Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security //

Data Leakage

4/5/2018
11:05 AM
Dawn Kawamoto
Dawn Kawamoto
Dawn Kawamoto
50%
50%

Massive Data Breaches & Data Leak Hit Retail Industry in 1-2-3 Punch

Panera Bread, Hudson Bay and Under Armour all took it on the chin within the last two weeks, falling prey to a round of cyber attacks that have hit the retail industry hard.

In the course of two weeks, the retail industry has been pummeled with two massive data breaches and a high-profile data leak, contributing to the uneasiness consumers already feel when it comes to retailers and their ability to safeguard their information.

Security researchers on April 3 disclosed a massive data leak at Panera Bread, which is believed to have affected more than 37 million customer records by exposing customer names, email addresses, physical addresses, birthdays and the last four digits of customers' credit card numbers, reports Krebs on Security.

That disclosure came eight months after Panera Bread had been informed of the leak by security researcher Dylan Houlihan but did not develop a fix until the information was publicly disclosed, according to Krebs.

And on April 1, Hudson Bay Company, the parent company of Saks Fifth Avenue and Lord & Taylor, issued a statement that it had suffered a massive data breach, which affected approximately 5 million credit card numbers, although that number could rise.

But the biggest attack to date this year is Under Armour's mega-massive breach of 150 million users for its MyFitnessPal app. The fitness clothing retailer, which made the disclosure two weeks ago, not only topped the breach charts this year for the retail industry but all industries.

Retail ranks second in industry attacks
The retail and accommodations industries combined ranked No. 2 in breaches, representing 15% of the 1,935 breaches last year, according to Verizon's 2017 Data Breach Investigations Report.

Ninety-six percent of cyber attacks in the retail industry are driven by threat actors looking for financial gain, with 57% of the data compromised falling into the payments category, according to the report.

"Payment information is the first target they go after in retail. Payment card information is very liquid and easy to sell on the Dark Web. Private data is not as valuable as credit card and payment card data," Andrei Barysevich, advisor to Gemini Advisory told Security Now.

Panera's data leak, for example, while massive, offers very little direct value for cybercriminals, Barysevich said. In order to make the data valuable, an attacker would have to use the gleaned Panera Bread data as a tool for social engineering or a phishing attack, which in turn would then potentially yield a payday for the attacker, he explained.

Not only does the retail industry tend to have a treasure trove of credit card and payment data, but Barysevich adds the industry tends to be less IT security savvy than other industries, such as the finance industry, and as a result has a tougher time detecting and fending off attacks.

"Finance companies have more experience defending against attacks and have been doing it longer than the retail industry," Barysevich said. "Retailers also tend to spend less money on security unless they have a breach."

Daniel Miessler, client advisory services director at IOActive, told Security Now that he has found that many companies tend to spend their time and resources defending themselves against auditors rather than attackers.


The fundamentals of network security are being redefined -- don't get left in the dark by a DDoS attack! Join us in Austin from May 14-16 at the fifth annual Big Communications Event. There's still time to register and communications service providers get in free!

"They end up vulnerable to the latter because of it," Miessler said.

The common thread that binds
The common thread that ties together mass data breaches, and the list runs the gamut of targeted industries, is the centralization of large quantities of sensitive data used for account access or payments, George Avetisov, CEO of HYPR, told Security Now.

"When there's a large central repository of data that malicious third parties can sell, buy and reuse, it's not a matter of if the data will be hacked, it's a matter of when," he said.

Large service providers can abandon the risky practice of holding vast amounts of data and decentralize credentials, such as biometrics, PINs, passwords and bankcards, Avetisov advises. He noted decentralized authentication may keep sensitive data safely encrypted and isolated on the end user's mobile device.

"This removes the target and forces hackers to move from a wholesale fraud model to a markedly unsaleable retail one, whereby he or she must go from device to device in the hopes of possibly obtaining one set of credentials," Avetisov added. "The best prevention is to remove the target that is hit time and again."

Related posts:

— Dawn Kawamoto is an award-winning technology and business journalist, whose work has appeared in CNET's News.com, Dark Reading, TheStreet.com, AOL's DailyFinance, and The Motley Fool.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Malware Attacks Declined But Became More Evasive in Q2
Jai Vijayan, Contributing Writer,  9/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-12505
PUBLISHED: 2020-09-30
Improper Authentication vulnerability in WAGO 750-8XX series with FW version <= FW07 allows an attacker to change some special parameters without authentication. This issue affects: WAGO 750-852 version FW07 and prior versions. WAGO 750-880/xxx-xxx version FW07 and prior versions. WAGO 750-881 ve...
CVE-2020-12506
PUBLISHED: 2020-09-30
Improper Authentication vulnerability in WAGO 750-8XX series with FW version <= FW03 allows an attacker to change the settings of the devices by sending specifically constructed requests without authentication This issue affects: WAGO 750-362 version FW03 and prior versions. WAGO 750-363 version ...
CVE-2020-4629
PUBLISHED: 2020-09-30
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a local user with specialized access to obtain sensitive information from a detailed technical error message. This information could be used in further attacks against the system. IBM X-Force ID: 185370.
CVE-2019-17098
PUBLISHED: 2020-09-30
Use of hard-coded cryptographic key vulnerability in August Connect Wi-Fi Bridge App, Connect Firmware allows an attacker to decrypt an intercepted payload containing the Wi-Fi network authentication credentials. This issue affects: August Connect Wi-Fi Bridge App version v10.11.0 and prior version...
CVE-2020-15731
PUBLISHED: 2020-09-30
An improper Input Validation vulnerability in the code handling file renaming and recovery in Bitdefender Engines allows an attacker to write an arbitrary file in a location hardcoded in a specially-crafted malicious file name. This issue affects: Bitdefender Engines versions prior to 7.85448.