Over the past few years, attacks on and breaches of organizations’ networks have been highly publicized. Attacks are becoming more common and customer data is being stolen at alarming rates. Recently, a number of high-profile retailers had breaches that resulted in the loss of millions of customers’ personal information, including credit card details. In this age of digital commerce, the theft of personal information can have a severe impact on the victim.
The recent breaches of retailers’ systems are coming from multiple fronts. In some cases, the breach is the result of lax security rules; in others, it may come from an external source, such as a vendor, being used as a conduit into the retailer’s system. Because of the various possibilities for attacks, retailers must have a detailed risk assessment plan in place to identify all possible threats. These risk management plans will need to be constantly monitored and adapted. Complacency with regard to risk management leaves organizations vulnerable to newer and more advanced threats.
Attacks and Breaches
There have been a number of security breaches of retailers’ systems that have resulted in the loss of customer data, but the most widely publicized instance in the past year was the Target stores data breach. This attack occurred at the beginning of the holiday shopping season in November of 2013. In total, up to 110 million customers may have had their credit and debit card information stolen between November 27 and December 15th (Krebs, 2013). The size of this theft is staggering, and the methods used in the theft reveal a gap that may be waiting to be exploited at other organizations.
The Target data breach was not a direct attack on the systems of the retailer. The hacker responsible for the breach gained access to the customer data by way of one of Target’s suppliers. Fazio Mechanical Services is a supplier of refrigeration and ventilation systems for the retailer. The hacker utilized this vendor’s credentials to access Target’s portals for supplier project management and its external billing system. Krebs’s investigation into the Target breach discovered that the credentials utilized for these systems were most likely Active Directory credentials, which means these systems had some form of access to other parts of the company’s network. Having gained access via these credentials, and with some knowledge of the company’s systems, the hacker was able to release malware into the systems that led to the data theft.
April 2011 saw another high-profile company experience a theft of customer data due to a data security breach. Sony, Inc. shut down its Sony PlayStation Network for nearly a month due to the breach. Whereas Target was forthcoming about the loss of consumer data, Sony did not immediately announce the scope of the breach. Following a week of the service being offline, Sony posted an alert stating customer data had been compromised. This data included names, addresses,...