Experts React to News of New Retail Breach at CVS

By ISBuzz Team | July 22, 2015 | Updated: December 4, 2024 | 5 Mins Read

It was announced that pharmacy chain CVS has taken down its online photo center CVSphoto.com, replacing it with a message warning that customer credit card data may have been compromised. The incident comes just days after Walmart Canada said it was investigating a potential breach of customer card data at its online photo processing store.

The same processor serves Costco and other major retailers, so the breach has a potentially huge impact. Cybersecurity experts from Lastline, Lieberman Software, Proficio, Securonix and Tripwire had the following reactions:

Brian Laing, VP, Lastline (www.lastline.com):

“Companies themselves are often great targets for attack. However, attackers can save themselves a great deal of time and effort targeting aggregation points. This is an example of that type of attack. When looking at a company’s security they must be sure of their entire supply chain, which includes assuring that other connections into the supply chain are also protected. This appears to be a case where data may not have been adequately segmented. Attackers were able to get in through first one connection (which may not have been CVS) and then use that access to possibly gain access to information from the other related vendors using the supply chain vendor.”

Philip Lieberman, President, Lieberman Software (www.liebsoft.com):

“The board of directors will yet again have to explain to their respective CEO and CIOs their role in protecting their infrastructure in cyber space. Unfortunately, these are companies lacking in significant operational cyber-defense capabilities and lack the culture to implement them.

As a potential vendor to CVS and Staples, we have found both to be highly resistant toward implementing significant mitigations to their IT security weaknesses. After enough fines and turnovers in the executive suite, we expect them to eventually purchase our products and stop the consequences of these intrusions. Or, maybe not. They join the parade of Target, Home Depot and others that are unable to implement real IT security.

Hopefully the US Government will step in with draconian measures that will either straighten out the incompetency of these IT shops or shut them down as no longer viable companies. The technology to stop these types of intrusions has been available for a very long time, but these companies refuse to buy and use it and instead abuse their customers to make a fast buck. Here come the lawyers.”

Brad Taylor, CEO, Proficio (www.proficio.com):

“You are only as strong as your weakest link and this applies equally to business associates that represent your brand. Exploiting weaknesses in the security of a partner and pivoting the attack to steal corporate data is a proven strategy in a hacker’s playbook. In this case, we do not know if the data breach was limited to the independent vendor. Any retailer with credit data has a target on their back and must monitor the systems on a 24×7 basis for any sign of suspicious behavior.”

Igor Baikalov, Chief Scientist, Securonix (www.securonix.com):

“An organization’s security is only as strong as its weakest link, and third-party vendors are often that link. As with Goodwill, Lowe’s, Dairy Queen, Home Depot and Target, breaches at both CVS and Walmart Canada photo sites are likely to be traced to the third-party vendor. As we’ve seen with Home Depot and Target settlements, the losses from the data breach can be substantial. What’s different about these recent breaches though is that there’s a good chance that the vendor might be found liable, similar to the Alpine Bank case, where cyber insurers went after the service provider, Ignition Studio. The new PCI Data Security Standard, PCI DSS 3.0, specifically calls out the risk of third-party vendors, but it only covers payment data, and businesses are still struggling to implement it. The most recent version of the PCI DSS, 3.1, that was issued on April 15, 2015, explicitly places liability for the security of the cardholder data on the service providers.”

Tim Erlin, Director of IT Security and Risk Strategy, Tripwire (www.tripwire.com):

“Recent breaches have moved third parties that provide payment services to the forefront of information security teams. While outsourcing may provide a reduction in cost to the business, the potential risk has to be part of the overall calculation. In these cases, where credit card data has been stolen from a third party vendor, it’s the major brand that hits the headlines.

Retailers should expect that payment system vendors step up their game on security. Better assurance is fast becoming a competitive differentiator and desirable feature in the point-of-sale market.”

Dwayne Melancon, CTO of Tripwire (www.tripwire.com) offers tips for consumers concerned they may be potential victims of a retail credit card data breach:

“Constant vigilance is the watchword for cybersecurity. Individuals who are affected, or potentially affected, should freeze their credit reports immediately with the three major credit bureaus – Equifax, TransUnion, and Experian – to reduce the risk that anyone can open new lines of credit in their names.

This is also a good reminder that you shouldn’t use any of your personally-identifiable information as answers to your “secret questions” to validate your identity online. Make up your own questions and answers, or use answers that are fictitious but memorable to you to prevent criminals from guessing their way into your online accounts.

Finally, beware of any emails or calls regarding this incident as they are almost certainly fraudulent – and be on the lookout for potentially fraudulent requests for information requested by mail as well. Remember, the criminals have mailing information. Trust, but verify.”


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
