HealthEquity is a company that manages health savings accounts for about 40,000 companies with 3.4 million unique accounts. Recently, 23,000 of those accounts were compromised by a data breach. The lapse in security was due to the actions of a single employee.
HealthEquity’s situation is far too common and a testament to how difficult it is to fill every gap in your cybersecurity infrastructure. Even with excellent cybersecurity systems in place, a single employee’s inattentiveness can still directly lead to a companywide data breach.
Let’s take a look at how one employee’s negligence led to this massive account compromise and what you can do to prevent this type of situation at your business.
Here’s what happened: on April 11th, an unauthorized person gained access to an employee’s email account. The breach was noticed two days later when malicious activity was discovered in the company’s system. As soon as the security issue was noticed, HealthEquity removed access to the mailbox and hired a forensics firm to confirm the breach did not affect other HealthEquity systems.
How did this employee’s email account become compromised? A simple phishing scam. One ill-judged click on a link, and an entire organization’s credibility is now in question. As of now, there’s been no reporting on what the phishing email said, but apparently it was convincing.
Here’s what HealthEquity’s senior VP of Audit and Risk had to say about the data breach:
“HealthEquity is committed to protecting the privacy of our employers and members, and we sincerely regret this recent event. In response to this incident, we have implemented enhanced security measures, heightened monitoring of impacted accounts and provided additional training for our team members. While we have no evidence to indicate actual or attempted misuse of information, we are offering free identity theft and credit monitoring services to impacted individuals.”
HealthEquity’s response indicates they will do more from here on. More security measures, more monitoring and more training.
But what exactly is more?
It’s critical that your company lays out exactly what the plan is and sticks to a consistent schedule for improving its overall state of security and accountability. Not all cybersecurity plans will look the same, but here are some of the best practices we recommend businesses follow:
- Employee Cybersecurity, Internet Use Policy, and Personally Identifiable Information (PII) Training
- Recurring IT Security Audits, Internal and External Vulnerability Tests
- Third-Party Network Penetration Tests
- Dark Web Monitoring and Alerting for Compromised Business Credentials
- Proactive Workstation, Network and Server Monitoring, Alerts and Remediation
- Endpoint Protection and Next-Generation Antivirus
- Web Application Firewalls (WAF)
- Hardware Firewall with Unified Threat Management (UTM) and industry standard rules
- Web and Content Filtering
- Email Spam Filtering, URL Filtering, Attachment Sandboxing and Data Loss Prevention (DLP)
- Wired and Wireless Network Security Standards, Protocols and Policy
- Bring Your Own Device (BYOD) Policies
- Data and Voice Redundancy and Failover Solutions
- Image and File-Based Backups
- Disaster Recovery and Business Continuity Solutions
If this list seems overwhelming or confusing, you’re not alone. Cybersecurity requires more than many small businesses often realize. Don’t be reluctant to reach out to a managed services provider for help if you’re not sure where to start with your company’s data security plan.
Minimizing Exposed Data
The exposed data includes employee names, HealthEquity member IDs, employer names, HealthEquity employer IDs, deduction amounts and Social Security numbers for employees in two Michigan-based companies first affected by the breach.
According to Tim Erlin of Tripwire, the biggest risk for those affected is identity theft, since some Social Security numbers were exposed:
“HealthEquity seems to realize this fact, and has offered identity theft monitoring services in addition to the usual credit monitoring. The fact that this breach was detected 2 days after it occurred is notable, and a sign that HealthEquity was paying attention.”
For many organizations, the damage would be worse. HealthEquity appears to have an incident response plan in place that helped minimize the fallout.
How to Prevent
There will always be employees that disregard training or have a moment of bad judgment. The only thing your organization can do to prevent those mistakes is to embed good cybersecurity practices into your employees’ muscle memory.
Since employees are the number one threat to business cybersecurity, we’ve written about the subject a lot. Use these articles to help improve cybersecurity buy-in:
How to Reduce Security Risks Created by Your Employees
How often does the average person think about cybersecurity? For most people who don’t work in the technology industry or have never experienced a data breach, probably not very often. If you want to begin improving cybersecurity awareness at your office, start by learning about the following ways you or your employees might be putting your company’s security at risk.
How a Culture of Awareness Could Have Prevented Breach of 1.5 Million Users
Criminal threats take a wide variety of shapes and forms, and knowing how to spot a criminal is the first step to preventing attacks. From C-suite to entry-level employees, everyone needs to do their part to keep your company safe. Security is more than just strong passwords; any public-facing employee should be familiar with common impersonation tactics and how to respond when bad actors surface, even if they’re a friend or colleague.
When any of these red flags are identified, your team needs to submit them to management and your IT team immediately. Quick responses can mean the difference between a successful data breach and a prevented attack. By training your team to be an integral part of your security efforts, you magnify your safety tenfold.
Not sure where to start with cybersecurity training? We can help! Head here to reach out about our free security assessments and to learn how we can bring cybersecurity training to your office.
Written by Nik Vargas