Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security //

Data Leakage

4/5/2018
11:05 AM
Dawn Kawamoto
Dawn Kawamoto
Dawn Kawamoto
50%
50%

Massive Data Breaches & Data Leak Hit Retail Industry in 1-2-3 Punch

Panera Bread, Hudson Bay and Under Armour all took it on the chin within the last two weeks, falling prey to a round of cyber attacks that have hit the retail industry hard.

In the course of two weeks, the retail industry has been pummeled with two massive data breaches and a high-profile data leak, contributing to the uneasiness consumers already feel when it comes to retailers and their ability to safeguard their information.

Security researchers on April 3 disclosed a massive data leak at Panera Bread, which is believed to have affected more than 37 million customer records by exposing customer names, email addresses, physical addresses, birthdays and the last four digits of customers' credit card numbers, reports Krebs on Security.

That disclosure came eight months after Panera Bread had been informed of the leak by security researcher Dylan Houlihan but did not develop a fix until the information was publicly disclosed, according to Krebs.

And on April 1, Hudson Bay Company, the parent company of Saks Fifth Avenue and Lord & Taylor, issued a statement that it had suffered a massive data breach, which affected approximately 5 million credit card numbers, although that number could rise.

But the biggest attack to date this year is Under Armour's mega-massive breach of 150 million users for its MyFitnessPal app. The fitness clothing retailer, which made the disclosure two weeks ago, not only topped the breach charts this year for the retail industry but all industries.

Retail ranks second in industry attacks
The retail and accommodations industries combined ranked No. 2 in breaches, representing 15% of the 1,935 breaches last year, according to Verizon's 2017 Data Breach Investigations Report.

Ninety-six percent of cyber attacks in the retail industry are driven by threat actors looking for financial gain, with 57% of the data compromised falling into the payments category, according to the report.

"Payment information is the first target they go after in retail. Payment card information is very liquid and easy to sell on the Dark Web. Private data is not as valuable as credit card and payment card data," Andrei Barysevich, advisor to Gemini Advisory told Security Now.

Panera's data leak, for example, while massive, offers very little direct value for cybercriminals, Barysevich said. In order to make the data valuable, an attacker would have to use the gleaned Panera Bread data as a tool for social engineering or a phishing attack, which in turn would then potentially yield a payday for the attacker, he explained.

Not only does the retail industry tend to have a treasure trove of credit card and payment data, but Barysevich adds the industry tends to be less IT security savvy than other industries, such as the finance industry, and as a result has a tougher time detecting and fending off attacks.

"Finance companies have more experience defending against attacks and have been doing it longer than the retail industry," Barysevich said. "Retailers also tend to spend less money on security unless they have a breach."

Daniel Miessler, client advisory services director at IOActive, told Security Now that he has found that many companies tend to spend their time and resources defending themselves against auditors rather than attackers.


The fundamentals of network security are being redefined -- don't get left in the dark by a DDoS attack! Join us in Austin from May 14-16 at the fifth annual Big Communications Event. There's still time to register and communications service providers get in free!

"They end up vulnerable to the latter because of it," Miessler said.

The common thread that binds
The common thread that ties together mass data breaches, and the list runs the gamut of targeted industries, is the centralization of large quantities of sensitive data used for account access or payments, George Avetisov, CEO of HYPR, told Security Now.

"When there's a large central repository of data that malicious third parties can sell, buy and reuse, it's not a matter of if the data will be hacked, it's a matter of when," he said.

Large service providers can abandon the risky practice of holding vast amounts of data and decentralize credentials, such as biometrics, PINs, passwords and bankcards, Avetisov advises. He noted decentralized authentication may keep sensitive data safely encrypted and isolated on the end user's mobile device.

"This removes the target and forces hackers to move from a wholesale fraud model to a markedly unsaleable retail one, whereby he or she must go from device to device in the hopes of possibly obtaining one set of credentials," Avetisov added. "The best prevention is to remove the target that is hit time and again."

Related posts:

— Dawn Kawamoto is an award-winning technology and business journalist, whose work has appeared in CNET's News.com, Dark Reading, TheStreet.com, AOL's DailyFinance, and The Motley Fool.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
'BootHole' Vulnerability Exposes Secure Boot Devices to Attack
Kelly Sheridan, Staff Editor, Dark Reading,  7/29/2020
Average Cost of a Data Breach: $3.86 Million
Jai Vijayan, Contributing Writer,  7/29/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-18112
PUBLISHED: 2020-08-05
Affected versions of Atlassian Fisheye allow remote attackers to view the HTTP password of a repository via an Information Disclosure vulnerability in the logging feature. The affected versions are before version 4.8.3.
CVE-2020-15109
PUBLISHED: 2020-08-04
In solidus before versions 2.8.6, 2.9.6, and 2.10.2, there is an bility to change order address without triggering address validations. This vulnerability allows a malicious customer to craft request data with parameters that allow changing the address of the current order without changing the shipm...
CVE-2020-16847
PUBLISHED: 2020-08-04
Extreme Analytics in Extreme Management Center before 8.5.0.169 allows unauthenticated reflected XSS via a parameter in a GET request, aka CFD-4887.
CVE-2020-15135
PUBLISHED: 2020-08-04
save-server (npm package) before version 1.05 is affected by a CSRF vulnerability, as there is no CSRF mitigation (Tokens etc.). The fix introduced in version version 1.05 unintentionally breaks uploading so version v1.0.7 is the fixed version. This is patched by implementing Double submit. The CSRF...
CVE-2020-13522
PUBLISHED: 2020-08-04
An exploitable arbitrary file delete vulnerability exists in SoftPerfect RAM Disk 4.1 spvve.sys driver. A specially crafted I/O request packet (IRP) can allow an unprivileged user to delete any file on the filesystem. An attacker can send a malicious IRP to trigger this vulnerability.