Chipotle story is far from over and new information will likely be coming out for months about it. However, based on what we do know at this moment they face a problem that every business could face regardless of size. As a small business owner you may be more impacted by a cyber attack than a large corporation. In fact, a recent study indicated that 60% of small companies that suffer a cyber attack of some kind are out of business within 6 months. So it is best to do everything you can to protect yourself and your employees.