It has been reported this morning that Whole Foods has been hacked- the popular grocery chain recently acquired by technology giant Amazon, suffered a data breach that saw hackers gain access to credit card data of customers who made purchases at some of its in-store taprooms and restaurants. IT security experts commented below.
Andrew Clarke, EMEA Director at One Identity:
“We are reading about the modern-day version of the bank raid – the challenge that presents itself is that on this occasion is by the time the organisation knows it has happened the criminals are long gone. Depending on the nature of the attack, even the fact that data has been stolen is often undetected for months. By that time, the victims extend well beyond the organisation itself, with personal credit card data being a desired target for the criminal. And this is not an unusual event, since each week we are reading a similar story that just keeps replaying itself with different actors but the same unfortunate outcomes.
While we don’t know the details yet behind the Whole Foods case, we do know through experience that although organisations are taking steps to safeguard confidential data, it is usually accessed by the attacker gaining administrative privileges – sometimes this is default admin credentials on an internet facing device & occasionally through data stored in the cloud. It can also start through an unpatched vulnerability being exploited to gain access to a specific system, where through lateral movement, the attacker can then gain access to more significant servers and on the way discover admin or privileged accounts that help them with the exploitation.
The end result is always the same – the attacker finds an open door; steps through and then gains increased access to systems until the goal is achieved and the data he desires is off-loaded for them to use. We do have security technologies available today that help to mitigate the risks. After scanning for vulnerabilities and ensuring that all systems are adequately patched; placing administrative passwords in a secure and trusted safe or electronic vault – referred to as privileged access management – the processes are then in place to mitigate the underlying risk that defend the domain from malicious attackers.”
Mark James, Security Specialist at ESET:
Another day, another data breach!
“Really!”- I hear you say “surely there is no data left to be hacked!?”
So much of our data seems to be leaking onto the internet that another load won’t make a lot of difference, right? Wrong.
Every single piece of our data that makes its way onto a criminals list or into a database, of our most precious, private data, is another attack vector for a malicious actor. Cancelling our credit cards is not hard- usually if we have not been completely negligent ,then getting the funds refunded is also not difficult- but trying not to get scammed, or be a victim of a phishing attack is not so easy!
Even though Whole Foods (WF) may not in themselves ring bells, when the email arrives their association with Amazon may be the big draw here. It’s quite probable we will see phishing attacks using both brand names trying to get you to follow the link or download something to “verify” your details. As with all cases like this, be very vigilant about keeping an eye on your finances- small transactions might just be criminals testing the card to see if it works. If you find anything out of the ordinary then contact your bank immediately.” IT security experts commented below.
Stephen Moore, Chief Security Strategist at Exabeam:
“Cyber attackers appear to have obtained access to some of Whole Foods Market’s POS systems, but it’s currently not clear how this occurred. One potential entry point, as seen in the recent Wendy’s breach, could be the use of stolen remote access credentials from a service provider, which would then be used to deploy malware onto the store payment systems.
As long as cyber criminals stand to gain from these attacks and the methods to detect and disrupt them don’t improve, they will continue to persist and succeed. To bolster their defences, businesses need a means to understand what normal user behaviour looks like, so there can be an early indication of compromise when unusual behaviours occur. This might include system access, beaconing, or file uploads. In many recent payment system attacks, customer credit and debit card information has been collected and removed, and this activity has remained undetected by the affected companies for some time.”
John Suit, CTO at Trivalent:
“The recent Whole Foods breach demonstrates the importance of rigorous transaction data protection technology to combat the growing sophistication of point of sale system attacks. To get ahead of these risks, retailers and businesses must understand that traditional encryption is no longer enough. Next generation data protection solutions are immediately needed to ensure protection of personally identifiable information such as credit card details. These solutions secure data at the file-level, keeping it safe from unauthorized users – even in the event of a breach.”
