What the Biggest Data Breaches in Retail Have Taught Us about Cybersecurity

2014 Data Breaches by Industry

With the holiday season upon us, much attention turns to the retail sector, which is expected to see unprecedented activity as shoppers in a strengthening economy take advantage of seasonal deals and yet-further-expanded shopping hours. However, overshadowing the energy of the holiday shopping season, the specter of data breaches past sits more and more heavily on the minds of consumers and companies alike. As they whip out their credit cards and swipe their debit cards at millions of POS terminals this November, will the data on those cards be secure, or will they get their post-holiday statement to find mysterious charges and unfamiliar purchases?

2014 data breaches by industry

The past few years have seen hundreds of data breaches of companies large and small. The ones that makes the headlines, of course, are the ones that involve millions and tens of millions of customers. But what can be done about the security of customer information? Where are the holes? And is there any hope of a victory over cyber criminals whose only job is to find ways around and through corporate security measures?

Well, according to cybersecurity experts, there is hope of at least holding our own, but only if organizations take serious strides to implement and vigilantly maintain stringent, systematic plans to ensure that not only their systems, but those of their partners and vendors are secure from data leaks. This requires that IT security teams be properly supported and funded and that security education and awareness be a part of company culture. It’s time, they stress, for the C-suite to make data security one of their primary concerns and, given the cost of data breaches and the frequency with which they are occurring, it would seem foolish to argue.

So let’s take a look at a few things we’ve learned from some of the biggest retail data breaches in the past few years.

Lesson 1: Vet your third-party vendors

Target and Home Depot

 2013 Target data breach overview2014 Home Depot data breach overview

More details

In both cases, investigations found evidence of the data’s being sold in batches on the “dark web” within a few weeks of being taken.  The dark web consists in large part of a collection of forums and websites where criminals can buy and sell credit card information, personally identifiable information (PII), illicit substances, and any manner of illegal contraband.  Banks and cybercrime experts monitor these forums watching for indications that their customers’ data have been compromised.  It was bank security that raised the initial flag that led to the discovery of the Home Depot data breach.

A short time after the Home Depot data breach was reported,Brian Krebs, one of the foremost investigative reporters in the area of cybercrime, noted that the data from the latter data breach had appeared for sale on the same underground “shop” as the Target data had nearly a year earlier.  Investigators, he said, had found that the Home Depot registers that had been attacked were infected with a variation of the same malware that had been used in the Target attacks.  This software is designed to pull data from cards when they are swiped at an infected P.O.S. system.

So how did the malware get into the system in the first place?  In both cases, the criminals gained access to the networks through the system of a third-party vendor.  In Target’s case, it was the HVAC company that maintains their refrigerators – they had access to the Targets system so that they could monitor the units electronically.  The Home Depot, too, indicated that the thieves got in “using credentials stolen from a third-party vendor”.  Once in, they were able to exploit a vulnerability in Microsoft Windows, on which most POS systems run, to upload the malicious program.

What did we learn?

The practice of going after corporate data through vendors and subsidiaries is becoming more and more common.  Where corporations can afford to spring for huge cybersecurity operations (though many have until now chosen not to), smaller vendors may struggle to keep on top of data security.  There is, then, a lesson to be learned here for both big corporations and their third-party vendors.  The lesson? Get it done.  Organizations whose systems contain the personal and financial data of tens, sometimes hundreds of millions of customers have a responsibility to vet the vendors they work with (and the smaller companies they acquire) meticulously.  Systems must be set up not only for ensuring security protocol is followed by any vendor given access to your system, but processes should be put in place so that they are able to access only what is absolutely necessary and to check that the security measures on their own systems are robust and reliable.  Some things to look for, both in your own security protocol and in that of your vendors:

