Attacks/Breaches
6/1/2015
05:30 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
100%
0%

Woolworths' Self-Inflicted Breach A Clear Example Of Insider Negligence

Australian grocer sent master spreadsheet of customer information and redeemable codes for thousands of gift cards to hundreds of customers.

This weekend, an Australian grocery chain offered a textbook case study in why insider threats—even the non-malicious kind—are so important to address. Woolworths found itself in a pickle when it had to cancel over $1 million in gift cards when someone at the firm accidentally emailed an Excel spreadsheet with customer information and redeemable codes for close to 8,000 giftcards to over 1,000 customers, according to Australian-based Fairfax Media.

It's a clear reminder of how embarrassing and costly an accidental leak can be when it causes a breach.

“Woolworth reminds us that protecting yourself from human error is just as important as protecting yourself from hackers and malware," says Gord Boyce, CEO of FinalCode.

According to reports, the self-inflicted breach occurred on the heels of a Groupon sale of $100 and $200 gift cards at a small discount. When they bought the cards, customers were told they'd get an email from Woolworths that would have a PDF attachment containing an electronic voucher. Instead of the PDF, many customers were emailed a master list with information for over $1 million in vouchers.

Not only were customers' email addresses and names exposed by the breach, but the information made it possible for unauthorized people to fraudulently use others' gift cards, which ultimately caused the retailer to cancel all of them.

It's unclear yet what the ramifications will be for the grocer, but this even comes just a little over six months after the Office of the Australian Information Commissioner (OAIC) released a formalized privacy policy. The OAIC privacy commissioner released a statement today saying it would look into the breach to see if the agency will need to look into the matter.

According to the Privacy Rights Clearinghouse reported that last year more than 113 incidents involved accidental leakages, involving more than 440,000 records. Meanwhile, the most recent Verizon Data Breach Investigation Report (DBIR), 90 percent of breach cases the firm investigated had some component of employee involvement.

This jibes with a remark made by FBI veteran Frank Abagnale in April at the SailPoint Navigate conference. The inspiration for Catch Me If You Can, Abagnale says that all of the breaches he's investigated involved an employee—typically non-malicious.

“There’s no master hacker," he said. "They’re waiting for doors to open because someone didn’t do something, or they did something they shouldn’t have.”

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PeterMerkulov
50%
50%
PeterMerkulov,
User Rank: Author
6/3/2015 | 3:19:22 PM
Careless Routine is the Enemy of Security
Careless routine is the enemy of security. Incidents of this type will only increase as employees grow more used to—and blasé toward—the simple act of sharing information via email, social media and cloud applications. Either companies will enable their employees to work the way they want or the employees will continue to work around them and do it the way they know how.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: You are infected!  @malwareunicorn to the rescue...  
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.