2018 is young, but already companies like Orbitz, Panera, Saks Fifth Avenue, Delta, Best Buy, and others have suffered data breaches we can all learn from.
No organization wants to find itself in the tough position of disclosing a data breach. The consequences can be both immediate and long term, for the company as well as for its customers. Fallout can include damage to the company's value and reputation, regulatory fines, lawsuits, and compensation for victims such as paid credit monitoring. It is a painful experience for everyone affected or involved, but there can be a silver lining: if details about how the breach happened are shared, other organizations can make sure they don't suffer a similar compromise.
To that end, here are lessons that can be learned from six big data breaches that have already made headlines in 2018.
On March 1, Orbitz discovered that someone had gained unauthorized access to one of its legacy travel booking platforms. The travel fare aggregator service believes the attacker had the permissions required to view sensitive information including customers' names, dates of birth, phone numbers, email addresses, billing addresses, gender, and payment card information. No evidence was found to suggest the incident exposed customers' passports, travel itineraries, or Social Security Numbers.
According to numerous reports, the attacker had access to the platform between October 1, 2017 and December 22, 2017, and payment card details for about 880,000 customers may have been exposed during that window.
This incident highlights the importance of replacing outdated legacy software and systems. Such systems present a significant security risk, especially once they fall out of support and stop receiving security patches and updates. Orbitz is far from the only organization to suffer for this mistake. Outdated technology and software was also at least partly responsible for the breach of the U.S. Office of Personnel Management (OPM), which began in 2014 and exposed personal data, including background-investigation records, for millions of current, former, and prospective federal employees.
Funding to replace legacy systems isn't always easy to come by, so it is important to make the hidden risk of these systems visible and to put a dollar figure on it. Research suggests that for every one percent of IT spending an organization shifts from maintaining legacy systems to acquiring new ones, it can expect roughly a five percent reduction in security incidents.
On April 2, Brian Krebs broke the story of a flaw in the website of the Panera Bread restaurant chain. The flaw exposed, in plaintext, the account data of customers who had signed up on panerabread.com to order food online, including their names, email and physical addresses, dates of birth, and the last four digits of their payment card numbers.
Krebs wrote the story after a tip from security researcher Dylan Houlihan, who had discovered the vulnerability and tried to report it to Panera in August 2017. After first insinuating that Houlihan himself was a scammer, Panera's security team accepted the report and then apparently did nothing with it for eight months.
After the story broke, the company tried to downplay the weakness, saying it had fixed the issue and that only 10,000 customers were affected. Further investigation by Krebs found that the flaw had not actually been patched, however, and that it is believed to have affected closer to 37 million customers.
The Panera Bread incident should remind every organization of the value of regular penetration tests of its web-facing assets. It is also a case for a working vulnerability disclosure process: companies should be open to outside security researchers reporting bugs responsibly, including through formal vulnerability disclosure frameworks, and should have a defined path from a report to a fix with someone accountable for tracking it. A penetration test only covers what is in scope at the time; a disclosure program keeps that coverage open the rest of the year, and the willingness to run one signals that the organization cares about the security of its customers' information and will work with external researchers to strengthen it.
Fin7, a financially motivated threat actor with a history of targeting retail and hospitality organizations, went public with this data breach on March 28 when it posted a new sale to an underground market hub. The sale, called "BIGBADABOOM-2," advertised the details of five million payment cards for sale. Security firm Gemini Advisory took note of this sale and worked with financial institutions to trace the information back to Saks Fifth Avenue and Lord & Taylor.
According to the security company's analysis, the breach began in May 2017 and affected every Lord & Taylor store along with 83 Saks Fifth Avenue locations.
As of the publication of Gemini Advisory's findings, Fin7, also known as JokerStash, had released the details of 125,000 cards stolen from the two luxury department stores. The firm wrote that it believes the criminals will gradually release the remaining information over the next few months.
It was a short time thereafter that one of the affected shoppers filed a class-action lawsuit against Hudson's Bay Company, owner of the two affected luxury department store chains.
First and foremost, this incident highlights the need for stronger anti-malware controls on point-of-sale (POS) systems, where card-stealing malware runs. But because Fin7's sale listing for the stolen data advertised "track dumps" of the cards, some experts believe there was also a simpler way this breach could have been limited. Track dumps are copies of the data encoded on a card's magnetic stripe, which is exactly what POS memory-scraping malware harvests from swipe transactions and what criminals need to clone cards. Insisting on chip-and-PIN transactions instead of letting customers swipe would have denied the attackers that data: an EMV chip transaction produces a one-time cryptogram rather than static stripe data, so what can be captured at the terminal is not enough to produce a working counterfeit card. One caveat: the card number and expiry still pass through the terminal in a chip transaction, so chip-and-PIN alone does not stop card-not-present fraud; limiting that exposure takes point-to-point encryption or tokenization of the card number.
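What a "track dump" actually contains, and how both POS memory-scraping malware and a defensive memory or DLP scanner locate it, is easiest to see in code. The following is an added example written for this page, not code from the article, from Gemini Advisory, or from any named malware family: it scans a constructed byte buffer (standing in for a slice of a POS process's memory and built from publicly documented test card numbers, not real cards) for Track 1 and Track 2 formatted data, discards digit runs that fail the Luhn check, masks the card number for reporting, and reads the service code to tell whether the issuer marked the card for chip use. The sample buffer and the field layout are the example's own assumptions; it is the general scanner, not a reconstruction of Fin7's tooling.

```python
"""Find magnetic-stripe track data in a byte buffer.

Added example for this page (not code from the article or from any real
malware or scanner). The sample buffer is constructed from publicly
documented test card numbers; no real card data is used.
"""
import re
from typing import Dict, List

# Track 1, format B:  %B<PAN>^<NAME>^<YY><MM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{2})(\d{2})(\d{3})([^?]*)\?")
# Track 2:            ;<PAN>=<YY><MM><service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})([^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test. Rejects most random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        n = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six digits (issuer BIN) and the last four, the masking PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def chip_capable(service_code: str) -> bool:
    """A service code whose first digit is 2 or 6 marks the card as chip (IC) capable."""
    return service_code[:1] in ("2", "6")


def _record(track: int, pan: str, name: str, yy: bytes, mm: bytes, svc: bytes) -> Dict[str, object]:
    service_code = svc.decode("ascii")
    return {
        "track": track,
        "pan": mask_pan(pan),
        "name": name,
        "expiry": mm.decode("ascii") + "/" + yy.decode("ascii"),  # MM/YY
        "service_code": service_code,
        "chip_capable": chip_capable(service_code),
    }


def find_track_data(buf: bytes) -> List[Dict[str, object]]:
    """Return one masked record per Luhn-valid Track 1 or Track 2 string found in buf."""
    hits: List[Dict[str, object]] = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if luhn_ok(pan):
            hits.append(_record(1, pan, m.group(2).decode("ascii"), m.group(3), m.group(4), m.group(5)))
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if luhn_ok(pan):
            hits.append(_record(2, pan, "", m.group(2), m.group(3), m.group(4)))
    return hits


# Constructed stand-in for a slice of POS process memory. The card numbers are
# the well-known Visa and Mastercard test PANs; the last entry fails Luhn.
SAMPLE_MEMORY = (
    b"\x00\x13POS-TERMINAL-07\x00\x00"
    b"%B4111111111111111^DOE/JANE^25122011000000000000?"  # Track 1, service code 201
    b"\x00\x00\xff\xfegarbage\x00"
    b";5555555555554444=25121010000000000?"  # Track 2, service code 101
    b"\x00\x00"
    b";4111111111111112=25121010000000000?"  # bad check digit: ignored
    b"\x00"
)

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_MEMORY):
        print(hit)
```

On a real system the buffer would come from the memory of the payment application, and the useful detection signal is a positive hit in any process that has no business holding stripe data. Note that a chip transaction never produces data in this Track 1 or Track 2 layout, which is the concrete reason the "track dumps" wording points to swipe transactions.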
On April 4, Sears Holdings Corporation and Delta Air Lines both announced that data belonging to hundreds of thousands of their customers had been exposed through a breach at [24]7.ai, a third-party vendor that provides online chat support for both companies.
According to a statement from Delta, the breach is believed to have occurred from September 26, 2017 to October 12, 2017 and may have exposed credit card information for an undisclosed number of customers. The airline stressed that no other information, such as passport, government identification, or SkyMiles information, was impacted. Sears estimated that credit card information for less than 100,000 of its customers may have been exposed during the breach.
A day later, retailer Best Buy announced a small portion of its customers may also have been affected by the breach.
This incident is the latest reminder that an organization's security is only as strong as that of its partners. Mistakes by third-party service providers can expose customer data directly, and their access can also serve as an entry point for attackers and malware campaigns. Perhaps the most infamous example is the 2013 Target breach, which was traced back to network credentials stolen from a third-party HVAC contractor.
Companies should conduct due diligence when onboarding third-party service providers and put controls in place that limit what those providers can access, isolate that access from the rest of the network, and log and monitor how it is used. Vendor access that is broader than the service actually requires is exactly the gap an attacker looks for.
Today's criminals are using an increasingly advanced set of tools and techniques to perpetrate breaches. To learn more about how cyber attacks are evolving and how Barkly can help protect your network, see the 2018 Malware Trends Forecast.
David Bisson is an infosec news junkie and security journalist. He works as Senior Content Manager, Associate Editor for Tripwire's "The State of Security" blog, Contributing Editor for IBM's Security Intelligence, and Contributing Writer for Barkly, Palo Alto Networks' Security Roundtable, Gemalto, Venafi, Zix Corp, AlienVault, and others.