Woolworths' Self-Inflicted Breach A Clear Example Of Insider NegligenceAustralian grocer sent master spreadsheet of customer information and redeemable codes for thousands of gift cards to hundreds of customers.
This weekend, an Australian grocery chain offered a textbook case study in why insider threats—even the non-malicious kind—are so important to address. Woolworths found itself in a pickle when it had to cancel over $1 million in gift cards when someone at the firm accidentally emailed an Excel spreadsheet with customer information and redeemable codes for close to 8,000 giftcards to over 1,000 customers, according to Australian-based Fairfax Media.
It's a clear reminder of how embarrassing and costly an accidental leak can be when it causes a breach.
“Woolworth reminds us that protecting yourself from human error is just as important as protecting yourself from hackers and malware," says Gord Boyce, CEO of FinalCode.
According to reports, the self-inflicted breach occurred on the heels of a Groupon sale of $100 and $200 gift cards at a small discount. When they bought the cards, customers were told they'd get an email from Woolworths that would have a PDF attachment containing an electronic voucher. Instead of the PDF, many customers were emailed a master list with information for over $1 million in vouchers.
Not only were customers' email addresses and names exposed by the breach, but the information made it possible for unauthorized people to fraudulently use others' gift cards, which ultimately caused the retailer to cancel all of them.
According to the Privacy Rights Clearinghouse reported that last year more than 113 incidents involved accidental leakages, involving more than 440,000 records. Meanwhile, the most recent Verizon Data Breach Investigation Report (DBIR), 90 percent of breach cases the firm investigated had some component of employee involvement.
This jibes with a remark made by FBI veteran Frank Abagnale in April at the SailPoint Navigate conference. The inspiration for Catch Me If You Can, Abagnale says that all of the breaches he's investigated involved an employee—typically non-malicious.
“There’s no master hacker," he said. "They’re waiting for doors to open because someone didn’t do something, or they did something they shouldn’t have.”
Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading. View Full Bio