800-214-0957 info@blackbottleit.com
Lessons From the Breach Hotline

Lessons From the Breach Hotline

Email Compromise Trends The Highest on Breach Hotline: Lessons Learned


Breaches happen to ALL businesses.  Of the calls into the Black Bottle IT  Breach Hotline, 33% directly resulted from email compromise and user error! Unsurprisingly, ransomware was a close second that resulted in calls to the Breach Hotline. 

Most often, scammers go right for the finance employees and their emails, and they use phishing or malware to access a finance employee’s email account, such as an accounts receivable manager. Then the scammer emails the company’s suppliers fake invoices that request payment to a fraudulent bank account.

Types of Breaches You Should Know About


  • Backdoor Attack: A backdoor is a malware type that negates standard authentication procedures to access a system. As a result, remote access is granted to resources within an application, such as databases and file servers, allowing perpetrators to issue system commands and update malware remotely.


  • Printer Cyber Attacks: Hackers can connect your printer to a botnet, which can be used to steal your data and carry out cyber attacks.


  • Spoofing Attacks: When someone or something pretends to be something else in an attempt to gain your confidence, get access to your systems, steal data, steal money, or spread malware.


  • User Error: An unintentional or lack of action results in a data breach; this category includes activities like downloading infected software and keeping a weak password.


  • Email Account Compromise: EAC is not limited to phishing and malware emails to compromise victims’ email accounts, gaining access to legitimate mailboxes.


  • Ransomware: During the first half of 2022, there were an astonishing 236.1 million ransomware attacks worldwide. The top five industries impacted include Banking and Financial Services, Education, Energy and Utilities, Government, and Manufacturing.


  • Third-Party Compromise: Third-party risk is the likelihood that your organization will experience an adverse event: data breach, operational disruption, or reputational damage. A third-party attack occurs when a criminal infiltrates your system through an outside partner or provider with access to your systems and data.


  • Data Leak: A data leak is when sensitive data is accidentally exposed physically, on the Internet, or any other form, including lost hard drives or laptops. This means a cybercriminal can gain unauthorized access to sensitive data without effort. The consequences may include the destruction or corruption of databases, the leaking of confidential information, and the theft of intellectual property.

What Can Businesses Do to Protect Themselves

According to Michael Valentine, Black Bottle IT’s Compliance Security Expert, the businesses that called their breach hotline over the last 24 months did not have monitoring; some only had Anti-Virus or nothing at all. 

Having an incident response plan to manage third partie
s is also a must. While the benefit typically outweighs the risk for many third-party relationships, partnering with third parties increases your attack surface risk. At Black Bottle IT, we answer third-party relationships as it is not necessarily “if” but when an incident will occur and how severe it will be.

Human error continues to be a concern.
Black Bottle IT  and industry experts agree that Cybersecurity training should occur about two to three times per year — or almost every four to six months. One of the most common reasons security training programs fail is a lack of adequate planning and effort on behalf of organizations.

Tools alone don’t do the trick. Implementing multi-factor authentication, or MFA, across all devices and updating software is necessary. We alleviate businesses’ pressures, such as assessing and remediating against new attacks, protecting their organization against data theft,  addressing skills shortages, and filling resource gaps.


Contact Black Bottle IT today for a no-obligation Cyber Risk Gap Assessment. 

The Breach: Part 4

The Breach: Part 4

The Breach – Part 4


And the Story picks up where we left off here.

Date of Discovery

All along the way, third-party companies were lining up with bags opened, hoping to get them filled with “incident response” money.  Most of them were trying to create some real sense of urgency to engage and take action.   I never fell for the high-pressure tactics; I wanted to get some options, evaluate the risks, and make an informed decision.  However, in the days that followed, the attorneys started educating us in the generalities of cyber statutes.  Most of them had a requirement to respond with their timelines after the “date of discovery.”  This was the only timeline that mattered.  So, we had time, but much, to rationally engage third-party forensics to a specific scope of the data breach so that we could formulate a responsible response plan.

250 Records Lost – What A Relief

After sending the forensic team copies of the hard drives from machines in scope, we had many calls with the team. After their investigation, they thought we could have lost about 250 records of personal information.  At first, it was a relief, as it could have been much worse.  But shortly after, I started to realize that their analysis was speaking in hypotheticals.  The words beings used were “we think,” “they might have,” “it possible,” rather than more explicit language.  So, I started to understand that they didn’t know, but the forensics team advised me on the potential risk of what was accessible to the cyber attackers.  After this call, we had a pretty good idea about the size and scope of the attack.  At this point, I was finally able to provide some tangible details to the stakeholders of the company.  Until now, the information I had was all hypothetical; now, we had some excellent news to act on. 

The First Invoice — Yikes

A few weeks into this saga, the Company received its first invoice from the Data Breach Coach (attorneys) and the forensics company.  Let’s back up. We engaged this firm because we had access to them through our insurance coverage.  And, we received about 60% more financial relief from all the expenses if we used the insurance companies’ providers rather than just find our resources.  So, naturally, we engaged the providers recommended by our insurance company.  But, there was a limit to what the coverage would allow for. At first, I thought the coverage was way more than enough until the first invoice arrived.  The hourly billable rates were so high, and I felt they misplaced a decimal point.  Our first invoice ate up around 35% of our allowed coverage.  I needed to make sure the Company was using its coverage limit wisely.  The Data Breach Coach and forensics team afforded plenty of opportunities to do work and eat up our remaining coverage. 

