5 Security Breaches Caused by Phishing Attacks

Phishing attacks are on the rise. 

In a recent report, Kaspersky detected 129.9 million attacks worldwide in the second quarter of 2019—a 21% increase compared to the first quarter. 

This dramatic increase isn’t surprising as criminals continually learn new ways to break into secure systems. In this case, an attacker creates an email that seems (before further investigation) to be from a legitimate source. Untrained, well-meaning employees can give an attacker their login information or other confidential data before they ever suspect foul play.

Unfortunately, attackers know that phishing scams are the easiest way to get what they need. In Verizon’s 2019 Data Breach Investigations Report, phishing attacks were found to be the top social engineering method used in security breaches. 

In this article, we’ll take a look at five real-world security breaches caused by phishing scams. We also share a few tips on preventing this type of attack. Let’s dive in.

5 Security Breaches Caused by Phishing Attacks

1. Oregon Department of Human Services – Salem, Oregon

In March of 2019, the Oregon Department of Human Services (DHS) announced that a phishing incident had been discovered, exposing protected health information. Nine employees clicked a link in a phishing email, allowing the hacker to access email accounts that contained a total of nearly two-million emails. The breach compromised the data of more than 600,000 patients.

The data included social security numbers, personal health information, names, addresses, and dates of birth.

2. Lancaster University – Lancaster, United Kingdom

In July of 2019, Lancaster University was hit by what the university called a “sophisticated and malicious cyber attack.” Though Lancaster has not reported how many employees opened the phishing email, we do know that the attacker was able to access the 2019 and 2020 student applicant data.

Students’ names, home addresses, email addresses, and telephone numbers were compromised in the breach. The hacker used this information to send fraudulent invoices to those students.

3. Methodist Hospitals – Gary, Indiana

In August of 2019, investigators confirmed Methodist Hospitals’ worst fear. A phishing attack compromised more than 68,000 patients’ information. The hospital did not discover the breach until June when an employee reported suspicious activity in their email account. The investigation revealed that at least two email accounts had been compromised.

The data obtained from each affected patient varied but included the following: names, addresses, health insurance information, Social Security numbers, passport numbers, bank account numbers, electronic signatures, login credentials, dates of birth, treatment information, and insurance information.

4. The University of Wisconsin-Parkside – Kenosha, Wisconsin

In June of 2019, the University of Wisconsin-Parkside was notified of a new bank account. This new account was a result of a phishing attack where an employee was prompted to change the routing numbers of two UW system vendors. Before discovering the issues, the university lost $315,000 in fraudulent bank transfers.

5. Kalispell Regional Healthcare – Kalispell, Montana

In August of 2019, in spite of being recognized for its data-security readiness, Kalispell Regional Healthcare fell victim to a “highly sophisticated” phishing attack. The attack could affect 130,000 patients after hackers sent an email that led employees to enter their hospital accounts’ login credentials.

The breach compromised different data for different patients. It is speculated that the breached data could involve any of the following: names, Social Security numbers, addresses, medical record numbers, dates of birth, telephone numbers, email addresses, medical histories and treatment information, dates of service, physicians, medical bill account numbers, and health insurance information.

How to Prevent Phishing Attacks

Since we can’t control the criminals, let’s take a look at how you can prevent phishing attacks. 

  • Train Your Employees

    Unsuspecting employees who are not trained to identify phishing emails are easily tricked. If they click on a link, open an attachment, or respond to the email, they could be giving the attacker exactly what they need to break into your system.

    Training is by far the most crucial action you can take to avoid phishing attacks. By investing in your employees’ security education, you empower them to take ownership of security best practices. With training, your employees can identify a phishing email and report suspicious activity before any information is compromised.

  • Update Your Antivirus Software

    Keeping your antivirus software updated adds a layer of security. The software will scan files coming into your computer, preventing possible damage. Ensure that your anti-spyware and firewall settings are active.

  • Stay Up-to-Date

    By staying in-the-know, you remain vigilant to phishing attempts. Research common phishing scams so that you’re aware of what security professionals see as the main threats. The more aware you are of what’s out there, the more likely you are to identify a possible attack. 

Learn More

Many organizations are focusing on phishing for the worst reason: they’ve been attacked, and they don’t want it to happen again. Not you, though. You’re going to be ready.

Contact Technology Lab to learn how we design a security program to keep your organization’s information safe.