News has just surfaced that Cash Converters has been hit by a data breach. The company reported that it had:
“Received an email threat from a third party claiming to have gained unauthorised access to customer data within a Cash Converters’ United Kingdom website (‘Webshop’). The unidentified third party’s threat included the widespread release of the data unless it receives a financial payment.”
Cash Converters has reported the threat to the authorities in the UK and Australia, and has appointed security advisors to review its systems. Credit card data was not stored on the Webshop although hackers may have accessed user records including personal details, passwords, and purchase history. IT security experts commented below.
Javvad Malik, Security Advocate at AlienVault:
Andre Stewart, VP EMEA at Netskope:
“Wherever possible, organisations must make end users aware of basic cyber hygiene, steering them towards safe courses of action – including regular password updates. After all, each new hack can release a treasure trove of user details in the form of usernames, passwords and other information which can then be used to access other online services. When the same credentials are used across multiple accounts, these breaches can expose data in many different cloud apps and services at the same time. This creates a significant risk to the enterprise because passwords used in simple personal applications are all too often used for data critical applications at work.
“Businesses should also monitor credentials revealed in breaches and compare them to those used to access their services – across both the cloud and on premise. As critical data continues to spread beyond the traditional perimeter network, this vigilance will become increasingly important. If credentials are found to have been compromised in another breach, companies can prompt customers to change their details to ensure systems remain secure. Organisations should also monitor for unusual behaviour or usage patterns so that security teams can block intruders and protect sensitive data.”
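A concrete form of the check Stewart describes, added here as an example (not code from Netskope or the article): a password presented at login is compared against a corpus of hashes exposed in earlier breaches using a k-anonymity prefix query, so the full hash never leaves the login service. The corpus contents, the 5-character prefix length and the `force_reset` decision are assumptions constructed for this example.

```python
import hashlib
from typing import Dict, List

def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form breach-hash feeds commonly publish."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed sample corpus (not real breach data): hash -> times seen in breaches.
BREACH_CORPUS: Dict[str, int] = {
    sha1_hex("password1"): 2_400_000,
    sha1_hex("letmein"): 310_000,
    sha1_hex("Summer2017!"): 1_200,
}

def range_lookup(prefix5: str) -> List[str]:
    """Server side of the range query: return 'SUFFIX:COUNT' for every corpus
    hash starting with the 5-char prefix. The server cannot tell which of the
    returned suffixes (if any) is the one the caller is checking."""
    prefix5 = prefix5.upper()
    return [f"{h[5:]}:{n}" for h, n in BREACH_CORPUS.items() if h.startswith(prefix5)]

def breach_count(password: str) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally.
    Returns how often the password appeared in breaches, 0 if never."""
    full = sha1_hex(password)
    prefix, suffix = full[:5], full[5:]
    for line in range_lookup(prefix):
        got_suffix, count = line.split(":")
        if got_suffix == suffix:
            return int(count)
    return 0

def login_decision(password: str) -> str:
    """What the login flow acts on: a known-breached password is still a valid
    login, but the user is routed to a forced reset rather than let through."""
    return "force_reset" if breach_count(password) > 0 else "ok"

if __name__ == "__main__":
    for pw in ("letmein", "Summer2017!", "correct horse battery staple"):
        print(f"{pw!r:35} -> {login_decision(pw)} (seen {breach_count(pw)} times)")
```

The same suffix-matching loop handles the realistic case where several corpus hashes share a prefix, since only an exact suffix match counts as a hit.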
Matt Lock, Director of Sales Engineers at Varonis:
“When the EU General Data Protection Regulation (GDPR) kicks in next May, companies that handle information belonging to EU residents will have to adhere to a strict new set of guidelines. This case is a prime example of how organisations must adopt GDPR guidelines now and maintain best practices to secure their systems and lock down sensitive customer data.
“With only months remaining until GDPR kicks in, organisations are running out of time to take stock of how exposed their data is to attack. Had this attack occurred after GDPR had kicked in, Cash Converters would be facing stiff penalties. Ransomware and situations like this are the canary in the coal mine for organisations to reduce their risk profile by removing users that no longer need access and maintaining a least privilege model to keep their data secure.”
Matthias Maier, Security Evangelist at Splunk:
“Cash Converters must have the right response capabilities and processes in place to stifle the impact of malicious and highly destructive assaults. Working together with the authorities to investigate and analyse the digital fingerprints in logs the hacker may have left behind is now the right thing to do. This should help to identify and communicate to individuals the risks that they are exposed to, and also help Cash Converters to recover as a company from the security breach and monetary demands.”
Cash Converters may have learned from the failings of those hacked before them when it comes to reassuring customers in the wake of a data breach, but it seems the important lessons concerning cyber security are yet to be learned.
It is yet again an avoidable vulnerability, as a result of sprawling IT systems, that has caused the data of consumers to find its way into the hands of hackers. It is up to businesses to change the mindset when it comes to cyber security and to implement coherent and comprehensive strategies that leave no data unprotected. The key to achieving this is giving CISOs the control they need, over budget and IT initiatives, to enable a Zero Trust security posture based upon user and application – rather than network – security. CISOs know watertight defences are virtually impossible, and can therefore define a security program that includes breach containment, using technology such as cryptography as the fabric to effectively segment the network to ensure we see the scale and scope of high profile hacks severely diminish.
Carl Leonard, Principal Security Analyst at Forcepoint:
“While the breach is only affecting customers on the company’s old website, there has never been more pressure on enterprises, regardless of sector, to preserve privacy while leveraging data for legitimate business purposes. The more sensitive the data, the greater the liabilities caused by a breach.
“Fundamentally, focusing too narrowly on a single scenario can prevent companies from seeing the full spectrum of risk they face, with dire consequences. Companies need to adapt and update legacy defenses with modern, human-centric approaches that look at how and why data is accessed and by whom; this intersection of users, data and systems can become the critical point for effective security and compliance. In doing so, businesses can protect their customers and, crucially, their reputation against the ever-increasing threat of cybercrime.”