Data breaches have become major news topics, and with good reason. These incidents have major implications not just for the businesses affected, but also their employees, their corporate partners and, most importantly of all, their past and current customers. All of these breaches vary in terms of their impact, but many have one key element in common: the human factor. Far too often, data breaches occur that were entirely preventable, if only employees or other authorized personnel had greater information security awareness.
The recent Rogers Communications data breach is a useful case in point. While certainly not the biggest data breach in recent memory, this incident demonstrates how a seemingly small employee error can have significant consequences in the realm of cybersecurity.
A serious breach
The breach was the result of a phishing attack directed at one of Rogers’ IT support agents. This employee was tricked into revealing an account manager’s confidential details. This in turn allowed the cyberattacker to access Rogers’ internal records – specifically, information regarding dozens of mid-sized business accounts, according to The Globe and Mail.
The cyberattacker subsequently used this access to get hold of numerous contracts managed by the compromised employee. The hacker then used Twitter to publicly post a zip file containing these contracts along with a number of emails between Rogers personnel.
In a statement, Patricia Trott, a spokeswoman for Rogers, acknowledged that pricing details were revealed in the breach, along with business names, addresses and phone numbers. However, she emphasized that the hacker did not access any personal financial information, The Globe and Mail reported.
Nevertheless, this is clearly a significant, serious breach for the targeted company. Rogers was forced to contact all affected clients, informing them of the breach. Naturally, this will have a negative impact on these business relationships, and will likely cause some clients to sever ties with Rogers.
Even more impactful is the media attention that this incident generated. As is now almost always the case, the Rogers data breach received coverage from a range of prominent media sources. In addition to The Globe and Mail, other publications that covered the incident included The Huffington Post, IT World Canada and more. A prospective customer researching potential service providers will quite certainly come across these reports, making that decision-maker far less likely to choose Rogers, simply for fear of the potential cybersecurity consequences.
In these ways, a data breach – even a relatively small-scale one – will almost certainly inflict both immediate and long-term damage to a company’s customer relationships and reputation.
Human error and cybersecurity
With that in mind, it’s worth taking a closer look at how human error led to this particular data breach. As mentioned above, the cyberattacker used phishing techniques to trick a Rogers employee into revealing sensitive information.
This is a common tactic. Cyberattackers know that with relatively minimal effort, a phishing scheme can yield major dividends. Critically, phishing attacks completely avoid a company’s traditional defenses, such as firewalls and anti-malware programs, yet can still gain access to the most sensitive corporate data and assets.
Consequently, businesses in every industry need to take steps to prepare themselves for this growing threat. And really, the only action that a firm can take in this area is to invest in security awareness training for all personnel. Employees must understand how to distinguish between legitimate email messages and those that seem suspicious. As this incident and many others have demonstrated, this is a challenging task. With cybersecurity training, though, workers will gain the knowledge they need to protect themselves and their companies from the threat of phishing cyberattacks.