  • Are the procedures in place for granting and removing systems access to employees satisfactory and are they being followed?
  • Are security logs being routinely and consistently monitored to ensure that any attacks or data breaches are identified quickly?
  • What kind of password security protocol is in place? Are employees required to change their passwords regularly? Are they well-educated on the importance of password security, the methods criminals use to acquire login and password information, and what constitutes a secure password? Does the company use two-factor authentication? (This last may not be a ‘must’, but it is certainly a good idea.)
  • Are Bring-Your-Own-Device policies clear, comprehensive, and carefully enforced?
  • Is the connection between your networks entirely secure?  If sensitive data is being passed back and forth, do they have the capability to properly encrypt it?
  • Is their network secure on a basic level?  Do they have adequate firewalls, anti-virus, and anti-spam software?  Are their terminals secure, or can anyone with a little motivation just walk in and access their system on-site?  What do they do with decommissioned hardware?
  • What is their patching policy?  Do they have a process in place for ensuring that frequent patches from major software vendors like Microsoft are applied as soon as they are made available?

Highly regulated industries like financial services and insurance have long been advised – and in many instances required – to vet their third party vendors regularly and carefully.  In the wake of recent data breaches, it seems clear that retail organizations would do well to follow the same advice.

Lesson 2: Data protection at all levels must be prioritized

eBay

 What did we learn?2014 eBay Data Breach overview

In a report from the International Business Times following the attack, it was reported with regard to an investigation by the relevant regulatory bodies:

Of particular interest will be the lack of encryption used to protect customer names, email addresses, physical addresses, phone numbers and dates of birth. Investigators will also analyze why it took eBay nearly three months to detect the hackers, how long it took to fix the breach and how long the company waited to notify authorities and customers.

Knowing what went wrong in any situation helps to prevent making the same mistakes in the future.  With the increase in identity theft and new account fraud, we now know that encrypting PII can be as important as encrypting financial information.  We also know that data breaches can be difficult to detect if the right systems are not in place to make sure relevant data is reviewed by the right people in a timely manner.  Just like any other business process, log reviews, protocol revisions, security updates need to be included in a company’s workflow.  Not only can systems be set in place to ensure that every feasible measure is taken to protect sensitive information, but the right system can also enable an organization to integrate new protocols smoothly as new threats arise and new solutions are found.  Given the pace at which cybercrime is advancing, it has now become imperative for companies to move plans for pervasive data security systems to the front burner, and to turn the temperature up to ‘high’.

Lesson 3: Everyone has to get involved in cybersecurity

PNI data breach overviewPNI Digital Media
(vendor for CVS, Sam’s Club, Costco, Rite Aid, Wal-Mart Canada, and others)

What did we learn?

With so little known about the PNI breach, there has been much speculation by experts as to how it happened, why it was allowed to happen, and why it went undetected for so long.  While it may not be wise to give too much credence to speculation on a particular case, it can provide much insight into the overarching problems of retail data security and cybersecurity in general.

Boardroom support for Internet Security

When the news of the data breach first broke in July of this year, Brian Krebs noted that PNI Digital Media had been acquired by Staples Corporation around the same time that the PNI breach is thought to have first occurred, which seemed significant because Staples itself had suffered a breach that lasted some six months and exposed more than a million customer credit card records in mid-2014.  While this may or may not stand as evidence that the company is giving inadequate attention to cybersecurity, it is the case that the importance of boardroom support for internet security efforts is at the forefront of security experts’ concerns.

This has been highlighted even more by the recent breach at Experian that exposed the personal information – including social security numbers – of 15 million T-mobile customers. During his investigations of that case, Krebs interviewed several security experts who had left the Experian security team because the company refused to dedicate adequate resources to securing the extremely sensitive information stored in the credit bureau’s digital files.

Following the massive breach at Target in 2013, similar concerns were raised as the company’s CIO resigned and a new CIO, CISO, and CCO were sought to take her place.  Whether more leadership at the top is a solution to the problem remains to be seen, but the need for the C-suite to have a better understanding of and keep a more watchful eye on its digital security protocols is becoming clear.

