The nonprofit American Payroll Association (APA) notified members and customers of a data breach resulting from a web skimmer on its website login and online store checkout pages. The Association and its 121 local chapters organize training seminars and events that are attended by more than 36,000 yearly.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
Government acquisition and supply contracts are a complex issue. Every organization needs to balance capability, cost, and security, when they\’re buying new hardware or software, but buyers in the Federal space have National Security concerns that civilian agencies don\’t have to consider. Hopefully, this new guidance from OMB (Office of Management and Budget) will provide a transparent and consistent way to assure resources acquired through the Federal supply chain remain secure.
The American Payroll Association breach shows a number of places where the industry as a whole still needs to do a better job. Attackers were apparently able to leverage a flaw in APA\’s content management system (CMS) or a compromised admin account to place their skimmer. If it was a CMS flaw, it shows that security holes aren\’t being patched in a timely fashion. Whether it was because the flaw was undetected, the patch hadn\’t been released, or an existing patch hadn\’t been applied, the result is the same.
APA was able to identify this attack in under 90 days, which is an improvement over previous years in reducing attacker dwell time, but is still much too long. Better analytic tools could have mitigated the situation by recognizing the behaviors associated with an attack, both on the affected servers and in user activity with stolen credentials.
Separately, the US Office of Management and Budget today issued the Federal Acquisition Supply Chain Security Act and a request for comments (open through Nov. 2, 2020) designed to control who supplies the US Federal government with technology and technology services. The Act is intended to help curtail procurements from vendors and organizations that may pose a threat to national security.