Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security //

Data Leakage

4/5/2018
11:05 AM
Dawn Kawamoto
Dawn Kawamoto
Dawn Kawamoto
50%
50%

Massive Data Breaches & Data Leak Hit Retail Industry in 1-2-3 Punch

Panera Bread, Hudson Bay and Under Armour all took it on the chin within the last two weeks, falling prey to a round of cyber attacks that have hit the retail industry hard.

In the course of two weeks, the retail industry has been pummeled with two massive data breaches and a high-profile data leak, contributing to the uneasiness consumers already feel when it comes to retailers and their ability to safeguard their information.

Security researchers on April 3 disclosed a massive data leak at Panera Bread, which is believed to have affected more than 37 million customer records by exposing customer names, email addresses, physical addresses, birthdays and the last four digits of customers' credit card numbers, reports Krebs on Security.

That disclosure came eight months after Panera Bread had been informed of the leak by security researcher Dylan Houlihan but did not develop a fix until the information was publicly disclosed, according to Krebs.

And on April 1, Hudson Bay Company, the parent company of Saks Fifth Avenue and Lord & Taylor, issued a statement that it had suffered a massive data breach, which affected approximately 5 million credit card numbers, although that number could rise.

But the biggest attack to date this year is Under Armour's mega-massive breach of 150 million users for its MyFitnessPal app. The fitness clothing retailer, which made the disclosure two weeks ago, not only topped the breach charts this year for the retail industry but all industries.

Retail ranks second in industry attacks
The retail and accommodations industries combined ranked No. 2 in breaches, representing 15% of the 1,935 breaches last year, according to Verizon's 2017 Data Breach Investigations Report.

Ninety-six percent of cyber attacks in the retail industry are driven by threat actors looking for financial gain, with 57% of the data compromised falling into the payments category, according to the report.

"Payment information is the first target they go after in retail. Payment card information is very liquid and easy to sell on the Dark Web. Private data is not as valuable as credit card and payment card data," Andrei Barysevich, advisor to Gemini Advisory told Security Now.

Panera's data leak, for example, while massive, offers very little direct value for cybercriminals, Barysevich said. In order to make the data valuable, an attacker would have to use the gleaned Panera Bread data as a tool for social engineering or a phishing attack, which in turn would then potentially yield a payday for the attacker, he explained.

Not only does the retail industry tend to have a treasure trove of credit card and payment data, but Barysevich adds the industry tends to be less IT security savvy than other industries, such as the finance industry, and as a result has a tougher time detecting and fending off attacks.

"Finance companies have more experience defending against attacks and have been doing it longer than the retail industry," Barysevich said. "Retailers also tend to spend less money on security unless they have a breach."

Daniel Miessler, client advisory services director at IOActive, told Security Now that he has found that many companies tend to spend their time and resources defending themselves against auditors rather than attackers.


The fundamentals of network security are being redefined -- don't get left in the dark by a DDoS attack! Join us in Austin from May 14-16 at the fifth annual Big Communications Event. There's still time to register and communications service providers get in free!

"They end up vulnerable to the latter because of it," Miessler said.

The common thread that binds
The common thread that ties together mass data breaches, and the list runs the gamut of targeted industries, is the centralization of large quantities of sensitive data used for account access or payments, George Avetisov, CEO of HYPR, told Security Now.

"When there's a large central repository of data that malicious third parties can sell, buy and reuse, it's not a matter of if the data will be hacked, it's a matter of when," he said.

Large service providers can abandon the risky practice of holding vast amounts of data and decentralize credentials, such as biometrics, PINs, passwords and bankcards, Avetisov advises. He noted decentralized authentication may keep sensitive data safely encrypted and isolated on the end user's mobile device.

"This removes the target and forces hackers to move from a wholesale fraud model to a markedly unsaleable retail one, whereby he or she must go from device to device in the hopes of possibly obtaining one set of credentials," Avetisov added. "The best prevention is to remove the target that is hit time and again."

Related posts:

— Dawn Kawamoto is an award-winning technology and business journalist, whose work has appeared in CNET's News.com, Dark Reading, TheStreet.com, AOL's DailyFinance, and The Motley Fool.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7029
PUBLISHED: 2020-08-11
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the System Management Interface Web component of Avaya Aura Communication Manager and Avaya Aura Messaging. This vulnerability could allow an unauthenticated remote attacker to perform Web administration actions with the privileged ...
CVE-2020-17489
PUBLISHED: 2020-08-11
An issue was discovered in certain configurations of GNOME gnome-shell through 3.36.4. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible f...
CVE-2020-17495
PUBLISHED: 2020-08-11
django-celery-results through 1.2.1 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information that does not belong unencrypted in the database.
CVE-2020-0260
PUBLISHED: 2020-08-11
There is a possible out of bounds read due to an incorrect bounds check.Product: AndroidVersions: Android SoCAndroid ID: A-152225183
CVE-2020-16170
PUBLISHED: 2020-08-11
The Temi application 1.3.3 through 1.3.7931 for Android has hard-coded credentials.