Email marketing automation giant MailChimp fell victim to a major data security breach this week after a phishing attack enabled thieves to steal passwords and login details from MailChimp employees.
The stolen credentials were then co-opted to access MailChimp’s internal account administration tools, after which the cybercriminals stole over 100 subscriber mailing lists from users, as well as business email addresses, website URLs, and other contact data.
To their credit, MailChimp detected the breach at an early stage and took immediate action to close down the access loopholes and inform the contacts of all compromised accounts (133 affected customers) within 24 hours.
Unfortunately, however, this isn’t the first time that MailChimp has been hit by a successful cyber-attack as the same occurred in April 2022. A large number of businesses and individuals were targeted by phishing attacks based on stolen mailing lists.
The problem is that stolen mailing lists could include thousands of personal and business email addresses, phone numbers, and social media accounts – each of which could become the target of identity theft and further attempted data breaches.
A second successful breach in 12 months will force MailChimp to think very carefully about the security of its internal administrative systems and how to properly safeguard customer information from this point on.
The attack also raises broader questions about the security of cloud-based CRMs and marketing platforms in general. With businesses entrusting their service providers with the sensitive personal data of hundreds of customers, to what extent is this trust justified, and what steps can businesses take to reduce their operational risk?
Fortunately, and perhaps surprisingly, these successful attacks on household-name cloud service companies are noteworthy because they are comparatively rare. Cybercriminals target companies like MailChimp, HubSpot, and Salesforce all the time. Even a moderately successful attack could be worth thousands in stolen revenue for a lucky hacker.
Cloud service vendors know this, and consequently invest heavily in the latest security safeguards to stay one step ahead of would-be criminals. By and large, they have been successful in this.
The MailChimp attack was unfortunate for the people involved, but amid the failure, the incident also highlights the success of MailChimp’s rapid response strategy, transforming a data breach on a potentially astronomical scale into a fairly minor incident, affecting only a tiny proportion of MailChimp’s customer base.
Despite the recent breach, we would have no compunction in reassuring MailChimp customers that the operational risk of using the platform is relatively low and is certainly outweighed by the benefits of using the platform.
Reassuringly, HubSpot has an exceptionally strong record on data security, and they are well-known for their commitment to providing best-in-class secure data hosting and reliable cyber security practices. The vendor uses industry-standard data safeguarding services such as Amazon Web Services (AWS) and follows the data protection and security standards of SOC2, PCI, HIPAA, and GDPR, among others.
HubSpot also offers two-factor authentication to all their users and uses 256-bit encryption for all their customer data – precautions that minimise the risk of a successful phishing attack by increasing the number of steps a criminal must overcome before accessing sensitive customer databases.
To date, HubSpot has not reported any data breaches or other security incidents, but they are always reviewing and updating their security systems to remain one step ahead of potential threats.
Businesses across the UK are increasingly relying on cloud-based customer relationship management (CRM) systems. For every successful attack, there are millions of unsuccessful attempts, and security standards across the industry are generally very robust and reliable. As companies survey the benefits of this technology, they must nevertheless consider the security risk implications posed by using a cloud-based CRM system, however negligible.
Key questions for SMEs to consider include not only whether their data is secure but also who will have access to it on the vendor side and how it can be accessed. That is why businesses should evaluate the level of encryption and other safety features that a cloud-based CRM provider offers before opting for such a service. The ability to properly authenticate employee and customer credentials and the ability to encrypt sensitive data are two among many important factors in selecting a trustworthy cloud-based CRM solution – making sure that the confidential information used by the business remains secure even when stored in an offsite location.
To reduce operational risk further, businesses may wish to take out a cyber insurance policy to offset any financial losses arising from data breaches, cybercrime, and computer malware activities. The insurance policy will also cover any legal costs incurred in defending your business against litigation due to a data breach or compromised network if one should occur. Having cyber insurance in place helps businesses maintain their public reputation and credibility as service providers by providing them with the resources to contain and resolve cyber security incidents quickly and efficiently on behalf of their customers.
We take cyber security extremely seriously at JDR and closely monitor the emergence of new technologies, threats, and security assets on the market – as well as the safety record of our software partners. Your customer details and sensitive data are safe with HubSpot. We have every faith in the security safeguards employed by our partners and their record in successfully pre-empting and defeating attempted security incidents – as well as their commitment to continual updates and improvements in meeting future threats.
To find out more about data security and how you can keep your employees, customers, and supply partners safe in the digital economy, please call 01332 343281 today.