3 Hacks from 2020 that (Probably) Could Have Been Avoided with Better Security Awareness Training

Posted by Denmark Francisco
January 22, 2021

Share Article

There’s no denying that 2020 was a year of confusion and stress for both individuals and companies alike. 

The COVID-19 pandemic created a playground for bad actors to capitalize on vulnerabilities— particularly, praying on unsure work-from-homers and the newly found security gaps that came with a sudden shift to remote operations. 

Hackers game of choice on the coronavirus jungle gym? Targeted social engineering schemes. But while some companies fell for the employee-focused scams, their lessons serve as a blessing for others— empowering us to learn from their mistakes.

Let’s take a look at three big hacks in 2020 and discover how the cyber bullies played dirty. With an understanding of how they did it and the right resources for your team, we’ve got the secret to strengthening your security in 2021.

The Garmin Ransomware Attack

Sport and fitness tech brand Garmin found themselves in hot water over the summer of 2020 when customers were locked out of their applications and tools from a hard hitting hack. With their website down and an influx of confused users, Garmin quickly discovered they were amidst a ransomware exploit. The company would have to pay a hefty $10 million ransom to gain control back to their website, app, and seized files.

After a month of downtime while Garmin noodled on a solution, the GPS company was backed into a corner. Despite the possibility of penalties, Garmin allegedly rallied financial support from another firm to pay the full ransom. 

While they got their access back after fessing up the fee, Garmin is still trying to understand what information could have been compromised during their system lockdown, despite complying to the bad guy’s demands.

The Need for Security Awareness Training

This ransomware attack limited Garmin’s service providings for weeks, causing instant repercussions with current customers and unpredictable damage to the tech brand’s reputation and future success. 

The reality is, ransomware compromises usually start with a social engineering attack. Hackers often phish employees to gain access to juicy information that could help them breach secure systems. That’s because big name brands usually have top-notch technical security measures, which are hard for cybercriminals to crack. Social engineers often know that with the right pretext they can squeeze important information out of employees, who give them the insights they need to crack passwords or find backdoors in systems— so they can sneak in unnoticed instead of breaking down digital defense.

All of this may have been avoided had Garmin empowered their employees with the right cybersecurity awareness training. With the right insights on what to watch out for, their team could become one of their greatest security assets, instead of a brand’s weakness.

The Twitter Bitcoin Scam

Mid July of 2020, many prominent account holders on Twitter simultaneously tweeted unusual Bitcoin-related statuses. From political figureheads like former U.S. President Barack Obama and then Democratic presidential candidate Joe Biden to notable celebrities and large corporations like Apple and Uber, 130 high-profile Twitter accounts posted about a Bitcoin scam.

The tweets promised followers that if they clicked a link and sent a Bitcoin donation, the generous account holder would double the contribution back. Wait, if I give you $1,000, you’ll send me $2,000 back? How could you say no?

Hundreds fell for the scam and donated their money to these hackers’ shared account, but— as you may have guessed— no money was returned like promised. Once word of this mass compromise spread, many account holders were able to take down the fake posts within minutes of posting, but dozens of users had already fallen for the ruse. Luckily blacklisting the links stopped over 1,000 transactions, totaling over $280,000, from being sent, but enough damage was already done.

The Need for Security Awareness Training

Twitter itself revealed that this flashy attack was the result of a mass social engineering exploit, targeting employees who had high permissions to sensitive internal info. While specific details of the attack weren’t revealed, it’s likely employees were either tricked into sharing important info that gave the attackers a doorway in, or Twitter employees accidentally downloaded malware. 

Twitter’s high-access employees may not have fallen for either had they been involved in deep cybersecurity awareness training. Armed with examples of phishing schemes or a better understanding of the tactics hackers use to manipulate employees, their team may not have been fooled by these hackers’ tricks.

The Universal Health Services Ransomware Attack

Towards the tail end of September 2020, hospital and healthcare companies using Universal Health Services (UHS) software ran into some real problems. Workers across more than 250 hospitals across North America were booted out of their important logins and blocked from getting back in, according to BusinessInsider. To boot, phone lines were compromised and healthcare professionals were left without crucial documentation and communication tools to do their jobs.

All systems were quickly disconnected to prevent further breaches. Staff documented what they could by pen and paper, but most software-reliant operations grinded to a complete halt. At the affected sites, surgeries were postponed and ambulances diverted to other facilities. Chaos ensured for days. 

The compromise was confirmed to be a ransomware attack, like the cyber breach that affected the Garmin case above, where the bad guy locks access to important files until the victim pays a high-dollar ransom. Ransomware attacks on electronic health record (EHR) systems usually average an alarming 15 days of downtime, and UHS was no exception— not getting full functionality back until Oct 12th. While no patient data was compromised in the attack, the disruption was undeniable.

The Need for Security Awareness Training

While it was not confirmed how exactly the breach began and the investigation still continues, ransomware attacks are often the result of social engineering scams. In the case of UHS, this Fortune 500 hospital and healthcare services provider had a 400+ facility network, where a goldmine of data was housed. Luckily, it doesn’t appear that hackers were able to access patient information before they were booted out, but the possibility was too close for comfort.

By requiring cybersecurity awareness training for all UHS staff and users of the interface, they could have drastically lowered their chances of falling for a phishing scheme or clever ruse that helped hackers gain the permissions they needed for a system breach.

A Better Approach to Security Awareness Training

Some companies avoid training programs like COVID because they’ve watched it fail time and time again. 

But what if we told you that we’ve cracked the code and know how to get your team invested in cybersecurity awareness training once and for all?

There are new trends for empowering and exciting your team about your security initiative, and we’ve got them packaged with a bow in our 7 Essential Trends Of Human Risk Management for 2021 guide. Give it a read for free, today. 

Subscribe Now

Additional Reading