Woolworths' Self-Inflicted Breach A Clear Example Of Insider NegligenceWoolworths' Self-Inflicted Breach A Clear Example Of Insider Negligence
Australian grocer sent master spreadsheet of customer information and redeemable codes for thousands of gift cards to hundreds of customers.
June 1, 2015
This weekend, an Australian grocery chain offered a textbook case study in why insider threats—even the non-malicious kind—are so important to address. Woolworths found itself in a pickle when it had to cancel over $1 million in gift cards when someone at the firm accidentally emailed an Excel spreadsheet with customer information and redeemable codes for close to 8,000 giftcards to over 1,000 customers, according to Australian-based Fairfax Media.
It's a clear reminder of how embarrassing and costly an accidental leak can be when it causes a breach.
“Woolworth reminds us that protecting yourself from human error is just as important as protecting yourself from hackers and malware," says Gord Boyce, CEO of FinalCode.
According to reports, the self-inflicted breach occurred on the heels of a Groupon sale of $100 and $200 gift cards at a small discount. When they bought the cards, customers were told they'd get an email from Woolworths that would have a PDF attachment containing an electronic voucher. Instead of the PDF, many customers were emailed a master list with information for over $1 million in vouchers.
Not only were customers' email addresses and names exposed by the breach, but the information made it possible for unauthorized people to fraudulently use others' gift cards, which ultimately caused the retailer to cancel all of them.
According to the Privacy Rights Clearinghouse reported that last year more than 113 incidents involved accidental leakages, involving more than 440,000 records. Meanwhile, the most recent Verizon Data Breach Investigation Report (DBIR), 90 percent of breach cases the firm investigated had some component of employee involvement.
This jibes with a remark made by FBI veteran Frank Abagnale in April at the SailPoint Navigate conference. The inspiration for Catch Me If You Can, Abagnale says that all of the breaches he's investigated involved an employee—typically non-malicious.
“There’s no master hacker," he said. "They’re waiting for doors to open because someone didn’t do something, or they did something they shouldn’t have.”
About the Author(s)
Hacking Your Digital Identity: How Cybercriminals Can and Will Get Around Your Authentication MethodsOct 26, 2023
Modern Supply Chain Security: Integrated, Interconnected, and Context-DrivenNov 06, 2023
How to Combat the Latest Cloud Security ThreatsNov 06, 2023
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023
9 Traits You Need to Succeed as a Cybersecurity Leader
The Ultimate Guide to the CISSP
Gone Phishing: How to Defend Against Persistent Phishing Attempts Targeting Your Organization
The Evolving Ransomware Threat: What Business Leaders Should Know About Data Leakage
The Rise of Extended Detection & Response