Employee education

One of the most popular methods of infiltration for cybercriminals is through phishing.  It is a very simple thing to find out who works for a given company and in what department.  With a little social media skulking and seemingly-benign email contact, cybercriminals are able to obtain much of the information they need to access login and password information that can grant them broad access to corporate networks.  In this day and age, employees must be well informed of the methods criminals use to obtain sensitive information.  From clerical workers to the c-suite, everyone needs to understand basic preventative measures like how to recognize a phishing attempt and how to create and maintain secure passwords – and corporate policy needs to enforce for them the necessity of following security protocol.

Professional expertise from outside the company

Another recurring theme as companies seek to keep on top of cybercrime prevention is the question of whether data security is a task that should be left to the experts.  Even for very large companies that are able to maintain security teams that can operate much like an independent security contractor might, the reality is that those teams often struggle to get the resources they need in an environment where their success may not be the top priority.  In contrast, a security agency relies entirely on this strength to remain in business – they have no other task.  External agencies are able to be objective about and prioritize security while drawing on a broad range of experience and deep well of expertise and knowledge.  This is, in fact, one of the major benefits of moving to the cloud, presuming the right service provider is chosen.  A reputable cloud host recognizes that the security of its servers and its ability to protect the data entrusted to it is pivotal to its continued existence.  For this reason, cloud servers may well become some of the most secure places to store data into the future.

Government anti-cybercrime measures

Experts are divided on whether there is really much governments can do to stem the tide of cybercrime, which by its nature operates regardless of national borders.  There are, though, many who believe governments will have to become involved, and soon, before the cost of cybercrime outstrips the benefits of conducting business in cyberspace.  The call has been raised for an international governing body that would not only work to stop cyber criminals, but would regulate security measures so that companies around the world would be required to employ a strong baseline of prevention and detection methods.

Individual cyberhygiene 

Finally, it is time for consumers to accept that they will have to step up their personal online protection if they are to keep their financial and personally identifiable information (PII) safe from criminals.  Just as the time once came when folks began to lock their doors and keep the kids close to home, the time has now come to adopt certain precautions in the virtual world.  This will mean that certain inconveniences like using a different password for every online service and storing those passwords in a secure app or, better, their own memories, must become a matter of habit.  Credit card and loan offers that could once be discarded as junk mail now need to be shredded or otherwise disposed of securely and credit statements should be reviewed every month.  Individuals must be diligent about not opening emails from unfamiliar addresses or clicking on unknown links.  Even phone calls that seem to come from benign solicitors or even familiar institutions like banks and workplaces can be phishing attempts these days.  The more consumers are educated about how to protect themselves from fraud and identify theft, the fewer claims a company has to cover and the less a store loses on fraudulent purchases that no one – not the credit card holder, the credit card company, or the credit card fraudster – is going to cover.  What’s more, a customer who knows how to protect themselves will have greater confidence in the security of their information and a better informed consumer will always be a benefit to the market.

The time has come for everyone to recognize cybercrime as one of the major threats to economic security facing the individual and the corporation in today’s modern world.  We may not yet know how to shut down cybercriminals completely, but there remains much to be done before we can say as a community that we have done all we can.

Cover image: “System Lock” by Yuri Samoilov, via Flickr, some rights reserved

Source: Workflow Studios

Reactive -vs- Proactive Impact

The impacts of Reactive -vs- Proactive cyber security is very real!

Reactive -vs- Proactive; is there really a benefit to business? After correlating years worth of industry data the business and consumer impacts are quite clear but illustrating this information is difficult. We have created this infographic to help you make the business case for being proactive about security. After all … Lazarus Alliance is Proactive Cyber Security®!

Reactive -vs- Proactive Cyber Security Impacts

What should be painfully obvious is that by taking proactive steps you avoid about 96% of all breach potential. While there is no such thing as a perfect solution you will be significantly less susceptible to cyber crime and not as likely to be in a reactive response.