The Response

After the scope of the event had been determined, it was time to work on the response.  The legal team briefed us on the types of actions that we needed to take.  First, we needed to determine what states the impacted parties were residing in.  Each state has its reporting requirements when a data breach involves personally identifiable information.  Some states even require credit monitoring and other services to protect individuals from identity theft.* I quickly realized that the attorneys understood these requirements and would be an extremely valuable resource.  They took on crafting notification letters to 15+ states on our behalf and having guidance that his juncture of the story was very comforting.  I understood our risk and felt comfortable we were doing the right things.

*note — These requirements are now commonplace in most states, but during this time, these requirements were not the norm

Our MSP Should Know How To Help Us Remediate… Not So Fast

At the same time our talks with the attorney and forensics, the Company was actively trying to remediate the root cause of the cyber attack.  We were confident we had stopped the attack.  But, verifying we had no lingering effects of our attack proved harder than we thought.  We reach out to our MSP for advice and assistance.  We planned a weekend to come in, install advanced cleaning tools, and clean every machine in the building (over 100).  We only completed the task to find the infected device (that was cleaned) with some unrelated malware. We scheduled another weekend to re-clean all the machines again.  After the 2nd round of cleansing, the malware was found again.  It was then I realized our MSP was not equipped to handle our situation.  To date, they have served us well, but the problem overmatches us.  In summary, they were not security experts, so we needed additional support.   

The moral of this story, Managed Service Providers, are good at traditional things, procurement of new hardware, architecting new infrastructure, end-user support.. etc.  But, cyber security experts were not.  Through lots of activity and a few 3rd parties, we could get our environment clean and remove any remnants of the attackers.

Final Part 5 is coming soon.



About the Author:

This blog was written by John Hensberger, Managing Partner of Black Bottle IT.  Earlier in his career, John was also part of a company that experienced a cybersecurity breach. That experience fueled his passion for assisting other companies with their cybersecurity needs to mitigate their risk. As Technology Executive and Cybersecurity Advisor, John was recognized as the Pittsburgh CIO of the Year, 2014.  Connect with John here.


My Breach Story: Part 1

My Breach Story: Part 1

The Breach – Part 1

I’m not sure how many cyber security professionals have been on the receiving end of a data breach and had to navigate their way through it.  But, part of my passion for this industry was born in my experience.  I was a typical IT Manager, supporting a companies software and infrastructure.  They had a few on-site IT professionals, and some  outsourced partners, and were focused on growing revenue, operational efficiencies, and doing more with less.  The Company had what I’d consider typical security tools in place.  A firewall with IP blocking and blacklisting, a modern AV/Anti-Malware agent, email security tools, etc.

The Call


One typical day, I’m at a lunch meeting with the CEO at Panera.  I got a call from my IT Manager since I was at lunch with the CEO. I wanted to stay focused on our conversation, so I ignored the call.  Immediately following I got an SOS text to call her ASAP.  This was not like her, so I knew something needed to be addressed, so I excused myself from the CEO and stepped outside to call her back.  I could sense a little panic in her voice, so I immediately asked her “What’s wrong?”.  She tells me that they received a call from the FBI, stating that an agent would be on-site the next morning to discuss a cyber security incident and that IT leadership and any 3rd party related to infrastructure should be present.  I paused, and being somewhat skeptical, I said, call the FBI office and verify the information provided (thinking it was a scam call).  She said, I already did, and it’s real.  After returning the table, the CEO asked me “What’s wrong?”, I relayed the information, and his first question was  “Is this something that could put the company out of business?”, to which I replied, “I don’t know yet”.  This was the beginning of a very long and hectic three months.

FBI On-site


True to their word, the FBI showed up the next morning, and we had all the necessary players around the table to ask questions and determine the scope of the situation.  Before we could open our mouths the FBI proceeds to tell us that he’s not even a cyber crime agent, he’s a kidnapping/ransom agent.  That he doesn’t know anything about  cyber crime, and his job is to read us the information about the incident.   So, he begins and reads a document that says the FBI had been monitoring some bad actors in eastern Europe and that our Company was 1 of 30 companies transmitting data to foreign IP addresses.  After reading the statement, he gave us the specifics of which IP addresses were in scope.  We start asking questions, to which he simply says “My job was to inform you of this activity, if you need more specifics, here is a card of a cyber crime agent that might help you”.  We shake hands, the meeting is over.

Continue to Part 2



About the Author:

This blog was written by John Hensberger, Managing Partner of Black Bottle IT.  Earlier in his career, John was also part of a company that experienced a cybersecurity breach. That experience fueled his passion for assisting other companies with their cybersecurity needs to mitigate their risk. As Technology Executive and Cybersecurity Advisor, John was recognized as the Pittsburgh CIO of the Year, 2014.  Connect with John here.