Jurgen Erm, head of the Estonian cybersecurity firm CYBERS, says the January cyber attack on the customer loyalty database of the Apotheka pharmacy chain should have been made public earlier.
“First of all, there’s no need to point fingers here; any company, even with top cybersecurity, can fall victim to such an attack by bad luck. Unfortunately, there is too little information in this case to draw any fundamental conclusions. In any case, collective protection is a crucial component of cybersecurity, and it is manifested above all in a general awareness and willingness to share information that may help someone else avoid becoming a victim. The details of the attack need to be talked about,” Erm said.
As far as is known, there was no highly sensitive information such as passwords or protected health data among the data stolen. However, it is possible to develop further attacks based on the data that did leak, he said.
“Since pharmacies sell a number of products that inherently require a delicate approach, such massive information about their purchase opens up the possibility of, for example, vulgar blackmail or influencing. Based on this data, it is also possible to enhance, for example, fraudulent calls or emails — by examining someone’s purchase history, specific information can be interspersed with lies to appear more reliable,” Erm said.
The cybersecurity executive recommends that everyone affected by the breach should definitely familiarize themselves with exactly what personal data leaked.
“This option is available to everyone, and instructions for it have now been sent via email. However, since the attack occurred in January, the window for such attacks has been open for over two months. With today’s information, perhaps many can be more vigilant, and therefore, the criminals’ opportunity to personally attack someone is smaller. It should also be considered that the database may end up on some more public black market via the dark web,” he said.
Erm said that, first of all, he would like to see more details published about the attack.
“This would make other companies smarter and more knowledgeable about how to improve their systems, and perhaps avoid a similar incident happening again in the future. Even if at first it seems that talking about an attack causes reputational damage to the company, with honesty and openness it is actually possible to show that one cares. Disclosure creates a prerequisite for more effective collective protection. Because cybersecurity matters to all of us,” the executive added.
Source: BNS