For hackers, people are an IT system’s weak link

May 14, 2015

Priyanka Dayal McCluskey and Deidre Fernades originally posted 5-13-15

As big businesses spend millions of dollars to plug holes in their technology and block cyber criminals from databases of private consumer information, hackers are increasingly targeting a different weakness: employees.

They are sending official-looking e-mails to large health systems, banks, retailers, and vendors to try to trick employees into giving up passwords or other credentials. Armed with employee passwords, criminals can access mines of sensitive information and use it to steal identities and commit fraud.


That is how data from about 3,300 patients was breached last year at Partners HealthCare. Several employees responded to so-called phishing e-mails and mistakenly allowed access to patient names, addresses, health insurance information, and Social Security numbers.

It turns out that tricking an employee to give up a password is easier than hacking, cyber-security specialists said.

“They go for the people, the human vulnerability,” said Dr. John D. Halamka, the chief information officer at Beth Israel Deaconess Medical Center. “This is why we’re seeing a massive upswing in phishing.”

Phishing e-mails are blamed for several big data thefts in recent years, including the 2013 breach at the big-box retailer Target Corp., which affected nearly 1 million consumers in Massachusetts alone. One of the biggest bank heists in the world — the theft of $1 billion from dozens of banks around the world, starting in 2013 — began with phishing e-mails, according to Kaspersky Lab, a Russian computer security company with offices in Woburn that reported on the bank breach earlier this year.

During the first half of 2014, there were 123,741 unique phishing attacks worldwide, the most since the second half of 2009, according to the Anti-Phishing Working Group, an industry organization that is made up of security experts and companies affected by such scams. In the health care industry, about 9 in 10 organizations have been targets of phishing attacks, according to the Ponemon Institute, a Michigan research company.

Read full article