U.S. Agency for Global Media data breach caused by a phishing attack
The U.S. Agency for Global Media (USAGM) has disclosed a data breach that exposed the personal information of current and former employees and their beneficiaries. The agency’s mission is to “inform, engage, and connect people around the world in support of freedom and democracy.” USAGM operates broadcast networks, such as Voice of America, Radio Free Europe, Office of Cuba Broadcasting, Radio Free Asia, and Middle East Broadcasting Networks, to deliver news and information to people worldwide.
Chris Hauk, consumer privacy champion at Pixel Privacy:
“Unfortunately, in a case of ‘closing the barn door after the horse has bolted,’ USAGM waited to educate its personnel about the dangers of phishing attacks and to enable two-factor authentication on their Microsoft accounts until after a data breach occurred. This incident underscores the need of any company or agency to educate their employees and executives on the hazards of social engineering or of clicking links or of opening attachments in emails and messages. It is also a lesson in keeping systems secure by enabling two-factor authentication and keeping their systems updated.”
Trevor Morgan, product manager at data security specialists comforte AG:
“Each one of us has a fundamental right to data privacy and has expectations that both private enterprises and governmental organizations will honor that privacy. To do that, enterprises and government agencies must safeguard the PII of every employee and citizen. When we hear of governmental agencies such as the US Agency for Global Media succumbing to a phishing attack, leading to a data breach of highly sensitive information including social security numbers of employees and beneficiaries, we have to wonder how the message about rigorous data security gets missed or overlooked by those who gather, process, and store our PII.
“The harsh truth is this: threat actors will find a way to your organization’s data given enough time and incentive, no matter how fortified your digital environment is. Last-generation data security methods such as protecting borders and perimeters around sensitive data no longer guarantee complete safety. Every business and governmental organization needs to be in the process of actively updating their data security posture to include data-centric strategies, which protect the data itself as opposed to perimeters around it. Protection methods such as tokenization and format-preserving encryption allow organizations to work with highly mobile data without de-protecting it. So, even if that data falls into the wrong hands, threat actors cannot compromise the sensitive information within. That’s an investment well worth exploring.”