Kylie Cosmetics has issued a statement to customers about a security incident involving its eCommerce platform, Shopify.
Kylie Jenner's make-up company warns of security breach compromising customer data https://t.co/YHWQLoNZPf
— BBC News (World) (@BBCWorld) September 30, 2020
We should expect more brands to get in touch with their customers to notify them that their data was compromised in the recent Shopify breach. Because it was caused by two rogue employees, there was little Shopify could have done to prevent it, other than perhaps vetting its new hires more thoroughly. Even then, the risk of something like this happening would not have been reduced to zero.
Kylie Jenner’s cosmetics company followed due process in informing its customers of this security breach. People whose data was stolen should now be careful about what they receive via mail. The last four digits of a credit card may not be usable to steal funds directly, but could be a valuable piece of information for anyone looking to design a sophisticated spear-phishing fraud.
Insider threat is a very real issue that gets little attention. Support engineering is often an entry-level role, so it is easier for someone to infiltrate an organization at that level. A bad actor looking to obtain company data can use a fake identity to secure a job and then use that position as a launching point for gathering data to sell on the black market. It is imperative that organizations have security controls in place for user, access, and file monitoring to detect employees accessing systems, code, or data they do not need. A stance of least privilege for everyone is the best policy.
With the current industry skills gap, organizations may not be as diligent in validating the backgrounds of new employees.
If it was inappropriate for those staff members to have access to that data, then there was a failure to follow the principle of least privilege. This can be corrected and automated using identity management software. If they were correctly authorised to access the data, then security can be improved by tightening controls on bulk export tools and closely auditing that access. For high-risk data, we see more organisations requiring a PAM (privileged access management) session to access the system. Security awareness training programs can then pass the message to staff: “Hey, where appropriate and for good reasons, we are watching your professional system activity.” This has a powerful deterrent effect that helps reduce this type of data leak.
The Shopify data theft is only the most recent incident in which employees stole customer data or committed an act against customers. We’ve seen it happen at Twitter, Instacart, and now Shopify. While Shopify says it has put additional controls in place to prevent something like this from happening again, it’s another case of closing the barn door after the horse has bolted.
Companies need to learn from what has happened at Shopify and Instacart, and make sure they have safeguards in place to prevent these types of data breaches before they happen. Online merchant services have a duty to consumers to protect their data, especially now, when online shopping is on the upswing due to social distancing during the COVID-19 pandemic.
As Shopify has now learned the hard way, insider threats are real, and it is crucial that all organisations assess and mitigate the risk of internal agents going ‘rogue’. In this case, it should not have been possible for these support agents to extract such large volumes of data from the Shopify platform. It is important to have the proper policies, access controls, monitoring, and response plans in place to prevent and mitigate this type of threat. Also, investing properly in your team, including delivering security awareness training and other personal development, should help to reduce the chances of them going ‘rogue’.