In a new blog post, researchers Sagie Dulce and Michael Cherny from Imperva’s Application Defence Centre (ADC) team take a close look at the recent data breach at Loyaltybuild.
Key takeaways from the blog post include:
• However ‘sophisticated’ this breach may prove to be, simply monitoring access to the data records could have alerted security personnel and might have prevented it. Most would agree that copying a million records is worth opening a ticket with the IT security team.
• After the MongoHQ breach we advised customers to take responsibility for their sensitive data and to know how their business partners secure it. In the Loyaltybuild case, Loyaltybuild’s customers (the businesses whose end-user data it held) agreed to share too much, in plaintext, with no guarantees. When using third-party services, businesses should share the bare minimum of information with their partners. This is particularly true of sensitive information.
• In both cases, simply encrypting the sensitive data might have limited the fallout. Moreover, in both cases customers were far too trusting of their service provider. Whether it is a cloud-based startup or an established business like Loyaltybuild, customers need to protect themselves rather than assume their service provider will do the job for them.
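The first takeaway, that monitoring would have caught a million records being copied, is a volume check over database audit logs. The following is an added example of such a check, not code from Imperva’s post or from Loyaltybuild: the audit line format, the account and table names, the sample log lines, the one-million-row threshold and the 24-hour window are all constructed assumptions for illustration. It keeps a sliding window of rows fetched per database user and source host and raises one alert when the running total crosses the threshold.

```python
"""Volume-based alerting over database audit log lines.

Added example, not code from Imperva or Loyaltybuild. The log format, user
names, table names, threshold and window are all assumptions made for
illustration. Each audit line is assumed to look like:

    2013-11-08T02:14:07Z user=reports_ro src=10.0.2.15 rows=5000 table=customers

The detector keeps a sliding window of rows fetched per (user, source host)
and raises one alert when the running total crosses the threshold.
Lines are expected in chronological order, as a log file normally is.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Optional
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"rows=(?P<rows>\d+) table=(?P<table>\S+)$"
)

# Constructed sample log: a web app reading single rows, and a reporting
# account pulling the customer and card tables in a few large chunks.
SAMPLE_LOG = """\
2013-11-08T01:00:00Z user=webapp src=10.0.1.20 rows=1 table=customers
2013-11-08T01:00:05Z user=webapp src=10.0.1.20 rows=1 table=customers
2013-11-08T02:14:07Z user=reports_ro src=10.0.2.15 rows=400000 table=customers
2013-11-08T02:16:30Z user=reports_ro src=10.0.2.15 rows=400000 table=customers
2013-11-08T02:18:02Z user=reports_ro src=10.0.2.15 rows=350000 table=card_details
2013-11-08T03:00:00Z user=webapp src=10.0.1.20 rows=1 table=customers
2013-11-09T05:00:00Z user=reports_ro src=10.0.2.15 rows=300000 table=customers
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one audit line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "src": m["src"],
            "rows": int(m["rows"]), "table": m["table"]}


def detect_bulk_reads(lines, threshold=1_000_000, window=timedelta(hours=24)):
    """Return one alert per (user, src) whose rows fetched within `window`
    reach `threshold`. Each alert records the total at the moment it tripped."""
    events = defaultdict(deque)   # (user, src) -> deque of (ts, rows) in window
    totals = defaultdict(int)     # (user, src) -> rows currently in window
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue              # unparseable line: skip, do not crash the detector
        key = (rec["user"], rec["src"])
        q = events[key]
        q.append((rec["ts"], rec["rows"]))
        totals[key] += rec["rows"]
        # Drop events that have fallen out of the window.
        while q and rec["ts"] - q[0][0] > window:
            _, old_rows = q.popleft()
            totals[key] -= old_rows
        if totals[key] >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"user": rec["user"], "src": rec["src"],
                           "rows": totals[key], "last_table": rec["table"],
                           "at": rec["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_reads(SAMPLE_LOG.splitlines()):
        print("ALERT bulk read:", alert)
```

Run against the constructed log, the reporting account trips the alert on its third chunk (1,150,000 rows inside the window), while the web application’s single-row reads never come close. In practice the threshold would be set per account from a baseline of normal read volume, and the alert would carry enough context (account, source host, tables touched) for the ticket the post has in mind.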
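The second and third takeaways, share the bare minimum with a partner and protect what is shared, can be made concrete as a minimisation step applied before records leave the data owner. The following is an added example, not code from Imperva’s post or from Loyaltybuild: the field names, the sample records, the partner’s required fields and the owner key are constructed assumptions. It uses keyed pseudonymisation (HMAC-SHA-256 tokens from the standard library) in place of field-level encryption, so that the partner receives only the fields it needs plus a token, and only the owner, who holds the key, can map a token back to a customer.

```python
"""Sharing the bare minimum with a third-party service.

Added example, not code from Imperva or Loyaltybuild. Field names, the key
and the sample records are constructed for illustration. The post recommends
sharing less and encrypting what is shared; this block shows the
data-minimisation half with keyed pseudonymisation (HMAC-SHA-256 tokens,
standard library only) standing in for field-level encryption: the data
owner keeps the key, the partner receives only the fields it needs plus a
token, and only the owner can map a token back to a customer.
"""
import hashlib
import hmac

# Constructed: what a loyalty programme might hold about its customers.
FULL_RECORDS = [
    {"customer_id": "C-1001", "name": "A. Example", "email": "a@example.invalid",
     "card_number": "4111111111111111", "booking_ref": "BK-77", "hotel": "H1",
     "check_in": "2013-11-20", "nights": 2},
    {"customer_id": "C-1002", "name": "B. Example", "email": "b@example.invalid",
     "card_number": "5555555555554444", "booking_ref": "BK-78", "hotel": "H2",
     "check_in": "2013-11-21", "nights": 1},
]

# The only fields the partner needs to fulfil the booking (an assumption).
PARTNER_FIELDS = ("booking_ref", "hotel", "check_in", "nights")
# Fields that must never leave the owner in plaintext.
PII_FIELDS = ("customer_id", "name", "email", "card_number")

# Secret held by the data owner, never given to the partner. Constructed value.
OWNER_KEY = b"owner-secret-key-rotate-me"


def tokenize(customer_id: str, key: bytes) -> str:
    """Keyed, deterministic token: the same customer always gets the same
    token (so the partner can refer back to them), but without the key an
    attacker holding the tokens cannot brute-force customer IDs from them."""
    return hmac.new(key, customer_id.encode(), hashlib.sha256).hexdigest()


def minimise_for_partner(record: dict, key: bytes) -> dict:
    """Project a full record down to what the partner needs, replacing the
    customer identifier with an HMAC token."""
    shared = {k: record[k] for k in PARTNER_FIELDS if k in record}
    shared["customer_token"] = tokenize(record["customer_id"], key)
    return shared


def leaks_pii(shared: dict) -> bool:
    """True if any PII field survived minimisation (a check to run before sending)."""
    return any(k in shared for k in PII_FIELDS)


def build_lookup(records, key: bytes) -> dict:
    """Owner-side table for re-identifying tokens that come back from the partner."""
    return {tokenize(r["customer_id"], key): r["customer_id"] for r in records}


def reidentify(token: str, lookup: dict):
    """Map a partner-supplied token back to a customer ID; None if unknown."""
    return lookup.get(token)


if __name__ == "__main__":
    lookup = build_lookup(FULL_RECORDS, OWNER_KEY)
    for rec in FULL_RECORDS:
        shared = minimise_for_partner(rec, OWNER_KEY)
        assert not leaks_pii(shared)
        print(shared, "-> owner maps back to", reidentify(shared["customer_token"], lookup))
```

A breach at the partner would then yield booking details and opaque tokens rather than names, e-mail addresses and card numbers; the tokens are useless without the owner’s key, and rotating that key invalidates them. Where the partner genuinely needs a sensitive field (for example card data for a charge), that field should be encrypted with a key the owner controls or handled through a tokenisation provider, not shipped in plaintext.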
The full blog post can be found here.