April 06, 2018 // Ellen Neveux // Last Updated: November 18, 2020
If you have already moved on from the Saks Fifth Avenue and Lord & Taylor breach that broke earlier this week, affecting 5 million credit cards, don’t worry: another breach has hit other well-known corporations. This one affected more people and more of their personal information, and it all stemmed from a third party. For 15 days in 2017, personally identifiable information (PII) was exposed to, and collected by, malware that infected a chat function on several websites. The infected chat function came from a third-party chat-service provider.
We were right when we predicted that third-party breaches would be a huge part of 2018. Here we are, only four months into the year, and new breaches are overwhelming our Twitter feeds, tech blogs, and nightly news at an alarming rate.
You don’t want to be the next story on every tech blog, do you? Don’t put yourself in a position to be breached: regulate the access you give to third parties.
What happened, this time?
According to CNET, the list of affected companies includes Delta, Sears, Kmart, and BestBuy, and it may continue to grow. All of these companies had enlisted a third party, [24]7.ai, to provide the chat function on their websites. A bad actor exploited a weakness in [24]7.ai’s chat functionality and used the vendor’s privileged position on those sites to make off with sensitive consumer data.
Here’s the most alarming part: consumers didn’t even have to use the chat function to expose their data. The malware was planted within the chat function, but a chat widget is code running inside the retailer’s own page, so it was able to collect data entered elsewhere on the site. That let it capture the information customers typed in when making a purchase or paying a bill during that 15-day period in 2017.
Who was affected?
Reports so far confirm only the four companies named above. When a third-party breach like this happens, consumers lose trust in the company; they wonder why, and how, it let something like this happen. According to a recent study funded by Daymon, after a data breach 36 percent of consumers say they will shop at or use services from the affected company less frequently. More daunting still for a company that goes through a breach, 12 percent say they will stop shopping at or using that company completely.
A data breach hurts far more than the people whose PII is exposed; in the long run, it seriously damages a brand’s image. Not only do 12 percent of people stop using the brand after an incident, but 85 percent of the consumers whose data is exposed tell other people about their negative experience. All things considered, your company cannot afford a data breach.
Delta has been relatively transparent about the breach. According to CNET, Delta estimates that hundreds of thousands of its customers’ records could be compromised if those customers entered their information on Delta’s website during those 15 days of 2017. Delta said the information could have been entered when paying a bill or purchasing a flight.
Sears Holdings, which owns both Sears and Kmart, seemed unconcerned about the third-party weakness that led to the breach. The Verge reported that Sears estimated that “less than 100,000 of our customers’ credit card information” was impacted, and that Sears-branded credit cards were not affected. Even if the number was under 100,000 customers, it is still too many. If even one customer’s data is breached this way, the access you have granted to a third party should be at the front of your mind.
During the same 15-day period, the malware in BestBuy’s chat function collected and stored customers’ credit card information once a transaction was completed. According to CNET, since going public with the breach BestBuy has offered free credit monitoring to potentially affected customers and has assured them that they will not be liable for fraudulent transactions that result from it. However, had BestBuy worked proactively on securing third-party remote access, it would not be one of the four companies in this situation.
The full implications of exposure through this vendor’s access have yet to be discovered, so this may be only the tip of the iceberg.
So, what can be done?
Remember the Target breach? Why wasn’t that the end-all, be-all? Every breach since Target seems to be an expensive lesson that businesses are incapable of learning until it is too late. The breaches since then are too numerous to list. Let this be a big reality check: breaches are here to stay.
Many of the affected companies, and the third-party vendor itself, continue to downplay this breach. Don’t be made a fool of. Trustwave has reported that a stunning 63 percent of all data breaches can be attributed to third-party vendors. So, what can be done?
Insist on properly and proactively protecting data; it is the only way to move away from data breaches. When consumers have plenty of choices, reputation is everything, and picking the right secure remote access platform is a step in the right direction for protecting yours. The right software lets you define the attack surface a vendor can reach, put a security plan around that access, and audit what third-party users actually do. The right platform matters just as much for a vendor’s reputation with its clients: advantages include reduced liability, ease of use, fast deployment, and compliance.
Are you confident in how you are protecting yourself and your clients—or will you be next?
Our sole focus is secure third-party remote access. For highly regulated enterprise organizations, SecureLink Enterprise has pioneered a secure remote access platform that lets an organization identify, control, and audit its third-party vendors. For vendors, SecureLink is the gold-standard remote access support platform because it is easy and efficient, ensures compliance, and reduces liability when supporting customers.