By: Kevin Lancaster
There is a storm brewing over at Facebook. I will reserve summary and comments for next week – after Zuckerberg testifies. I will say however, the simple fact is that you did not/do not need to be a data analytics firm to harvest data and profile millions (potentially billions) of Facebook users. More to come…
Two weeks in and I already sound like a broken record. The incidents of the week continue to demonstrate a concerning pattern when it comes to breach response and disclosure. Your clients had better be taking malware, phishing and injection detection and prevention seriously. This week's incidents highlight the following:
Overall time to detect and respond:
- +/- 7 months
- Financial data and PII exploit detection ranged from 2 weeks to 8+ months
Malware injection impacted at least 100,000 people via chat
- NEVER, NEVER, NEVER disclose PII or transact via CHAT… Did I say NEVER?
How to look bad – publicly
- “White hat” brings serious vulnerability to Panera's attention
- Panera acknowledges *finally*
- Waits 8 months to apply patch
- Suffers humiliating breach response fail
1. Panera Bread
Date Occurred: Vulnerability discovered August 2017
Date Disclosed: April 3, 2018
Data Compromised: Names, emails, physical addresses, birthdays and the last four digits of the customer’s credit card number. There is no evidence that full payment card information was accessed, nor that many records were accessed or retrieved.
How it was Compromised: Data Exploit/Website Vulnerability. Panera Bread on Monday said it has resolved the security flaw on its website that exposed the data.
Customers Impacted: Panera’s CIO has suggested fewer than 10,000 consumers have been potentially affected by this issue. Other reports suggest up to 37 million accounts may have been exposed.
Attribution/Vulnerability: Website vulnerability not disclosed.
Business Risk: Moderate (POS/Website Patch)
What you need to know: Put this in the categories of “What was What?” AND “Crisis Communications Stupidity”.
On one hand, you can sympathize with the Panera CIO for assuming he was being scammed by the security researcher who first reported the exploit back in August 2017. On the other hand, Panera’s security team did engage the researcher via encrypted communications and said they were working on a resolution, but appeared to have done nothing about the reported exploit on delivery.panerabread.com.
Here’s why this is bad news for Panera:
- Data was leaked for 8 months (full strings, in clear text).
- It took Panera Bread 8 months to implement a patch that took 1 hour to deploy!
- Panera is using the now industry standard phrase “no evidence of intrusion” to potentially skirt breach laws and liability.
- Panera’s “crisis communications” team made a mistake. Panera security says there is no evidence of a data leak, while its communications team said the exposure was contained to 10k people. Now the company has a PR nightmare on its hands!
2. Sears, Kmart, Delta, Best Buy
Date Occurred: September 26, 2017 – October 12, 2017
Date Disclosed: April 5, 2018
Data Compromised: This cyber incident allowed Delta customers’ payment information to be accessed. Hackers may have accessed names, addresses, credit card numbers, CVV numbers and expiration dates.
How it was Compromised: A malware injection into an online chat tool developed by [24]7.ai.
Customers Impacted: For Delta, possibly “several hundred thousand” customers. Delta states that even though only a small subset of customers would have been exposed, they cannot say definitively whether any of their customers’ information was actually accessed or subsequently compromised. The airline stressed that customers’ passport, security and frequent-flyer information had not been included in the breach.
Sears believes less than 100,000 of its customers were affected. Customers using a Sears-branded credit card were not impacted.
Best Buy estimates only a “small fraction” of its customers were affected.
Attribution/Vulnerability: Malware strain not disclosed.
Business Risk: High (Supply Chain/3rd Party Vendor Compromise, Malware, Data Exploit)
Individual Risk: Moderate (Credit/Debit Card Fraud, Consumer Identity Theft & Fraud)
What you need to know: Because of their increasing popularity and ability to facilitate the transfer of data and documents, it only makes sense for hackers to target chat developers. My personal suggestion is to NEVER disclose PII or facilitate any transaction via CHAT. Expect a surge in form-grabber malware like that used to steal passwords via web-browser injections.
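A third-party chat widget is a script your page loads from the vendor's host and runs with full access to every form on that page, which is exactly why a compromise at the vendor turns into a form grabber on your checkout. The defender-side control for that class of risk is to pin vendor scripts with Subresource Integrity (SRI) so a tampered file fails the browser's hash check and never executes. The following is an added example, not code from Delta, Sears, Panera or the chat vendor named above; the page HTML and host names in it are constructed placeholders.

```python
"""Flag third-party <script src> tags that lack Subresource Integrity (SRI),
and verify a script body against an integrity value.

Added example for this write-up; the HTML and host names below are
constructed and do not refer to any real site or vendor.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptTagCollector(HTMLParser):
    """Collect the attributes of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.scripts.append(dict(attrs))


def find_unpinned_third_party_scripts(html, first_party_host):
    """Return the src URLs of external scripts served from a host other
    than first_party_host that carry no integrity attribute.

    Each such script can read and exfiltrate whatever the user types into
    the page, so an unpinned vendor script is a supply-chain exposure.
    """
    collector = ScriptTagCollector()
    collector.feed(html)
    flagged = []
    for attrs in collector.scripts:
        src = attrs.get("src")
        if not src:
            continue  # inline script: governed by CSP, not SRI
        host = urlparse(src).hostname
        if host is None or host == first_party_host:
            continue
        if not attrs.get("integrity"):
            flagged.append(src)
    return flagged


def sri_hash(script_bytes, algorithm="sha384"):
    """Compute the integrity attribute value for a script body."""
    digest = hashlib.new(algorithm, script_bytes).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def integrity_matches(script_bytes, integrity_value):
    """True when a fetched body matches the pinned integrity value.

    Mirrors the browser's check before executing the script: a modified
    vendor file produces a different digest and is refused.
    """
    algorithm, _, _ = integrity_value.partition("-")
    return sri_hash(script_bytes, algorithm) == integrity_value


# Constructed sample page: one first-party script, one vendor chat widget
# loaded without SRI, and one vendor script that is pinned.
SAMPLE_HTML = """
<html><head>
<script src="https://shop.example/static/app.js"></script>
<script src="https://chat-vendor.example/widget.js"></script>
<script src="https://metrics.example/m.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    print(find_unpinned_third_party_scripts(SAMPLE_HTML, "shop.example"))
    original = b"window.chat = {};"          # constructed widget body
    pinned = sri_hash(original)
    print(pinned)
    print(integrity_matches(original, pinned))
    print(integrity_matches(original + b"/* injected */", pinned))
```

The caveat a practitioner will hit immediately: SRI only works when the vendor ships versioned, immutable script URLs. Widgets that silently self-update will break under a pinned hash, and a CSP host allowlist does not help here because the malicious code is served from the allowlisted vendor host itself. Where pinning is impossible, the fallback is to keep chat and other vendor scripts off pages that collect payment data or PII, which is the practical form of the "never transact via chat" advice above.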
Much like the Panera response, waiting 6 months to publicly acknowledge this incident is unacceptable. One might wonder if the timing of the announcement will shield them from the public flogging Facebook and others are taking right now. Nevertheless, as the data surfaces and is used to commit fraud, there will be some very unhappy victims.
Stand by for Facebook…next week!