
App Security Insights

High Profile Security Breaches: eCommerce Industry

Dec 6, 2017 11:03:27 AM / by AppSolid Team


A hack can take a business at its peak and drive it into the ground. High profile security breaches target multinational conglomerates and large national corporations, since those businesses are the ones most likely to have something of value to steal. But don’t be fooled: every business, every app, and every developer is a potential target. For every high profile security breach you hear about, there are thousands more you don’t.

Hacking is a crime of opportunity. The easier the target, the more likely it is to be hacked. This means that the more layers of security you can add, the less likely you are to become a target. Unfortunately, smaller enterprises often lack the resources to secure their apps. They absolutely lack the resources to deal with a breach, which can easily cost tens of millions of dollars. The average data breach costs $172 per breached record. With thousands or even millions of records on the line with each breach, it becomes clear how easy it is for criminals to bankrupt even large businesses.

So what’s the solution? Partnering with a security company you can trust. You don’t have to spend thousands on an in-house security team, or waste time and development effort continually fortifying your products. Let AppSolid do it for you.

Consider what happened to these major ecommerce sites as a lesson in the value of caution.

eBay


In 2014, ecommerce giant eBay asked all users to change their passwords following a massive attack. The attack targeted a corporate network that housed user passwords, giving access to data on nearly 150 million users.

eBay insisted that no user financial information was compromised. Its payment processor, PayPal, was unaffected by the attack. Yet this doesn’t mean consumers’ financial accounts were safe. When consumers reuse the same password together with the same username or email address across several accounts, it’s easy for hackers to use that information to access credit card and bank accounts, or to otherwise gain access to sensitive consumer data.

The ecommerce site eventually faced a class action lawsuit over the breach. A judge threw the lawsuit out, ruling that consumers could not prove they were tangibly injured by the breach. But as with most suits, eBay still had to pick up the tab for its own massive legal fees. The mere threat of a large class action can bankrupt smaller enterprises. So business owners, take note: even if you ultimately prevail in court, a lawsuit about compromised user data can harm your reputation and deplete your bank account.

Rite Aid

When hackers breached Rite Aid’s ecommerce platform, millions of consumer records were put at risk, raising concerns about private medical data and credit cards. An initial probe found that hackers were able to access consumer credit card and personal data. Worse still, the breach went undetected for 10 weeks in 2017, during which criminals could access the data of any consumer who manually entered it into the site.

The news sparked outrage because of Rite Aid’s long history of security issues. In 2015, the retailer’s pharmacy was fined $1 million for failing to properly protect consumer information and properly dispose of data. And in 2014, its third-party payment partner, which managed its photo site, was left improperly secured for nearly a year.

CEX

CEX, a secondhand games and electronics store, announced in 2017 that about 2 million customer records had been compromised. The attackers accessed customer data from WeBuy.com, including credit card information, addresses, and other key data. CEX said that the breach reached stored data dating back to 2009, and reassured its customers that any credit cards from that time would have expired. Yet this still left other customer data up for grabs, and it remains unclear whether the stolen data was truly limited to 2009.

CEX says it no longer stores sensitive user data, pointing to an underlying security hole many companies face. Not all data must be stored. When it is, it must be protected.

Sears/Kmart


Sears, the parent company of brick-and-mortar and ecommerce giant Kmart, has been repeatedly hit by data breaches. It was one of the earliest victims in 1984, when a stolen password breached the financial records of millions of customers. More recently, Sears and Kmart have been the target of several high-profile attacks.

In 2014, Kmart was hit with a significant data breach. It promised to enact better security protocols, but less than three years later, Sears-Kmart was a victim again.

This attack infected payment systems with malicious code that the company’s anti-virus software failed to detect. Attackers may have created counterfeit cards from the information they obtained. Although the retailer says no personally identifiable information was released, hackers did get access to consumer credit and debit card numbers.

