Experian, a major credit bureau, fell victim to a social engineering attack between May 24, 2020, and May 27, 2020. The attacker posed as a legitimate client representative to request services from Experian employee(s). The request led to the release of private data for over 24 million South African consumers and 800,000 businesses, including ID numbers, telephone numbers, and physical and e-mail addresses.
According to Business Insider South Africa, Experian detected the leak on July 22, 2020, 57 days after the leak occurred. The credit bureau worked quietly behind the scenes to identify the actor, obtain the proper legal documentation, and seize and delete all stolen data from the actor’s hardware before making the breach public.
The entire incident took 87 days from the initial breach to recovery and containment.
In Experian’s case, the malicious actor used a common social engineering technique, phishing, to target the organization’s employee(s) and pose as a client requesting sensitive data. Such requests are typically for data, restricted access, or access to funds, and rely on pretexting, impersonation, power plays, and other psychological manipulation techniques.
According to this clip by VerSprite CEO Tony UcedaVélez, “Many organizations worldwide are ill-prepared to fend off these types of techniques because their investments in security awareness training alone and pen testing don’t really cover the scope of these types of exercises.”
Even when organizations invest in security awareness training, many do not follow up the training with Red Teaming exercises to test its effectiveness. This gap in training validation leaves organizations banking on the hope that their training and networks can withstand attacks. As seen with Experian, when training is not validated and proves ineffective, major business implications and reputational damage can follow.
IT industry leaders often see Red Teaming as a commodity that security budgets cannot afford. This perception often forms after an organization has engaged security teams to perform Red Teaming in the past and received a “systematic,” almost checklist-style approach to testing security effectiveness.
This style of Red Teaming is a commodity. VerSprite does not approach exercises systematically. Our Red Teaming professionals push the boundaries by thinking like the criminals who would commit crimes against organizations, creating unique Organizational Threat Models and going outside the box to attempt to gain access to private company data. Organizations can then use the findings of VerSprite’s professionals to close any gaps before attackers exploit them.
When used in this fashion, Red Teaming becomes a vital tool for securing the cyber, physical, and employee attack vectors that criminals rely on to breach organizations like Experian. Schedule a call with our professionals for more information on how VerSprite’s Red Teaming services can help you.