“I thought my company had my back until we got hacked, then I learned differently!

In 2013 I worked as the Team Leader SME (Subject matter expert) in the Cybersecurity Division of a major non-profit company. The company had a new employee healthcare company Excellus Bluecross BlueShield Insurance, in Rochester, New York. 

Employees of the company began reporting that they were getting reports from their credit card companies that they were getting unauthorized charges. 

The FBI informed the company that the Excellus Bluecross BlueShield Insurance was a part of a data breach that began in 2013, two years before.
At the time, the breach of Bluecross Blueshield was one of the largest of its kind and exposed more than 10 million clients’ health data and personal information and vendors. Yet, the crime was undetected for more than 20 months by the company or any of the providers. As a result, the cybercriminals had access to names, birth dates, claims history, and financial records.

Your PII is for sale by the “bad guy.”

Personal Identifiable Information (PII) 

The PII is your private information that your company is obligated to protect for you. But you as a part of your job may be required to do also.
The medical information is the prime data for Cybercriminals on the “darkweb” it provides email addresses and the financial history of every employee. Additionally, the data is sold on listserv boards, which enables the creation of a phishing email for that client, allowing the bad guys to gain access to an entire company.

Today’s ransomware breaches begin with emails containing attachments that launch a malware virus that reconnaissance the company servers before the attack.
The breach of Bluecross and Blueshield began with Cybercriminals gaining access to employees’ passwords; many did not even use a secure password. Next, clients connected to their home emails that installed malware that infected their work computers. Finally, the contractors hired by companies were subject to spearphishing email attacks that allowed the cybercriminals to gain specific information like human resources, network connections, and applications.

Most companies offer training to employees to guard against phishing and password theft and how to maintain a secure system, but I found clients that rejected the courses.
Most clients’ privacy issues can be managed by simple measures on their computers and phones. However, clients first must accept that they are subject to cybercrime daily and that simple thing like a password with two-stage authentications that are changed periodically protects best.
The use of encryption in email works best when sending data that contains attachments. Suspect emails with attachments should be referred to IT support for evaluation. Clients learn not to share company email files with their email on their home computer or establish remote connections between the systems. The antivirus on the computer needs to be running consistently and all application updates fully installed and running.

Your company default internet browser should not be altered unless approved by IT support. The reason is that your companies cybersecurity may have software used to track adware and spyware used by cybercriminals to track your activities.

Applications for remote meetings like Zoom and M.S. Team that connect via your internet browser are a new target of hackers to access your privacy, stealing your digital image for extortion and blackmail.

On January 24, 2022, Actress Olivia Munn was in an AAPI meeting that was attacked. The hackers were able to access a live zoom meeting through her phone. But cybercriminals can make the same attack in your company systems. 

Your data privacy is not automatic from your company, so the same safeguards you use for the company have to maintain on the systems and applications at work.