Sabre Hospitality Solutions

Sabre Hospitality provides hotel reservation support to more than 36,000 worldwide properties. In 2017, it announced that an attack on its online reservation system had affected a diverse range of hotels, such as Four Seasons and Trump Hotels.

The breach began in August 2016 and lasted more than six months. A subset of the company’s online booking system allowed hackers to access unencrypted consumer credit card and other data. The full scope of the breach remains uncertain, but one thing is clear: unencrypted data is a recipe for disaster for consumers and ecommerce leaders alike.

Morrison’s Supermarket

Hacks don’t always target consumer data. The information you maintain about your employees, your business, or your apps is also highly valuable. The 2014 Morrison’s Supermarket attack neatly demonstrates this fact. Morrison’s is a popular grocery store chain that has moved much of its commerce online.

According to reports, a breach of the British grocer’s payroll records exposed as many as 100,000 employees’ personal data. The exposed data included names, addresses, and bank account information, enough to steal a person’s identity, access their money, and more. Initially, analysts thought the attack originated in the retailer’s online store. It turns out that the real culprit wasn’t an outside hacker at all.

The culprit was a disgruntled former employee, who used his access as an IT auditor to target the company. The retailer is still fighting a lawsuit by employees, and has garnered significant negative publicity over its handling of the hack and of the lawsuit.

There’s an important lesson here: the worst attacks often come from within. Staff have the most access and the most knowledge, which means they may be able to compromise important data and go unnoticed for months. Change access codes when employees leave, and give employees only the information and access they need to do their jobs. And be proactive: maintain an environment that minimizes the risk of creating disgruntled employees.

The Largest Ecommerce Hack Ever

You might never have heard of the largest ecommerce hack to date because it didn’t target a single business. Instead, over the course of eight years, Russian criminals skimmed money from myriad American businesses.

The hack stole money from customers of JCPenney, JetBlue, and Nasdaq. It was the brainchild of a skilled team: one member hacked into networks, and another mined those networks for data. The operation began by disabling anti-virus software and hiding the stolen data across multiple platforms. Prosecutors called it one of the most sophisticated hacks they had ever seen. It’s also the largest federal hacking case ever prosecuted.

PayPal


PayPal has long been known for its tight security measures. Even when its partner eBay was hacked, PayPal remained safe. But in 2014, a breach at PayPal revealed weaknesses in its two-factor authentication. Two-factor authentication has long been the gold standard in security, particularly for mobile devices.

Security tests revealed that hackers could trick PayPal’s two-factor authentication into bypassing the second step. PayPal responded immediately by blocking users who relied on two-factor authentication from signing into their mobile accounts. The move earned PayPal acclaim for its attempts to protect consumer data, and there was never evidence that any consumers suffered due to the theoretical breach.

A handful of small hacks have used phishing and other social engineering schemes to target PayPal, but there has never been a massive successful hack of the web’s leading ecommerce partner. This suggests that with enough security measures in place, it’s possible to avoid the scandal and financial stress of a hack.

Who is Next?

The common theme we see time and again with major ecommerce breaches is that they were predictable. There was a credible threat in the form of a disgruntled employee, or a security hole that could easily have been fixed. So why does this keep happening?

No one wants to believe it could happen to them. Whether they’re a small-time app developer or a giant retailer, they see security breaches as a foreign experience that affects only other people. Overcoming this psychological barrier is the first step to well-secured apps and ecommerce platforms.

Security breaches cost businesses dearly. They destroy reputations. They deplete bank accounts thanks to fines, lawsuits, and legal expenses. They can destroy consumers’ lives. While businesses are reluctant to enact sound security because of time and budget constraints, the cost of a breach can be bankruptcy.

You’re already a target, whether you know it or not. Don’t let luck be the only thing protecting you from a breach. With AppSolid’s industry-leading protection, security can be both affordable and virtually impenetrable.


Topics: Cyber Breach, Security Threats, Security Breach

Written by AppSolid Team