OxoInternational, ahomeware, office supplies, and kitchen utensil manufacturer has disclosed a two-year long breach that exposed customer details in a Magecart like attacks.
Experts comments below:
Robert Capps, VP and Authentication Strategist at NuData Security:
“Once data has been stolen, it’s used in a number of ways, including account takeover and identity fraud. More recently, we’ve seen a change in the value of stolen data as more and more intuitions are implementing user authentication solutions that render stolen data valueless. The loss of credit card data is a worry for all organisations, not just the targeted company. The data lost has the potential to be lucrative in the hands of cybercriminals, who can use the card number and CVC to accurately mimic the legitimate customer in order to make fraudulent purchases, or facilitate further cybercrime. By using security layers with behavioural analytics and passive biometrics, businesses can look across multiple aspects of the user’s interaction, instead of relying solely on the username, password and other static data which could have been stolen. Such techniques devalue phishing attacks and other techniques to extract data from legitimate consumers, as this is not enough to access a victim’s account or make illegitimate purchases. Additionally, it creates a dynamic and intelligent authentication solution that is seamless, frictionless, and un-obtrusive to end users.”
Israel Barak, Chief Information Security Officer atCybereason:
“TheOXOInternational breach once again sheds light on the real challenge companies face protecting the proprietary information of their customers that is their backbone. In the bigger picture, for law abiding organisations likeOXOthat are having difficulty protecting data, the scales won’t be tipped in their favour until all global 1000 companies start deploying technologies to eliminate the possibility of adversaries hiding in networks for large periods of time. Working with cybersecurity experts that specialise in threat hunting is a must today.
Today, the security spend for enterprises should be about the quality of the budget spend. It is no longer acceptable to allocate resources to antiquated products that protect against yesterday’s threats. Those technologies should be ripped out and thrown away with the bathwater. And for the consumer, they should be working under the assumption that their personal information has been compromised many times over. As an industry until we can start making cyber crime unprofitable for adversaries they will continue to hold the cards that will yield potentially massive payouts.”
Felix Rosbach, Product Manager at Comforte AG:
“This is yet another example of what we’ve been seeing for years now. If you have to manage an enterprise with a complex network, complex web pages and an ever-expanding attack surface, it’s becoming exceedingly difficult to protect yourself against targeted attacks. This is especially true for online retailers, which not only process a huge amount of data but also need very sensitive data to process orders and online payments. Unfortunately, this makes online retailers a very attractive target for threat groups and hackers.
The famous quote, “know your enemy and know yourself, then you will not once be defeated in a hundred battles” sounds good in theory, but in practice, it seems to be impossible to know your enemy at all. Hackers always seem to be one step a head.In addition, most companies are shocked when they find out that the average time it takes to detect a breach is 170 days. Nowadays it seems to take even longer when looking at the most recent breaches – meaning OXO is not alone – stating that the breach may have exposed customer information over the course of two years.
Bearing that in mind we have to conclude that cybersecurity is not only about preventing breaches. More importantly, you must protect the data & privacy of your customers by protecting their data at the earliest possible stage. Furthermore, it is important to have a well-trained incident response team that is prepared to react whenever a breach happens.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.