Tesco.com breached with hackers leaking thousands of passwords
Tesco has closed down over 2,000 customers’ accounts after a folder containing email addresses, passwords and voucher balances were posted online. The supermarket giant said that the data had been compiled by hackers using details stolen from other sites. The unidentified hackers are thought to have trawled lists of previously hacked accounts from other sites for matching log-in and password details for Tesco.com.
Lancope CTO, Tim ‘TK’ Keanini, said that these events are about as hard to predict as the sun rising tomorrow morning. “The problem is not the fact that cybercriminals break into these networks, the problem is that they can go undetected while they figure things out and ultimately exfiltrate the files without being seen. Having eyes on a popular text-sharing site is not an effective method of detection by anyone’s standard. In a recent survey performed by the Ponemon Institute on incident response, companies using the operational metric of Mean Time To Know (MTTK) was at a miserable 23% so it is just far too easy for cybercriminals these days to operate effectively.”
“This is not Tesco’s first security incident and let’s hope they are experienced enough now to have in place the right telemetry for a timely and precise investigation – because the time to put up the security camera’s is not after the incident if you know what I mean. Given the way the reports say the incident was discovered, it does not seem that they have the right technology in place when facing this advanced threat. Sadly, most retailers do not.” he added.
Calum MacLeod, VP of EMEA at Lieberman Software Corporation said: “I would say that Tesco is typical of retailers who continue to invest in the minimum security to keep auditors happy and invest in technologies that don’t solve real problems but tick compliance boxes. There’s no point in buying technology that never gets implemented either because it is not fit for purpose or ends up costing astronomical fees to implement. It’s time companies started to realise that too many vendors see customers as cash cows who end up discovering that 20% of cost is the product and 80% is locked in professional services. Until these organisations recognise that the fundamental component of securing themselves is controlling their privileged credentials and continuously monitoring to detect anomalies, everything else they do is irrelevant.”
Keanini concluded “If these retailers would spend half the time on cybersecurity analytics as they spend on consumer analytics predicting buying patterns, the cybercriminals would have a very hard time being successful as their behavior could be predicted and retailers would have more effective defenses. This I believe is evidence that retailers do not feel like cybercrime is a part of doing business yet but how many more times will they need to be compromised before incident response is part of the business process?”
In a statement to the BBC, Tesco said: “We have contacted all customers who may have been affected and are committed to ensuring that none of them miss out as a result of this.”
