On March 1, 2021 I wrote a short article about a data breach most people have never heard of. The victim was a company called DriveSure, which provides software to car dealerships that aims to help with customer loyalty through intelligent use of service records and other data.
In the breach, DriveSure’s database of over 3 million consumer records (including email addresses) was stolen and made available on hacker forums. This makes it very likely that these consumers will be targeted with spear-phishing attacks in the future. There are many plausible “pretexts” that an attacker can use, knowing only that they had vehicles that had been serviced at a car dealership.
Checking for publicly announced responses to a breach
Out of curiosity, I decided to follow up on that breach, which occurred in February 2021. I wanted to see whether the company had announced any remedial actions it was taking in response, which would help make it more secure and reduce the risks to its customers (retail car dealerships) and to the end customers who deal with those retailers.
It is fairly easy to check for publicly visible evidence that an organization is committed to fixing the weaknesses that led to a breach.
Best practices for reducing risks after a data breach, in addition to normal remediations
Here are 3 ways that companies who suffer breaches can help their customers immediately…
1- Issue a breach notification press release, and post PR information on the website
A company that experiences a breach is expected to not only notify affected customers, but to make the incident public, so that customers who couldn’t be reached are able to find information about how they may have been affected.
Very little news could be found about the DriveSure data breach after the event, anywhere on the web, and the company’s website doesn’t have any easily found pages or posts that describe the nature of the breach, how it impacted customers, or what they are doing to remediate the situation.
In contrast, some companies are very forthcoming about security incidents, which does cause the bad news to trend for a while, but in the longer term, the transparency and accountability shown usually builds stronger trust among customers.
2- Offer assistance to affected customers.
Normally, when personal data is compromised, the affected company will offer assistance to reduce risks (which would be announced in its PR materials around the event). When sensitive consumer data has been affected, this assistance often includes a year of credit monitoring services from credit bureaus such as Equifax or TransUnion.
Because I couldn’t find any published breach notification about the DriveSure incident, and don’t have access to whatever private communications were sent to their customers, I don’t know if DriveSure offered to pay for credit monitoring services to impacted consumers (customers of DriveSure’s car dealership customers).
3- Review and update basic DMARC settings in DNS to reduce impersonation email attacks
DMARC is published through an organization’s DNS: a TXT record at _dmarc.<domain> tells receiving mail servers how to handle messages whose From: address claims to come from the domain but which fail the SPF and DKIM checks that DMARC builds on. It is not a guarantee against phishing (it does nothing about look-alike domains, for example, and the receiving server has to honour the policy), but a published quarantine or reject policy makes it much harder for attackers to spoof the exact email domain when approaching the organization’s customers or other people who trust it.
The publicly available tool at mxtoolbox.com can be used to test any domain and see whether its settings minimize the risk of the domain being used in phishing attacks that impersonate it. DriveSure’s DMARC settings can be analyzed with this tool at no cost. As of the date of this post, the MX Toolbox tool did not report finding a DMARC record or any DMARC policy in the drivesure.com DNS records. (The same check can be made from the command line with dig +short TXT _dmarc.drivesure.com; an empty answer means no record is published.)
When DMARC is set up properly, a phishing email that claims to be from the trusted domain but cannot be authenticated (neither an aligned SPF check nor an aligned DKIM check passes) fails DMARC, and the receiving server applies whatever the published policy says: p=none delivers the message and only generates reports, p=quarantine routes it to the spam or quarantine folder in the target’s mailbox, and p=reject refuses it outright. A domain with no DMARC record at all gives receivers no such instruction.
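To make the pass/fail logic above concrete, here is an added example (not code from the original post or from Click Armor) that parses a DMARC TXT record and works out what a receiving mail server would do with a message, given the results of its own SPF and DKIM checks. The record, the domains and the authentication results are constructed for the example; the organizational-domain helper is a deliberate simplification (last two labels, rather than the Public Suffix List real receivers use), and the pct= sampling tag is parsed but not applied. The dig-based lookup helper needs network access and is not used by the offline demo.

```python
"""Added example: parse a DMARC record and determine the disposition of a
message that fails (or passes) alignment. Not code from the original post."""
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Defaults from RFC 7489 for tags a receiver needs when they are absent.
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}


def parse_dmarc(txt: str) -> Optional[dict]:
    """Parse 'v=DMARC1; p=...; ...' into a tag dict with defaults filled in.

    Returns None when the string is not a usable DMARC record: 'v=DMARC1'
    must be the first tag and 'p' is required, so 'v=spf1 -all' or a DMARC
    record without p= counts as 'no DMARC policy published'.
    """
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    first_tag = txt.split(";", 1)[0].replace(" ", "").lower()
    if first_tag != "v=dmarc1" or "p" not in tags:
        return None
    for key, value in DEFAULTS.items():
        tags.setdefault(key, value)
    for key in ("p", "sp", "aspf", "adkim"):
        if key in tags:
            tags[key] = tags[key].lower()
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.

    Assumption for this example only: real receivers use the Public Suffix
    List, so 'example.co.uk' is handled correctly there but not here.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match with the
    From: domain, relaxed ('r') only the same organizational domain."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return org_domain(f) == org_domain(a)


@dataclass
class AuthResults:
    """Outcome of the receiver's own SPF and DKIM checks on one message."""
    spf_pass: bool
    spf_domain: str   # envelope MAIL FROM domain that SPF evaluated
    dkim_pass: bool
    dkim_domain: str  # d= of a validly signed DKIM signature, '' if none


def dmarc_disposition(from_domain: str, auth: AuthResults,
                      record_txt: Optional[str]) -> Tuple[bool, str]:
    """Return (dmarc_pass, disposition) for one message.

    DMARC passes if SPF *or* DKIM passed *and* that identifier is aligned
    with the From: domain. A failing message gets the published policy:
    'none' (deliver, report only), 'quarantine' or 'reject'. With no valid
    record the receiver has no DMARC instruction at all.
    """
    policy = parse_dmarc(record_txt) if record_txt else None
    if policy is None:
        return False, "no policy"
    spf_ok = auth.spf_pass and aligned(from_domain, auth.spf_domain, policy["aspf"])
    dkim_ok = (auth.dkim_pass and auth.dkim_domain != ""
               and aligned(from_domain, auth.dkim_domain, policy["adkim"]))
    if spf_ok or dkim_ok:
        return True, "none"
    # A subdomain sender falls under sp= when the record lives at the org domain.
    is_subdomain = from_domain.lower().rstrip(".") != org_domain(from_domain)
    return False, policy["sp"] if is_subdomain else policy["p"]


def lookup_dmarc_txt(domain: str) -> List[str]:
    """Fetch the TXT strings at _dmarc.<domain> with dig (needs network and
    the dig binary; the offline demo does not call this). dig prints each
    record quoted, long ones split as "a" "b"."""
    out = subprocess.run(["dig", "+short", "TXT", f"_dmarc.{domain}"],
                         capture_output=True, text=True, check=False).stdout
    return [line.strip().strip('"').replace('" "', "")
            for line in out.splitlines() if line.strip()]


# Constructed sample data (not real DNS records or mail traffic).
SAMPLE_RECORD = "v=DMARC1; p=quarantine; sp=reject; aspf=s; rua=mailto:dmarc@example.com"
LEGIT_MAIL = AuthResults(spf_pass=True, spf_domain="bounce.example.com",
                         dkim_pass=True, dkim_domain="example.com")
# Attacker sends from infrastructure they control: SPF passes for their own
# domain, but nothing aligns with the spoofed From: domain.
SPOOFED_MAIL = AuthResults(spf_pass=True, spf_domain="attacker.example.net",
                           dkim_pass=False, dkim_domain="")


def demo() -> dict:
    """The cases a phishing target's mail server would see."""
    return {
        "legit": dmarc_disposition("example.com", LEGIT_MAIL, SAMPLE_RECORD),
        "spoof": dmarc_disposition("example.com", SPOOFED_MAIL, SAMPLE_RECORD),
        "spoof_subdomain": dmarc_disposition("news.example.com", SPOOFED_MAIL, SAMPLE_RECORD),
        "no_record": dmarc_disposition("example.com", SPOOFED_MAIL, None),
    }


if __name__ == "__main__":
    for case, (passed, action) in demo().items():
        print(f"{case:16} pass={passed!s:5} disposition={action}")
```

In the legitimate case the strict SPF alignment (aspf=s) fails because the bounce address is on a subdomain, but the aligned DKIM signature still carries the message to a pass; the spoofed message has a passing but unaligned SPF result and no signature, so it is quarantined, and the same spoof against a subdomain hits the stricter sp=reject. The "no_record" case is the situation the mxtoolbox check reported for drivesure.com: the receiver is given no policy to apply.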
I’ll be checking news and website information for other organizations that have suffered security breaches recently, to see if they are following these easily verified practices after a security breach.
Publicising the implementation of a security awareness training program
In addition to the above items, an organization can also show accountability and leadership easily by publicly stating that it is implementing a reputable and effective security awareness training program for its staff. Click Armor’s gamified learning challenges and simulations provide a much more effective way to improve employees’ resistance to phishing and social engineering attacks.
If your organization is looking for ways to show leadership, accountability and a commitment to building a secure team, book a call by clicking on the button below.