IT Security Guru

Daily News Digest – 17th February 2014

by The Gurus
February 17, 2014
in Opinions & Analysis

After US retailer Target was the victim of a massive breach at the start of this year, UK retailers will not have been breathing a sigh of relief at the news, in case the same thing befalls them.
 
As it turns out, one of the UK’s premier retailers has suffered a data breach, with 2,239 loyalty card holders’ details published. Being in the headlines of the security press is nothing new for Tesco. After it was revealed that it sent passwords in plain text in 2012, and it subsequently faced an investigation from the Information Commissioner, it faced a similar problem last week.
 
As we reported, Tesco said that the data was stolen from other sites after hackers were believed to have trawled lists of previously hacked accounts from other sites for matching login and password details for Tesco.com.
 
Hunt said: “The problem is that Tesco’s security profile makes this sort of attack simple. Their approach to security provides numerous avenues for attackers to easily verify the existence of accounts and then establish their passwords.”
 
Hunt, who set up the aggregation website haveibeenpwned.com to allow users to check their email address against 160 million breached records, said that the accounts did not come from any of the sources he had worked with.
 
“What would concern me if I was in Tesco’s shoes is that clearly someone has a workable attack vector that’s exploiting their accounts. Whether they’re brute forcing accounts one by one or simply testing for reused credentials from other breaches, the fact remains that accounts have been compromised en masse. I would not for a moment assume that the extent of the damage is only a couple of thousand accounts, that’s almost certainly only the tip of the iceberg,” he said.
 
“Many of the serious security problems that Tesco had in mid-2012 remain both in terms of discrete risks I called out (such as password strength), and as a cultural approach to security in general. There are still numerous easily observable risks discoverable simply by browsing the website, who knows what might lie beneath that and is readily discoverable with a little probing.”
 
Trey Ford, global security strategist at Rapid7, said that this highlights the dangers of people reusing passwords and other security credentials across multiple accounts; it does not indicate that Tesco was breached, and was instead about consumer behaviour. “People continue to reuse passwords and other credentials across multiple sites, making it easy for attackers to compromise them. It’s essential to learn the lesson from this incident before the cost becomes greater.”
 
Going by some of the opinions that appeared in my inbox, the blame should be laid at the feet of the retailer. Tim ‘TK’ Keanini, CTO of Lancope, said that if retailers “would spend half the time on cyber security analytics as they spend on consumer analytics predicting buying patterns, the cybercriminals would have a very hard time being successful as their behaviour could be predicted and retailers would have more effective defences”.
 
Elsewhere, Jason Hart, vice president of cloud solutions at SafeNet, said that this should serve as a reminder to all retailers of the threat posed by data breaches, as this is not the first time that supermarkets have fallen foul of a cyber attack.
 
Calum MacLeod, VP of EMEA at Lieberman Software Corporation, said that Tesco is typical of retailers who continue to invest in the minimum security to keep auditors happy and invest in technologies that don’t solve real problems but tick compliance boxes. “There’s no point in buying technology that never gets implemented either because it is not fit for purpose or ends up costing astronomical fees to implement.”
 
As for the victim (well, apart from us the citizens), the retailer said that it closed all of the affected accounts, improved security and now requires customers to use their unique Clubcard number to log in. The affected citizens, who I suspect are a small percentage of the total number of Clubcard holders, will receive some benefits but will be left with a sour feeling in their mouths at the apparent misuse of their data.
 
As shoppers and consumers we are encouraged to sign up for accounts and loyalty cards with retailers, but if our data is not secure then would we continue to do so? For the retailers, these are likely to create databases of hundreds of thousands, if not millions, of users who sign up for an account and assume it is safe. Retailers, we have put our trust in you, but we are feeling decidedly unsafe.