While holistic governance in security, privacy, risk and cyber-law is increasingly complex and you are charged with delivering GRC guidance to your organization that they understand. The security industry has been conditioned to accept the “inevitable breach” and engage a reactive incident response plan. We have changed that paradigm in part with ITAM. The IT Audit Machine gives you everything you need to succeed. The Americas, Europe, Asia, MENA or wherever strong IT security policies and holistic GRC is needed and we deliver the foundation your company needs.

Why should only big business be able to afford world class technology security executive representation? You retain attorneys and accountants to perform complex tasks and represent you; retain technology security executive services and subject matter experts just the same!

Lazarus Alliance brings internationally recognized expert technology security executives to work for you. Your Personal CXO ® is the global hot-spot for retaining the services of the best and brightest subject matter experts in Cyberspace Law, IT Security and operations, IT Risk and Governance, Compliance, Policy and more!

Our clients range range from start-ups on up to multinational corporations from all business sectors from all around the world. We can help your organization too! If your company depends on technology for the success of your business; and what company does not in our technically connected global business community? You need qualified proactive cyber security assistance to implement effective controls and countermeasures.

Lazarus Alliance Cybervisors® are here to help!

The alternative may be that your company is on the next industry breach report and you are stepping down from your position because you could have done more to protect your company.

Secure in 60 Seconds

Secure in 60 Seconds

While you slip into that Thanksgiving Day coma, take 6o seconds to beat holiday crime and stay secure. Nearly half of holiday shopping this year will be done through online merchants; about 46 percent according to the National Retail Federation. That is up slightly from last year and is another sign that U.S. consumers remain very comfortable with shopping online.

Secure Online Shopping

As we enter peak-season for retailers, no doubt, your email inbox is already filled with holiday themed messages, as multitudes of retailers work to win your heart and your pocketbook on the big, post-Thanksgiving Day shopping day.

As you formulate your holiday spending strategy, here are a few simple shopping tips that may help you protect yourself from criminals both online and outside:

  • Beware of phishing schemes. Just because an email appears to be legitimate doesn’t mean it is. Phishing is when criminals target large numbers of people through email, attempting to obtain private and personal data and even cash. Such emails may look somewhat legitimate, but even without close scrutiny there are often obvious clues they’re not. For example, misspelled words and poor grammar are good indicators an email was sent by a scammer. If you receive one, just delete it. Do not open any of the accompanying attachments or clicking on included links which are common vectors for criminals to take control of your computer and ruin your holidays.
  • Stick to retailers you know and trust. You may be tempted by the low prices offered by a company you’ve never heard of, but will they help you out if the item you order isn’t what was described on their website or never arrives? And if the business turns out to be untrustworthy, remember you’ve also given them your payment card number and other personal information. Make sure your credit card company offers buyer fraud protection which costs you nothing and might just save the day!
  • Use a credit card, rather than a debit card. When you choose your debit card over your credit card, you are exposing yourself to more risk. A criminal can clean out your checking account in one fell swoop with your debit card. To add insult to injury, may people also have over draft protections associated with a debit card linked to draw directly from their savings account. A criminal could completely clean you out within minutes!
  • When shopping online, ensure the site is secure. Look for sites with URLs that begin with HTTPS, rather than HTTP. This technical designation of HTTPS creates an encrypted private connection between your browser and the website you’re visiting, so that the information exchanged cannot be viewed or modified by an outsider.
  • In the physical world, make sure packages arrive when someone’s home to receive them. Thieves have resorted to following delivery trucksand taking items left on front porches when no one’s home. Consider having your items delivered to your work address or to a friend who’ll be at home when the doorbell rings. Also installing security cameras help identify criminals if professionally installed.
  • When in doubt, ask someone knowledgeable about cyber security. Most security professionals are happy to lend some advice free of charge.

These simple steps cost you nothing and do not require the services of the multitude of so-called identity theft companies out there. You can do more to secure and protect yourself faster and cheaper than anyone and all it takes is a little common sense.

Now … from everyone here at Lazarus Alliance, enjoy the holidays!

Lazarus Alliance is Proactive Cyber Security®