Last month we saw more and more organizations fall victim to data breaches. The timing may have almost worked to the breached organizations’ benefit as we could barely start to talk about an incident at one institution before another one hit the headlines. Below is an overview of some of the larger breaches and what we can learn from them:
Saks Fifth Avenue and Lord & Taylor
The high-end retailers suffered a payment card breach in which over five million card numbers used at the department stores were already, or were soon to be, found for sale on the dark web. Hackers targeted point-of-sale systems and placed malware on the organization’s network that remained for almost a year (May 2017 through March 2018). Officials suspect that a phishing e-mail, opened by an unsuspecting employee, was used to launch the malware and infect the systems. Along with an emphasis on continued staff education to prevent successful phishing attempts, the other important lesson from this attack is that compliance is not security. Although all of the Saks and Lord & Taylor stores were using chip-enabled EMV devices for fraud protection, they had not put other security measures such as network segmentation or encryption in place. Once the hackers were able to infiltrate the network, the payment card numbers were in clear text and easily accessible.
Best Buy, Sears, and Delta Air Lines
Customer payment card information was exposed after [24]7.ai, a third-party contractor the organizations had employed for online chat/support services, suffered a malware attack. The window was relatively short, September 26 through October 12, 2017, and only customers who were using the chat feature at the same time as they were manually completing a purchase were affected.
This is a good reminder that even though a breach may be the fault and responsibility of a third party, the reputational fallout may still land on the customer-facing organizations. Remember that PCI DSS Requirement 12.8.2 stipulates that you should have an agreement in place whereby service providers acknowledge responsibility for cardholder data security not only if they are directly involved but also “…to the extent that they could impact the security of the customer’s cardholder data environment.” Ensure that your vendor management program includes a thorough review of the vendor’s processes, solutions, and any subcontractors they utilize. It is also important to ensure contract terms outline who is liable in the event of a breach and who will be responsible for covering the costs.
The travel agency announced a security breach of its systems on March 1st, in which nearly 900,000 credit card numbers were exposed. Between October and December of 2017, hackers accessed consumer data on a legacy system housing over two years’ worth of information. The lesson learned here: know where your data is. If you have sensitive information residing on legacy systems, consider taking that system offline so it is not accessible to the outside world. Not an option? Use robust security measures to protect the data just as you would any other system, including regular and timely updates to the latest patches to protect against known vulnerabilities.
The restaurant website leaked millions of customer records — including names, email and physical addresses, birthdays and the last four digits of the customer’s credit card number — for at least eight months before it was taken offline. Anyone who signed up to order food online could have had their information leaked.
This is an example of how many organizations harvest personal data as part of their marketing strategies and loyalty programs, but often take security for granted. The worst part of this story – a security researcher actually warned Panera of the exposed information eight months before the organization formally recognized the issue and remediated the vulnerability. Lesson learned here – if you know something is broken, fix it! Have a formalized incident response plan, along with well-thought-out updates that can be provided publicly confirming that your organization is working to address any identified issues.
Last but not least, hackers breached MyFitnessPal, a popular fitness app and website, compromising the personal information of almost 150 million users. Perhaps the best lesson learned from this incident is that enhanced security controls can reduce the amount of data that is impacted. Under Armour was doing several things right, including segmenting payment information from profile information, which spared any payment card data from being compromised in this breach. Under Armour also used “bcrypt” for the user passwords, which makes it harder for hackers to crack hashed passwords. There was still a risk of passwords being exposed, so Under Armour quickly advised all users to change their passwords on the MyFitnessPal site, as well as on any other sites that use the same username. To their credit, Under Armour did not hesitate to notify customers rapidly after discovering the intrusion; customers were made aware only 4 days following discovery.
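To make the bcrypt point concrete, here is an added example (not Under Armour’s or MyFitnessPal’s code) contrasting a fast, unsalted hash with a salted password hash whose cost can be tuned upward as hardware improves. Python’s standard library has no bcrypt, so hashlib.scrypt stands in for it; the record layout, sample passwords and timing helper are constructed for this illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional

# Stored-record layout used by this example (constructed for illustration):
#   "scrypt$<cost n>$<salt hex>$<derived key hex>"
# scrypt stands in for bcrypt because Python's standard library has no bcrypt;
# both are salted, deliberately slow password hashes with a tunable work factor.

def hash_password(password: str, n: int = 2 ** 14, salt: Optional[bytes] = None) -> str:
    """Hash with a fresh random salt and a tunable work factor n (a power of two)."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=n, r=8, p=1, dklen=32)
    return f"scrypt${n}${salt.hex()}${key.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        scheme, n, salt_hex, key_hex = stored.split("$")
    except ValueError:
        return False  # malformed record, never treat as a match
    if scheme != "scrypt":
        return False
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=8, p=1, dklen=32)
    return hmac.compare_digest(key.hex(), key_hex)

def unsalted_sha256(password: str) -> str:
    """The weak baseline: fast and unsalted, so equal passwords share one hash."""
    return hashlib.sha256(password.encode()).hexdigest()

def evaluations_per_second(fn: Callable[[str], str], seconds: float = 0.25) -> float:
    """Rough count of hash computations per second on one core; this is what
    bounds how quickly a stolen table of hashes could be guessed against offline."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        fn("constructed-sample-password")
        count += 1
    return count / (time.perf_counter() - start)

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok :", verify_password("correct horse battery staple", record))
    print("verify bad:", verify_password("Password1", record))
    print("sha256 per second:", int(evaluations_per_second(unsalted_sha256)))
    print("scrypt per second:", int(evaluations_per_second(hash_password)))
```

Raising n doubles the cost for the defender’s single login check and for every one of an attacker’s guesses alike, which is the trade-off that makes an adaptive hash worth the CPU time.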
These breaches are important examples of the types of incidents that may come with harsher consequences once the General Data Protection Regulation (GDPR) goes into effect in May. You do not want your organization to be the next example in the headlines (or the first example under GDPR), so use these events as an opportunity to shore up your network defenses and verify you have the appropriate security controls in place to protect all types of sensitive information.
Some additional guidance from the Security Advisor team is below:
[King]: Defining risk is always a challenge for institutions. Using these real world examples, both of what went wrong and what worked well in protecting data and responding to compromise, institutions can develop and improve their own security posture. Institutions can reduce the likelihood of compromise and develop an appropriate incident response plan by focusing efforts on areas proven to impact security and manage reputational risk.
[Hobby]: These examples bring to mind the old adage, “an ounce of prevention is worth a pound of cure.” We’re all busy. We all have a myriad of demands competing for our attention. Taking the time to give some of our attention to assessing risk and putting measures in place to reduce that risk and respond to issues is worth it. This list of breaches and lessons learned also serves to demonstrate that much of security is just good solid information technology operational practices: patching, change control, timely response to problem reports, etc. Since I started with an old adage, I’ll end with a new one: “effective security is the sustained ability to pay attention”.