A Data Breach at a Live Event Equipment Manufacturer Reveals Employees' Personal and Financial Data
Last week, TAIT Towers Manufacturing LLC, a manufacturer of equipment for live events and concerts that has worked with the likes of Lady Gaga and Taylor Swift, issued one of those statements where it has to explain how it takes data security very seriously. As many of you probably know, companies do that only after they've suffered a data breach.
The attack actually took place some four months ago in February, but the company didn't learn about it until April 6. After it was made aware of the breach, it immediately started an investigation, which is still ongoing. Nevertheless, TAIT was kind enough to share with us (and the people who were directly affected by the attack) what happened.
Hackers compromised a TAIT server and employees’ email accounts
On February 16, an unauthorized party compromised one of TAIT's servers and the email accounts of some of the company's employees. Once inside, the hackers got access to quite a lot of personal details of TAIT personnel, including names, physical and email addresses, dates of birth, Social Security numbers, and financial account numbers. TAIT closed the breach, hired a cybersecurity company to help with the investigation, and started working on implementing measures to ensure that similar incidents don't happen in the future.
The company is adamant that it has seen no evidence of any of the data being misused, but to be on the safe side, it's ready to provide affected employees with identity theft protection services free of charge. The statement gives plenty of details on what people need to do to take TAIT up on that offer.
Too many pieces of the puzzle are missing
As we mentioned already, the investigation is still ongoing, which suggests that even TAIT hasn't got the full picture yet. That being said, so many details are missing from last week's statement that the number of raised questions exceeds that of the answered ones.
We don't know, for example, how many email accounts were attacked. There's no information on the number of affected employees, either, and we don't even know if the attack targeted people in one specific region or whether it affected TAIT's offices across the globe. The method hackers used to compromise TAIT's IT systems is also unknown, which means that it's difficult to say how sophisticated the adversaries are and how bad the consequences could be. This is not the only problem.
About that “we take security very seriously” statement
Companies are often criticized for furnishing their data breach notifications with a boilerplate sentence that doesn't do a very good job of convincing people that the attacked organization "takes security very seriously." The statement doesn't really bring any value to the notification, and in some cases, it seems downright hollow.
For example, the people in charge of TAIT's security made the exact same claim, yet they failed to ensure that the company website loads under HTTPS by default. They also bragged about the multi-factor authentication system they've introduced. Multi-factor authentication has been around for years, and it has proven itself as the simplest way of ensuring better data protection. Given the sensitivity and the volume of the data TAIT is handling, the company should probably have thought about implementing it before the cybercriminals attacked rather than after.
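The "loads under HTTPS by default" point above is one that anyone can verify for their own site. The following is an added example (not code from the article or from TAIT) that judges a site from two captured responses: the answer to a plain-HTTP request for the site root and the answer to the HTTPS request. It assumes you already have the status code and headers from any HTTP client, so it runs offline on constructed sample responses, and it uses a one-year HSTS max-age as its own threshold for an adequate policy.

```python
"""Does a site load under HTTPS by default?  Added example, not the article's code.

Assumed inputs: (status, headers) pairs captured from a plain-HTTP and an HTTPS
request for the site root.  No network access is performed here.
"""
from urllib.parse import urlparse

ONE_YEAR = 31536000  # seconds; the max-age floor this example treats as adequate


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797 directive syntax)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(val.strip().strip('"'))
            except ValueError:
                policy["max_age"] = None  # an unparsable max-age makes the header void
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def _header(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    for key, val in headers.items():
        if key.lower() == name:
            return val
    return None


def assess_site(host, http_response, https_response):
    """Return a verdict dict: https_by_default, hsts_ok and a list of findings."""
    findings = []

    # 1. The plain-HTTP response must redirect to HTTPS on the same site.
    status, headers = http_response
    target = urlparse(_header(headers, "location") or "")
    redirected = (300 <= status < 400 and target.scheme == "https"
                  and (target.hostname or "").lower() in (host, "www." + host))
    if not redirected:
        findings.append("plain-HTTP request answered with status %d and no redirect to https://%s"
                        % (status, host))
    if _header(headers, "strict-transport-security") is not None:
        # RFC 6797: user agents ignore an STS header received over insecure transport.
        findings.append("HSTS header sent over plain HTTP, where browsers ignore it")

    # 2. The HTTPS response should pin future visits to HTTPS via HSTS.
    status, headers = https_response
    hsts_ok = False
    hsts = _header(headers, "strict-transport-security")
    if hsts is None:
        findings.append("HTTPS response carries no Strict-Transport-Security header")
    else:
        policy = parse_hsts(hsts)
        if policy["max_age"] is None:
            findings.append("HSTS header has no valid max-age, so it is ignored")
        elif policy["max_age"] < ONE_YEAR:
            findings.append("HSTS max-age %d is shorter than one year" % policy["max_age"])
        else:
            hsts_ok = True

    return {"https_by_default": redirected, "hsts_ok": hsts_ok, "findings": findings}


# Constructed sample responses (not captured from any real site).
WEAK_HTTP = (200, {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=300"})
WEAK_HTTPS = (200, {"Content-Type": "text/html"})
GOOD_HTTP = (301, {"Location": "https://www.example.com/"})
GOOD_HTTPS = (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"})

if __name__ == "__main__":
    for label, http_r, https_r in (("weak", WEAK_HTTP, WEAK_HTTPS), ("good", GOOD_HTTP, GOOD_HTTPS)):
        verdict = assess_site("example.com", http_r, https_r)
        print(label, verdict["https_by_default"], verdict["hsts_ok"])
        for finding in verdict["findings"]:
            print("  -", finding)
```

The redirect check is the one the article's complaint rests on; the HSTS check is the follow-up a practitioner would want, because a redirect alone still leaves the first plain-HTTP request of every visit exposed, and an HSTS header sent only over plain HTTP does nothing.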
All in all, TAIT's breach notification proves that saying that you take security seriously is easier than actually doing it.