Risk

7/20/2015
06:00 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Photo Processing Vendor Exposes CVS, Wal-Mart, Costco

Retail breaches highlight third-party risk -- again.

A breach announced last week by a third-party vendor that manages and hosts photo processing websites for retailers has left at least five major retailers reeling in the wake of the exposure. As reported last week, Wal-Mart and CVS were the first known affected organizations, but today news has trickled in that Costco, RiteAid, and British-based Tesco are all investigating potential incidents as well.

According to PNI Digital Media, the company handles over 18 million transactions a year across 19,000 retail locations and 8,000 photo processing kiosks. While the scope of this breach is still hazy, security experts say that it is a good example of the danger posed by third-party vendors, particularly those that touch sensitive customer records.

"In the age of the mega data breach, you will be judged by the company you keep," says Adam Levin, co-founder of IDT911 and the former director of NJ Division of Consumer Affairs. "Vendors need to be vetted as rigorously as senior management, and there can be zero-tolerance for poor security protocols."

This case in particular brings to light the challenges that traditional retailers face when trying to build out digital and e-commerce services delivered through kiosks and other on-site services.

"The integration of eCommerce services and bricks and mortar retail introduces a unique challenge to security teams, particularly when the service provided is via third party which collects payment information and customer interaction," says Ken Westin, security analyst for Tripwire, explaining that ensuring the security of third-party vendors is not always possible without extensive and continuous auditing, which is frequently not practical.

"Attackers are well aware of this and spend a great deal of time not only understanding their targets’ network architecture, but also other potential channels into these networks and customer data such as through third party providers," he says.

Retailers have been hard hit by third-party lapses of late, as experts point to third-party breach connections in incidents at Goodwill, Lowe’s, Dairy Queen, Home Depot, and Target in the past few years. But this recent breach is different because the vendor might be found liable, says Igor Baikalov, chief scientist for Securonix.

"The new PCI Data Security Standard, PCI DSS 3.0, specifically calls out the risk of third-party vendors, but it only covers payment data, and businesses are still struggling to implement it," Baikalov says. "The most recent version of the PCI DSS, 3.1, that was issued on April 15, 2015, explicitly places liability for the security of the cardholder data on the service providers."

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Why We Need a 'Cleaner Internet'
Darren Anstee, Chief Technology Officer at Arbor Networks,  4/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11506
PUBLISHED: 2019-04-24
In GraphicsMagick from version 1.3.30 to 1.4 snapshot-20190403 Q8, there is a heap-based buffer overflow in the function WriteMATLABImage of coders/mat.c, which allows an attacker to cause a denial of service or possibly have unspecified other impact via a crafted image file. This is related to Expo...
CVE-2019-8991
PUBLISHED: 2019-04-24
The administrator web interface of TIBCO Software Inc.'s TIBCO ActiveMatrix BPM, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric, TIBCO ActiveMatrix Policy Director, TIBCO ActiveMatrix Service Bus, TIBCO ActiveMatrix Service Grid, TIBCO Silver Fabric Enabler for ActiveMatrix BPM, and TIB...
CVE-2019-8992
PUBLISHED: 2019-04-24
The administrative server component of TIBCO Software Inc.'s TIBCO ActiveMatrix BPM, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric, TIBCO ActiveMatrix Policy Director, TIBCO ActiveMatrix Service Bus, TIBCO ActiveMatrix Service Grid, TIBCO ActiveMatrix Service Grid Distribution for TIBC...
CVE-2019-8993
PUBLISHED: 2019-04-24
The administrative web server component of TIBCO Software Inc.'s TIBCO ActiveMatrix BPM, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric, TIBCO ActiveMatrix Policy Director, TIBCO ActiveMatrix Service Bus, TIBCO ActiveMatrix Service Grid, TIBCO ActiveMatrix Service Grid Distribution for ...
CVE-2019-8994
PUBLISHED: 2019-04-24
The workspace client of TIBCO Software Inc.'s TIBCO ActiveMatrix BPM, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric, and TIBCO Silver Fabric Enabler for ActiveMatrix BPM contains vulnerabilities where an authenticated user can change settings that can theoretically adversely impact oth...