Adafruit announced that a publicly accessible GitHub repository contained a data set comprising user account names, email addresses, billing addresses and order status. Although no user passwords or financial information were stolen, this data leak reinforces that organisations can never be too careful with how they handle customer data. Real customer information should never be used for training or data analysis in an employee's GitHub repository, as it was here, because every affected user now faces potential targeting by phishing scams or communications impersonating Adafruit in pursuit of more valuable credentials.
This is where security awareness training (SAT) becomes critical: it teaches employees to recognise the signs of a phishing attack and equips them with the skills to respond. When analysing a potential phishing message, SAT trains employees to spot the tell-tale signs of an attack, including spelling errors and incorrect logos. Moreover, SAT emphasises the need to contact the company directly, through a known channel, after receiving unexpected communication to confirm whether it is genuine.
On the business side, current email security is overly focused on prevention when it comes to the phishing attacks that follow data leaks like this one. Organisations should instead implement a robust, layered security strategy. That layered strategy should include real-time detection of zero-day and novel threats. Adding real-time detection and automated remediation to identify and eliminate threats rapidly minimises the impact when a malicious email does make it through the defences.