Industry looks at the MailChimp data incident.
the cyberwire logoJust Now

MailChimp's data incident is relatively small in immediate effect, but it's still an instructive case.

Industry looks at the MailChimp data incident.

Email marketing firm MailChimp this week confirmed that it experienced a data breach after hackers infiltrated an internal customer support and account administration tool. The attackers accessed the data of 133 users by using employee credentials acquired in a social engineering attack aimed at MailChimp staff and contractors. The company first detected an unauthorized individual accessing their system support tools on January 11. Fortunately, MailChimp was able to act quickly, temporarily suspending the accounts where suspicious activity was logged and notifying the primary contacts for all impacted accounts less than twenty-four hours after the breach was discovered. Though the number of affected customers is small, one of them was the popular WooCommerce eCommerce plugin for WordPress, which warned users that the incident exposed their names, store URLs, addresses, and email addresses. MailChimp told Bleeping Computer, “While we do not share customer information as a matter of course, we can share that no credit card or password information was compromised as a result of this incident.” An investigation is ongoing. 

Swift disclosure by MailChimp.

MailChimp's response strikes some observers as setting a good example for businesses generally. Dr. Ilia Kolochenko, Founder of ImmuniWeb, and a member of Europol Data Protection Experts Network, wrote to comment on the company's reaction. It's not a large incident, but MailChimp disclosed unusually quickly and completely.

“The unauthorized access to 133 customer accounts is a very insignificant security incident for such a large company as Mailchimp. Transparent disclosure of the incident rather evidences a well-established DFIR process and high standards of ethics at Mailchimp, as most businesses of q similar size will likely try to find a valid excuse to avoid mandatory disclosure prescribed by law or imposed by contractual duties. The reported attack vector of social engineering and password reuse remains extremely efficient today, many large businesses regularly fall victim to it despite multilayered cyber-defense and most advanced security controls. Moreover, the reportedly compromised account of a technical support specialist likely had access to a much larger number of customer accounts, evidencing that the incident was timely detected and contained.”

The MailChimp incident and the importance of zero trust.

Gal Helemski, co-founder & CTO/CPO, PlainID sees the incident as showing the importance of zero trust.

"In attacks such as this, identity is the solution for finding the adversary and eliminating it from systems. Organizations must adopt a “Zero Trust” approach, which means trusting no one – not even known users or devices – until they have been verified and validated. Access policies and dynamic authorizations are a crucial part of the zero-trust architecture, as they help to verify who is requesting access, the context of the request, and the risk of the access environment.

"Instead of pouring more money into a shotgun approach to security, organizations need a more focused strategy oriented toward purchasing the highest reward tools. Identity and authorization are where the smart money should be going. If we assume hackers are already in the network, it makes sense to focus budgets on technologies that restrict movement inside the network."

Justin McCarthy, co-founder and CTO, StrongDM, notes that there are probably data other than email accounts of interest to attackers. “The recent Mailchimp incident has security experts now pondering if the bad actors are going after email accounts, it’s safe to say they are also going after your data, data stores, repos, APIs and more. Ensuring that access is secured for all users -- admins, developers, analysts and more -- is critical in keeping your company and customers safe. One way to accomplish this is to eliminate credentials all together and move to just-in-time access or Zero Standing Privilege.”

Best practices in defense against social engineering.

Tyler Farrar, CISO, Exabeam, sees a familiar lesson: the value of following best practices. “Adversaries are always going to go for the path of least resistance to meet their end goal. The threat actors who conducted this social engineering attack were likely not going after Mailchimp, but the organizations the email platform works with. Rather than attempt to attack each of the customers individually, the adversary probably figured it would be easier to break through into Mailchimp. Unfortunately, attacks like these are going to become more and more common. The software supply chain is going to become the number one threat vector in 2023. As a result, organizations should create a vendor risk management plan, thoroughly vet third parties and require accountability to remain vigilant and align to cybersecurity best practices.”

Erfan Shadabi, cybersecurity expert with data security specialists comforte AG, draws lessons that any organization might profit from.

“This cybersecurity incident shows just how clever threat actors can be in adapting existing social engineering tactics. The situation also underscores two key points that every enterprise should heed.

"One, it’s not enough simply to educate employees and partners sporadically about common social engineering tactics and hope that this makes a significant impact on incident prevention or mitigation. The entire corporation needs to adopt a culture of cybersecurity in which speed and rapidity are valued less than safety and sensible inspection of all requests for information and action. Social engineering preys on misdirection and hasty actions and responses. Put a premium on employees treating every email with healthy skepticism.

"Two, protect all sensitive enterprise data with more than just perimeter security, even if you feel that the impenetrable vault you’ve stored it all in is foolproof. Make sure that data-centric protection such as tokenization or format-preserving encryption effectively obfuscate sensitive information in case threat actors find their way into your data ecosystem. At some point, every organization will face a cybersecurity attack, so better be prepared.”

Chris Hauk, consumer privacy champion at Pixel Privacy, urges that organizations like MailChimp look to increased security awareness training. “Organizations like this should not only tighten their security measures, they should also put in place training programs for employees and executives, educating them about phishing attacks like the one that facilitated these breaches.”

Social engineering does indeed require training if employees, and hence organizations, are to build up resistance. Almog Apirion, CEO and Co-Founder of Cyolo, wrote:

“Within one year, MailChimp has suffered three data breaches as a result of social engineering attacks, with one of the worst-case scenarios – a breach that seems to be very similar to previous ones. So, what is going wrong? It is far too often that employees fall for phishing attacks that place sensitive company assets and personal information at risk of malicious threats. Social engineering attacks make employees particularly vulnerable by using psychological manipulation to take advantage of weak security protocols. It is not surprising that the riskiest attack vector is the human behind the network, system or application. Beyond, the rise of remote work has presented new challenges for companies implementing perimeter security systems. Companies must consider how to extend security controls to all users, even hybrid employees and third parties outside of the corporate network. 

"Companies should prioritize securing identities – the new perimeter for many organizations. By increasing the adoption of zero-trust practices, businesses can ensure the validation of all users, limit the applications each user is entitled to and capture a full audit trail for forensic and compliance needs.” 

And, of course, social engineering attacks are to be expected. After all, they work. Leonid Belkind, CTO and co-founder at Torq, said, “The MailChimp hack is emblematic of the urgent need to closely calibrate cybersecurity systems to proactively address these inevitable attacks. The advent of sophisticated security automation can play an important role in mitigating these scenarios. By granularly calibrating security tools, so they work together in concert to identify, alert, and remediate these attacks, security automation can add a critical layer of protection that is missing in countless enterprise security configurations.”