Case One

One of the more notable, though by no means the largest, breaches of recent years.

A market leader in the retail sector suffered a large security breach in 2013. The company's security and payment systems were breached, giving the attackers access to 40 million credit and debit card numbers along with 70 million records of personal information such as names, addresses and phone numbers.

Despite receiving prior warnings and failing to act on them, the retailer was finally made aware of the situation by the Department of Justice, which informed it that the retailer's systems were under attack.

So how did this happen?

Malware was installed by the attackers on the retailer's security and payment systems in November. The attackers had originally gained access to the retailer's network using credentials stolen from its HVAC provider. The network connection between the HVAC company and the retailer was initially suspected to be the point of entry; on further inspection, the credentials themselves had been gathered through a phishing attack on one of the HVAC contractor's employees, who received the email and inadvertently clicked on its malicious content.

The retailer was, or so it seemed, a well-protected organisation. It had installed malware detection software from a well-established, well-respected company, which monitored the retailer's network 24/7. This company made the first report of suspicious activity on the retailer's network to the retailer's security team, but the report went unacted upon.

At the end of November further malware was installed to exfiltrate the data, moving it first to servers within the same country and then on to a different country, where the attackers collected it. This again prompted the external monitoring team to warn that something was very wrong, and again they notified the retailer's internal security team. For reasons that remain unknown, the retailer's security staff again failed to act on the information, allowing the exfiltration to proceed and sensitive customer information to be compromised.


What can we learn from this?

First of all, who was to blame? The blame can be passed around like a hot potato. The HVAC employee fell for a phishing scam, which without training is entirely understandable. As for the retailer's security team: although from the outside the organisation looked well protected, if you don't act on security alerts and don't have proper monitoring policies in place, many alerts will be overlooked as false positives. What we can see from this is that no matter how well protected you think you are, security holes can be found, which is why penetration testing, at a minimum annually, is a vital part of your security posture.

It's clear that the weakest point in an organisation's security will always be human: bad passwords, weak policies, misconfigured systems and falling for phishing from malicious outsiders. It is vital that all employees understand the security policies and are trained to protect the company. Last but by no means least, policies and procedures for handling security alerts need to be properly adhered to, with consequences in place for non-adherence, so that alerts are not missed or ignored. All of this comes down to your security framework, policies and procedures. Use a robust security framework and audit it regularly to ensure it is keeping you and your information safe.


Case Two

In recent history a large payment processing company was thrust into the limelight when it became the victim of a large data security breach. The true extent of the data loss has never been established, but the figure may exceed 10 million cardholders' details.

The malware that was used stole and stored the data, and was active on the systems for four months at a time.

From this case we can see that simply being compliant with regulations such as PCI DSS was not enough; compliance can only take an organisation so far.

The initial entry was a SQL injection attack on the organisation's website. The company was alerted to this and took measures to eradicate the malware.
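To make the entry vector concrete, the following is an added example and not code from the breached company or from this page: a web login query built by string concatenation, beside the parameterised version that defeats the same input. The table, rows, function names and the `' OR '1'='1` payload are all constructed for illustration and assume an SQLite backend; the point is that the vulnerable query returns every account to an attacker who knows no password at all, while the fixed query returns nothing.

```python
import sqlite3


def build_db():
    # Constructed sample data (not from the page): a tiny accounts table
    # standing in for the kind of data the processor's website fronted.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (username TEXT, password TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("alice", "s3cret", "1234"), ("bob", "hunter2", "5678")],
    )
    return conn


def login_vulnerable(conn, username, password):
    # Hypothetical vulnerable login: user input is spliced into the SQL text,
    # so quotes in the input change the structure of the query itself.
    query = (
        "SELECT username, card_last4 FROM accounts "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def login_parameterized(conn, username, password):
    # Hardened form: the SQL text is fixed and the driver binds the input as
    # data, so the same payload is compared literally and matches nothing.
    query = (
        "SELECT username, card_last4 FROM accounts "
        "WHERE username = ? AND password = ?"
    )
    return conn.execute(query, (username, password)).fetchall()


def demo():
    # Classic tautology payload; in the concatenated query it becomes
    # ... WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'
    # which is true for every row.
    conn = build_db()
    payload = "' OR '1'='1"
    leaked = login_vulnerable(conn, payload, payload)
    blocked = login_parameterized(conn, payload, payload)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable query returned:", leaked)
    print("parameterised query returned:", blocked)
```

The injected string is the same in both calls; only the way the query is assembled differs. This is exactly the class of defect a web application penetration test is meant to surface before an attacker does.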

Approximately six months later, the malware migrated from the corporate network to the company's payment processing network. All of this went on while the company was completely unaware.

Another six months down the line, the company discovered it might have a problem, based on external information fed to it by one of the major credit card companies. No fewer than three forensics firms hired by the payment processor analysed the organisation's networks. All three reported the systems were malware free.

Another three months on, the organisation's own staff eventually found the malware.

What steps did the company take next?

The organisation went against the advice of its lawyers, who recommended minimal disclosure of the breach. Instead, deciding to be full and open in line with its trading ethos, the organisation made a full disclosure. The company paid a hefty price for this: in the two weeks after the disclosure its stock price fell 78% and the company lost 5,000 of its 250,000 clients. The organisation was also delisted by the major credit card brands.

The total monetary cost of the breach

The organisation suffered 170 million in losses, of which 20 million was covered by insurance, leaving a net loss of 150 million. This does not include reputational damage and similar costs.


What can we learn from this?

An organisation cannot simply rely on firewalls and adequate perimeter security alone.

This organisation did not have an incident response plan in place to deal with such an occurrence. Had a plan been in place, the early warnings may well have been taken more seriously earlier in the breach, and the responses would have been well thought out and in line with policy.

The malware moved between networks due to human error. Security awareness training is a must for all of your employees; with it, the malware might have been contained and the breach might never have occurred.

This organisation was nowhere near aggressive enough in its data security. The security of the data is paramount, and simply conforming to compliance requirements is not enough.

This breach could have been avoided if the organisation had tested its security far more rigorously, acted upon those test results by implementing tighter security, and had plans in place for incidents and breaches. The company now actively pursues a much more aggressive and comprehensive security strategy. Don't rely on compliance to assume your organisation is safe. Security is your responsibility; don't pay the price this organisation did.