5 Takeaways from the Mailchimp Data Breach
Email and marketing services provider Mailchimp discovered in March 2022 that a data breach had occurred. Mailchimp, owned by Intuit, has over 11 million customers worldwide, but the breach was confined to a very small number of customers, who were targeted because they provided access to cryptocurrency accounts.
Here’s what happened.
Some Mailchimp employees fell for a social engineering ploy, and their accounts were compromised. Through these employee accounts, about 300 customer accounts were exposed and the data from their email lists was stolen. Also taken were some API keys, which would allow the hackers to send email from a different platform on behalf of the compromised accounts.
The hackers sent phishing emails to the stolen lists telling recipients they needed to download a new version of the cryptocurrency wallet site Trezor. Recipients were directed to a fake website where they were asked for the security phrase that would open their cryptocurrency wallets.
It has not been reported at the time of this writing whether customer cryptocurrency was actually stolen and in what amounts. Mailchimp’s response to the data breach continues and will certainly include communications to regain lost trust with all of their customers, not just those impacted by the data breach.
Learn From This Breach and Defend Against Similar Cyber Attacks
Whether or not you use Mailchimp, there are takeaways to be gleaned from this incident that can help you defend your organization against similar cyber attacks.
1. Beware of Advanced Persistent Threats
Reports of the incident say that it was discovered by Mailchimp’s security team on March 26th, but that doesn’t mean that’s the day the intruders entered the Mailchimp network.
For a highly targeted attack like this, the cyber criminals most likely had to snoop around for a period of time to find exactly what they were looking for. This is what’s called an advanced persistent threat (APT).
Security tactics that can be used to identify and shut down APTs include managed detection and response and threat hunting, as well as locking the doors to potential intruders by protecting accounts.
2. Protect Online Accounts with Multi-Factor Authentication
Part of Mailchimp’s response to this incident has been to recommend that all users implement two-factor authentication, a form of multi-factor authentication (MFA). This makes it harder for bad guys to take control of online accounts because the second step of the login process can’t be easily replicated.
Whether you’re just now rolling out MFA or you’ve been using it for some time, remind employees what they’re protecting. What may appear to be an inconvenience is actually one of the most effective ways to keep data and access to IT systems safe from intruders.
3. Time for a Data Audit
Do you understand the value of the data you gather and store? And do you know what data your vendors are storing for you?
Take employee information, for example: W-2 and Social Security information is a target for cyber criminals. Likewise, your vendors who provide insurance and retirement benefits also store confidential information about your employees. They need to be just as vigilant about keeping it safe as you do.
Becoming aware of where your data lives is step one. Step two is to have conversations about security.
This is where security frameworks are useful. When you follow a framework, it’s easier to find out whether you and your vendors are on the same page about security. One of the benefits of a security framework like the NIST Cybersecurity Framework is the ability to communicate more clearly about security expectations.
4. Commit to Ongoing Cybersecurity Awareness Training
We don’t know exactly how the Mailchimp employees fell victim to a social engineering scheme. Even with training, people can make mistakes, but keeping security top of mind with ongoing cybersecurity awareness training is a best practice that every organization should follow.
Training should be ongoing, with programs tailored so that people who may be more susceptible to manipulation get more practice.
5. Make Security Policies and Procedures Stick
If employees don’t know how you want them to act in certain situations, how can they meet your expectations for secure behavior? Take your security policies out of your handbook and put them into practice with training and enforcement.
Along with elevating the importance of security policies, make sure that everyone in your organization understands their role in protecting information and access to IT systems. Share with them the potential impact that a data breach could have on your organization and share how everyone is a stakeholder when it comes to preventing cyber crime.
How Secure is YOUR Business?
The Mailchimp data breach is a reminder that everyone is a target for cyber crime. There’s no room for complacency when it comes to preventing cyber crime. If you’re not confident that your cyber security strategy is doing enough to protect you from increasing cyber risks, get a cyber assessment. An assessment will give you the information you need to close security gaps and build a better cyber defense.
About Courtney Casey
In an industry dominated by men, Courtney Casey, Director of Marketing for Accent Computer Solutions, Inc., is making her mark on the world of information technology. Courtney has been immersed in the IT field most of her life and has been molded into the tech savvy expert she is today. She began working for Accent while earning her Bachelor's degree from California State University, Long Beach. Known in the Inland Empire as the "Tech Girl," Courtney is a regular columnist for the region's newspaper of record, The Press-Enterprise. Her columns address topical news trends, new technology products, and offer advice on how to embrace technology or avoid common IT pitfalls.