British high street giant Debenhams has become the latest retailer to be hit by a data breach, after it was reported that thousands of customers have been affected by card-stealing malware.
Around 26,000 customers of the Debenhams Flowers website had personal and financial details, including payment information, names and addresses, stolen during the breach, which took place between 24 February and 11 April. The hackers had access to the internal systems of Ecomnova, the third-party company that operates the Debenhams Flowers website, which is currently offline.
Organisations that use third-party suppliers must be aware of the security measures in place and must ensure they meet a certain standard. This is the view of Stephen Coty, chief cybersecurity evangelist at Alert Logic, who says, “This really stresses the need to make sure that your third-party suppliers are meeting the same security requirements that you have set for your business. Regular audits of your supply chain are recommended: not just accepting a questionnaire as their proof of compliance to your security standard, but actually performing a full penetration test and code audit to confirm that the supplier is doing their part to maintain the integrity of your data.”
“It’s an unfortunate fact of life for security teams that an organisation’s data is only as secure as the weakest link in the chain, which is often smaller third-party vendor organizations”, added Dr Anton Grashion, managing director of security practice at Cylance. He continues, saying that “it’s absolutely critical to evaluate information security risk when choosing and onboarding a vendor, as well as to outline minimum security practices and stipulate liability in agreements with those organisations.”
All affected customers have been notified, and anyone who has used the florist service is advised to check for correspondence from the company. The Information Commissioner’s Office (ICO) has also been informed.
Commenting further on the news are leading IT security experts from Imperva, Lastline and NuData Security.
Itsik Mantin, director of security research at Imperva, says hackers stop at nothing in their search for flaws in web systems: “Vulnerabilities exist in nearly 100% of web applications. Hackers constantly and continuously scan the internet, looking for web applications that don’t have adequate protection.” Itsik also advises that users should “keep a close eye on your bank statements, watching out for anything unusual, or better still, tell your bank and request a new card.”
Marco Cova, senior security researcher at Lastline believes “every breach reveals data that criminals can use to launch additional attacks, either by the initial attackers or other criminals to whom they sell the compromised data. They merge data from multiple sources, building dossiers on potential victims, including spear phishing targets inside corporations. Every breach is a reminder of the importance of strong authentication measures in both personal and professional devices, networks, and web applications. The blurring of personal and professional use of enterprise assets such as laptops underscores the criticality of protecting organizations from the network core to the outer edges against advanced persistent threats and evasive malware that could be introduced as a result of an infected personal device targeted as a result of a prior data breach. Data breaches provide a distribution hub for malware for years to come.”
Robert Capps, VP of business development at NuData Security, states that “any breach of personal information is of extreme significance and concern. With just a name and email address, there is an outsized risk to consumers from targeted phishing and malware attacks. Stolen consumer data can be combined with other personally identifiable information (PII) from other hacks and breaches, to amass even more detailed profiles of users that are traded and sold to other hackers and fraudsters. These bundles of data contain much more complete information about specific individuals, providing greater opportunities for fraud to take place. For example, with enough data collected from separate breaches, a fraudster can gain access to enough financial and personal information to enable the successful application for a new credit card or loan, or even takeover of an existing consumer financial account.
He continues, saying, “Behavioural analytics can provide victims of a data breach with an extra layer of protection even after a hack has occurred. We need to put a stop to these fraudsters in an entirely passive and non-intrusive way by building barriers to the fraudsters. We do this by learning how a legitimate user interacts with the online world around them, in contrast to a potential fraudster who uses valid consumer information stolen from intrusions and data breaches. Passive biometric technologies are highly accurate and impersonation resistant, making it possible to predict and prevent fraud from occurring in real time, without interrupting a user’s experience.
“The only way we are going to stop these breaches is to devalue the data the fraudsters are going after. Passive biometric technology is being used by some large banks and merchants that can verify the true user even when valid stolen credentials are presented. Once these dynamic behavioural authentication solutions are more widespread, identity thieves will have a much harder time operating in an environment where the data they go after is useless to them. We look forward to seeing online identity thieves go out of business.”