A breach announced last week by a third-party vendor that manages and hosts photo processing websites for retailers has left at least five major retailers reeling in the wake of the exposure. As reported last week, Wal-Mart and CVS were the first known affected organizations, but today news has trickled in that Costco, RiteAid, and British-based Tesco are all investigating potential incidents as well.
According to PNI Digital Media, the company handles over 18 million transactions a year across 19,000 retail locations and 8,000 photo processing kiosks. While the scope of this breach is still hazy, security experts say that it is a good example of the danger posed by third-party vendors, particularly those that touch sensitive customer records.
"In the age of the mega data breach, you will be judged by the company you keep," says Adam Levin, co-founder of IDT911 and the former director of NJ Division of Consumer Affairs. "Vendors need to be vetted as rigorously as senior management, and there can be zero-tolerance for poor security protocols."
This case in particular brings to light the challenges that traditional retailers face when trying to build out digital and e-commerce services delivered through kiosks and other on-site services.
"The integration of eCommerce services and bricks and mortar retail introduces a unique challenge to security teams, particularly when the service provided is via third party which collects payment information and customer interaction," says Ken Westin, security analyst for Tripwire, explaining that ensuring the security of third-party vendors is not always possible without extensive and continuous auditing, which is frequently not practical.
"Attackers are well aware of this and spend a great deal of time not only understanding their targets’ network architecture, but also other potential channels into these networks and customer data such as through third party providers," he says.
Retailers have been hard hit by third-party lapses of late, as experts point to third-party breach connections in incidents at Goodwill, Lowe’s, Dairy Queen, Home Depot, and Target in the past few years. But this recent breach is different because the vendor might be found liable, says Igor Baikalov, chief scientist for Securonix.
"The new PCI Data Security Standard, PCI DSS 3.0, specifically calls out the risk of third-party vendors, but it only covers payment data, and businesses are still struggling to implement it," Baikalov says. "The most recent version of the PCI DSS, 3.1, that was issued on April 15, 2015, explicitly places liability for the security of the cardholder data on the service providers."