Attacks/Breaches
6/1/2015
05:30 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
100%
0%

Woolworths' Self-Inflicted Breach A Clear Example Of Insider Negligence

Australian grocer sent master spreadsheet of customer information and redeemable codes for thousands of gift cards to hundreds of customers.

This weekend, an Australian grocery chain offered a textbook case study in why insider threats—even the non-malicious kind—are so important to address. Woolworths found itself in a pickle when it had to cancel over $1 million in gift cards when someone at the firm accidentally emailed an Excel spreadsheet with customer information and redeemable codes for close to 8,000 giftcards to over 1,000 customers, according to Australian-based Fairfax Media.

It's a clear reminder of how embarrassing and costly an accidental leak can be when it causes a breach.

“Woolworth reminds us that protecting yourself from human error is just as important as protecting yourself from hackers and malware," says Gord Boyce, CEO of FinalCode.

According to reports, the self-inflicted breach occurred on the heels of a Groupon sale of $100 and $200 gift cards at a small discount. When they bought the cards, customers were told they'd get an email from Woolworths that would have a PDF attachment containing an electronic voucher. Instead of the PDF, many customers were emailed a master list with information for over $1 million in vouchers.

Not only were customers' email addresses and names exposed by the breach, but the information made it possible for unauthorized people to fraudulently use others' gift cards, which ultimately caused the retailer to cancel all of them.

It's unclear yet what the ramifications will be for the grocer, but this even comes just a little over six months after the Office of the Australian Information Commissioner (OAIC) released a formalized privacy policy. The OAIC privacy commissioner released a statement today saying it would look into the breach to see if the agency will need to look into the matter.

According to the Privacy Rights Clearinghouse reported that last year more than 113 incidents involved accidental leakages, involving more than 440,000 records. Meanwhile, the most recent Verizon Data Breach Investigation Report (DBIR), 90 percent of breach cases the firm investigated had some component of employee involvement.

This jibes with a remark made by FBI veteran Frank Abagnale in April at the SailPoint Navigate conference. The inspiration for Catch Me If You Can, Abagnale says that all of the breaches he's investigated involved an employee—typically non-malicious.

“There’s no master hacker," he said. "They’re waiting for doors to open because someone didn’t do something, or they did something they shouldn’t have.”

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PeterMerkulov
50%
50%
PeterMerkulov,
User Rank: Author
6/3/2015 | 3:19:22 PM
Careless Routine is the Enemy of Security
Careless routine is the enemy of security. Incidents of this type will only increase as employees grow more used to—and blasé toward—the simple act of sharing information via email, social media and cloud applications. Either companies will enable their employees to work the way they want or the employees will continue to work around them and do it the way they know how.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Cybercrime has become a well-organized business, complete with job specialization, funding, and online customer service. Dark Reading editors speak to cybercrime experts on the evolution of the cybercrime economy and the nature of today's attackers.