Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security //

Data Leakage

4/5/2018
11:05 AM
Dawn Kawamoto
Dawn Kawamoto
Dawn Kawamoto
50%
50%

Massive Data Breaches & Data Leak Hit Retail Industry in 1-2-3 Punch

Panera Bread, Hudson Bay and Under Armour all took it on the chin within the last two weeks, falling prey to a round of cyber attacks that have hit the retail industry hard.

In the course of two weeks, the retail industry has been pummeled with two massive data breaches and a high-profile data leak, contributing to the uneasiness consumers already feel when it comes to retailers and their ability to safeguard their information.

Security researchers on April 3 disclosed a massive data leak at Panera Bread, which is believed to have affected more than 37 million customer records by exposing customer names, email addresses, physical addresses, birthdays and the last four digits of customers' credit card numbers, reports Krebs on Security.

That disclosure came eight months after Panera Bread had been informed of the leak by security researcher Dylan Houlihan but did not develop a fix until the information was publicly disclosed, according to Krebs.

And on April 1, Hudson Bay Company, the parent company of Saks Fifth Avenue and Lord & Taylor, issued a statement that it had suffered a massive data breach, which affected approximately 5 million credit card numbers, although that number could rise.

But the biggest attack to date this year is Under Armour's mega-massive breach of 150 million users for its MyFitnessPal app. The fitness clothing retailer, which made the disclosure two weeks ago, not only topped the breach charts this year for the retail industry but all industries.

Retail ranks second in industry attacks
The retail and accommodations industries combined ranked No. 2 in breaches, representing 15% of the 1,935 breaches last year, according to Verizon's 2017 Data Breach Investigations Report.

Ninety-six percent of cyber attacks in the retail industry are driven by threat actors looking for financial gain, with 57% of the data compromised falling into the payments category, according to the report.

"Payment information is the first target they go after in retail. Payment card information is very liquid and easy to sell on the Dark Web. Private data is not as valuable as credit card and payment card data," Andrei Barysevich, advisor to Gemini Advisory told Security Now.

Panera's data leak, for example, while massive, offers very little direct value for cybercriminals, Barysevich said. In order to make the data valuable, an attacker would have to use the gleaned Panera Bread data as a tool for social engineering or a phishing attack, which in turn would then potentially yield a payday for the attacker, he explained.

Not only does the retail industry tend to have a treasure trove of credit card and payment data, but Barysevich adds the industry tends to be less IT security savvy than other industries, such as the finance industry, and as a result has a tougher time detecting and fending off attacks.

"Finance companies have more experience defending against attacks and have been doing it longer than the retail industry," Barysevich said. "Retailers also tend to spend less money on security unless they have a breach."

Daniel Miessler, client advisory services director at IOActive, told Security Now that he has found that many companies tend to spend their time and resources defending themselves against auditors rather than attackers.


The fundamentals of network security are being redefined -- don't get left in the dark by a DDoS attack! Join us in Austin from May 14-16 at the fifth annual Big Communications Event. There's still time to register and communications service providers get in free!

"They end up vulnerable to the latter because of it," Miessler said.

The common thread that binds
The common thread that ties together mass data breaches, and the list runs the gamut of targeted industries, is the centralization of large quantities of sensitive data used for account access or payments, George Avetisov, CEO of HYPR, told Security Now.

"When there's a large central repository of data that malicious third parties can sell, buy and reuse, it's not a matter of if the data will be hacked, it's a matter of when," he said.

Large service providers can abandon the risky practice of holding vast amounts of data and decentralize credentials, such as biometrics, PINs, passwords and bankcards, Avetisov advises. He noted decentralized authentication may keep sensitive data safely encrypted and isolated on the end user's mobile device.

"This removes the target and forces hackers to move from a wholesale fraud model to a markedly unsaleable retail one, whereby he or she must go from device to device in the hopes of possibly obtaining one set of credentials," Avetisov added. "The best prevention is to remove the target that is hit time and again."

Related posts:

— Dawn Kawamoto is an award-winning technology and business journalist, whose work has appeared in CNET's News.com, Dark Reading, TheStreet.com, AOL's DailyFinance, and The Motley Fool.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25533
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
CVE-2021-3162
PUBLISHED: 2021-01-15
Docker Desktop Community before 2.5.0.0 on macOS mishandles certificate checking, leading to local privilege escalation.
CVE-2021-21242
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...
CVE-2021-21245
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload which can be used to u...
CVE-2021-21246
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the `/users/` endpoint there are no security checks enforced so it is possible to retrieve ar...