Forrester – one of the world’s leading market research and advisory firms – announced late last week that its website had been hit by a cyberattack.
According to the firm, the attack was limited to research reports made available to its clients through Forrester.com. The “outside hacker” gained access to such reports after stealing valid user credentials from the website.
“There is no evidence that confidential client data, financial information, or confidential employee data was accessed or exposed as part of the incident,” explained the company in a blog post published on Oct. 6.
Based on preliminary forensic evidence, the firm said it appears that the hacker was ultimately detected and shut out of the system.
The company noted it is strengthening internal security processes and systems as it continues to investigate the incident. Meanwhile, authorities have been notified to enable law enforcement to take further action as needed, Forrester said.
“We recognize that hackers will attack attractive targets – in this case, our research IP. We also understand there is a tradeoff between making it easy for our clients to access our research and security measures,” said George F. Colony, chairman and chief executive officer at Forrester, in a press release.
“We feel that we have taken a common-sense approach to those two priorities; however, we will continuously look at that balance to respond to changing cybersecurity risk,” Colony said.
The Forrester breach is a reminder to all organizations that valid credentials are a juicy target for attackers, added Travis Smith, principal security researcher at Tripwire.
“There is no need to risk noisy exploits and dropping zero days when an administrator password gives you the same level of access,” said Smith.
Forrester is one of several major financial and business entities that have announced a security incident in the past month, including consulting firm Deloitte, credit reporting agency Equifax, and the U.S. Securities and Exchange Commission (SEC).