Cycling retail giant Wiggle (revenue over £400m) has been forced to make a statement on Twitter to its customers after receiving hundreds of complaints about fraudulent purchases made on their accounts.
— Wiggle (@Wiggle_Sport) June 16, 2020
This attack really proves that the ‘hacker in a hoodie’ days are over – whoever has been using these credentials clearly enjoys their cycling. According to Wiggle’s statement, the credentials appear to have been acquired through a data breach at another company, outside of Wiggle’s own systems. This just goes to show how fruitful a single successful breach can be for cybercriminals: because users typically reuse the same email address and password across multiple services, including their work machines, attackers can gain access to all sorts of accounts, and potentially not only huge amounts of personal data but business-related data as well.
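The pattern described above, one set of breached credentials replayed against many accounts on another site, leaves a characteristic trace in login logs: one source address trying many distinct usernames in a short window with a high failure rate. The following added example (not code from Wiggle or the original article; the log lines are constructed) implements that detection heuristic so a defender can flag the burst and list the accounts that did log in successfully during it for review.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events: (timestamp, source_ip, username, success).
# One address cycles through many accounts with mostly failures; another is a
# single user who mistyped once and then logged in normally.
SAMPLE_EVENTS = [
    ("2020-06-16T08:00:01", "198.51.100.7", "alice", False),
    ("2020-06-16T08:00:02", "198.51.100.7", "bob", False),
    ("2020-06-16T08:00:03", "198.51.100.7", "carol", True),
    ("2020-06-16T08:00:04", "198.51.100.7", "dave", False),
    ("2020-06-16T08:00:05", "198.51.100.7", "erin", False),
    ("2020-06-16T08:00:06", "198.51.100.7", "frank", True),
    ("2020-06-16T08:05:00", "203.0.113.9", "grace", False),
    ("2020-06-16T08:05:10", "203.0.113.9", "grace", True),
]


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_accounts=5, min_failure_ratio=0.5):
    """Flag source IPs that, within any sliding time window, attempted at least
    `min_accounts` distinct usernames with a failure ratio >= `min_failure_ratio`.
    Returns {ip: {"accounts": n, "failure_ratio": r, "successes_to_review": [...]}}.
    Thresholds are illustrative assumptions; tune them to the site's traffic."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, ok))

    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it fits within `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            chunk = rows[start:end + 1]
            users = {u for _, u, _ in chunk}
            failures = sum(1 for _, _, ok in chunk if not ok)
            ratio = failures / len(chunk)
            if len(users) >= min_accounts and ratio >= min_failure_ratio:
                # Keep the latest (widest) matching window for this IP.
                findings[ip] = {
                    "accounts": len(users),
                    "failure_ratio": round(ratio, 2),
                    "successes_to_review": sorted(u for _, u, ok in chunk if ok),
                }
    return findings
```

Accounts in `successes_to_review` are the ones a reused password actually unlocked; forcing a password reset and notifying those users is the usual response.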
Many users know not to use the same password for multiple accounts, and to change them regularly – it is training 101. However, breaches of this nature show how ineffective training can be: users will simply ignore security protocol if it gets in the way of productivity. Instead of forcing users to comply with security protocols that do not work for them, CISOs should be speaking to their users and assessing which individuals are ignoring their training, why they do so, and how much risk that poses to the organisation. They should then develop security practices that work for both sides and let users do their jobs without security constantly getting in the way; otherwise users will simply ignore their training and keep reusing the same insecure password.