Experts Comments On Kylie’s Cosmetics Security Incident

Kylie Cosmetics has issued a statement to customers about a security incident involving its eCommerce platform, Shopify.

Experts Comments

October 01, 2020
Tarik Saleh
Senior Security Engineer and Malware Researcher
DomainTools
We should expect more brands to get in touch with their customers notifying them about their data being compromised in the recent Shopify breach. Caused by two rogue employees, there was little that Shopify could have done to prevent this, other than perhaps vetting their new hires a little more thoroughly. Even so, however, the risk of something like this happening would not have been reduced down to zero. Kylie Jenner’s cosmetics company followed due process in informing its customers of this security breach. People whose data was stolen should now be careful about what they receive via mail. The last four digits of a credit card may not be used to steal funds, but could be a valuable piece of information for anyone looking to design a sophisticated spear-phishing type fraud.
October 01, 2020
Lamar Bailey
Senior Director of Security Research
Tripwire
Insider threat is a very real issue that gets little attention. Support engineers are often an entry-level job so it is easier for someone to infiltrate the organization at this level. A bad actor looking to gain company data can easily use a fake identity to secure a job then use this position as a launching point for gathering data to sell on the black market. It is imperative that organizations have security controls in place for users, access, and file monitoring to look for employees accessing systems, code, or data they do not need access to. A stance of least privilege for everyone is the best policy. With the current industry skills gap, organizations may not be as diligent at validating the background of new employees.
October 01, 2020
Robert Byrne
Field Strategist
One Identity
If it was inappropriate for those staff members to have access to that data, then there was a failure to follow the least privilege principle. This can be corrected and automated by using Identity Management software. If they were correctly authorised to access the data, then security can be improved by tightening controls on bulk export tools and closely auditing the access. For high-risk data, we see more organisations requiring a PAM session to access the system. Security awareness training programs can then pass the message to staff: "Hey, where appropriate and for good reasons, we are watching your professional system activity". This has a powerful deterrent effect that helps reduce this type of data leak.
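The file monitoring Bailey describes and the bulk-export auditing Byrne describes, as an added example that is not any of the quoted experts' own tooling: a small Python check over a constructed audit log that flags support-role access to datasets outside the role's allowed set, and any single user whose exports exceed a record threshold within a sliding one-hour window. The log format, role policy, threshold and window are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical least-privilege policy: which datasets each role may touch
# (constructed for this example, not Shopify's real role model).
ALLOWED = {
    "support": {"orders", "tickets"},
    "finance": {"orders", "payouts"},
}
BULK_THRESHOLD = 1000          # records one user may export per window
WINDOW = timedelta(hours=1)    # sliding window for the export total


def parse(line):
    """Parse one constructed audit line: ts|user|role|action|dataset|count."""
    ts, user, role, action, dataset, count = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "action": action, "dataset": dataset, "count": int(count)}


def review(lines):
    """Return findings as (user, kind, detail) tuples, in log order."""
    findings = []
    exports = defaultdict(list)   # user -> [(ts, count)] inside the window
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    for ev in events:
        # (a) any access to a dataset the user's role is not allowed to touch
        if ev["dataset"] not in ALLOWED.get(ev["role"], set()):
            findings.append((ev["user"], "out_of_scope", ev["dataset"]))
        # (b) cumulative export volume per user within the sliding window
        if ev["action"] == "export":
            hist = exports[ev["user"]]
            hist.append((ev["ts"], ev["count"]))
            hist[:] = [(t, c) for t, c in hist if ev["ts"] - t <= WINDOW]
            total = sum(c for _, c in hist)
            if total > BULK_THRESHOLD:
                findings.append((ev["user"], "bulk_export", total))
    return findings


# Constructed sample log: agent2 pulls 1150 order records in 35 minutes,
# agent3 (support) reads a finance-only dataset.
SAMPLE_LOG = """\
2020-09-15T09:00:00|agent1|support|read|tickets|1
2020-09-15T09:05:00|agent2|support|export|orders|400
2020-09-15T09:20:00|agent2|support|export|orders|450
2020-09-15T09:40:00|agent2|support|export|orders|300
2020-09-15T10:10:00|agent3|support|read|payouts|1
2020-09-15T11:30:00|agent2|support|export|orders|200
"""
```

Running `review(SAMPLE_LOG.splitlines())` reports agent2's 1150-record export burst and agent3's out-of-scope read, while agent2's later 200-record export falls outside the window and is not flagged.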
October 01, 2020
Chris Hauk
Consumer Privacy Champion
Pixel Privacy
The Shopify data theft is only the most recent incident where employees stole customer data or committed an act against customers. We've seen it happen at Twitter, Instacart, and now Shopify. While Shopify says it has put in place additional controls to prevent something like this from happening again, it's another case of closing the barn door after the horse has bolted. Companies need to learn from what has happened at Shopify and Instacart, and make sure they have safeguards in place to prevent these types of data breaches before they happen. Online merchant services have a duty to consumers to protect their data, especially now, when online shopping is on the upswing due to social distancing during the COVID-19 pandemic.
October 01, 2020
Matt Aldridge
Principal Solutions Architect
Webroot
As Shopify has now learned the hard way, insider threats are real, and it is crucial that all organisations assess and mitigate the risk of internal agents going ‘rogue’. In this case, it should not have been possible for these support agents to extract such large volumes of data from the Shopify platform. It is important to have the proper policies, access controls, monitoring, and response plans in place to prevent and mitigate against this type of threat. Also, investing properly in your team, including delivering security awareness training and other personal development, should help to reduce the chances of them going ‘rogue’.
September 30, 2020
Jake Moore
Cybersecurity Specialist
ESET
Some of the biggest threats come from physical access to a network, which can be extremely difficult to protect against. Employees with both knowledge and access can be extremely damaging and can create more problems than external attacks, which highlights the importance of limiting user privileges where possible. Insider threats are a constant risk which businesses have always had to take a chance with. However, we are now seeing more remote working as well as new employees often never physically meeting their employers, which accelerates the risks. Those affected must take care and remain vigilant when it comes to further phishing emails which may be sent as a result of this attack.
September 30, 2020
Francis Gaffney
Director of Threat Intelligence
Mimecast
This breach appears to be the result of a possible malicious insider threat, with rogue/naïve employees allegedly stealing data from within. This kind of breach is actually more common than one might expect. Organisations, understandably, invest a lot of resources to stop hackers from outside their organisation from breaching security defences, but most have little protection against an insider threat such as this one. It is likely that the target was identified as a result of social engineering, which usually involves quite sophisticated attacks, and can involve substantial research on their intended target to craft specific bespoke lures, such as websites and tailored emails - referred to as pattern-of-life analysis. The threat actor studies the target’s online presence, including their use of social media, to identify social and family networks, favourite restaurants, hobbies, sporting or musical interests, to better understand how the targets can be coerced into leaking data. A potential mitigation to this type of attack is to limit unnecessary access to sensitive data – access should only be on a need-to-know basis – but if the attacker has conducted their research competently, they will have identified a target with the necessary access. Human error is required for these attacks to be successful, which highlights the importance of regular cyber training to increase employee awareness about such methodologies used by threat actors. Our State of Email Security report found 56% of organisations do not provide awareness training on a frequent basis, leaving businesses increasingly vulnerable. At the same time, appropriately managed access controls for administrative or supervisory accounts can assist in preventing the escalation of privileges, or abuse of permissions, that this particular attack relied upon. These need to change to prevent further successful attacks such as this one, that can have reputational damage for any company.