Volusion Data Breach – Comments

By ISBuzz Team
Writer, Information Security Buzz | Oct 10, 2019 05:43 am PST

It has been reported that hackers have breached the infrastructure of Volusion, a provider of cloud-hosted online stores, and are delivering malicious code that records and steals payment card details entered by users in online forms. More than 6,500 stores are impacted, but the number could be even higher. In a press release published last month, Volusion claimed it had more than 20,000 customers. The most notable compromise is the Sesame Street Live online store, which was taken down earlier today after another journalist reached out. At the time of writing, the malicious code is still on Volusion’s servers and is still being delivered to all of the company’s client stores.

5 Expert Comments
Deepak Patel, Security Evangelist
InfoSec Expert
October 11, 2019 8:27 pm

Magecart attacks compromise third-party vendor code to cast a wider net and harvest personally identifiable information (PII) from unsuspecting users. While Magento is the most targeted platform, we are now seeing Magecart attacks on platforms like Volusion. Website owners are highly dependent on e-commerce platforms like Magento and Volusion, but this can make their websites vulnerable to client-side attacks. While the British Airways and Delta Airlines data breaches get a lot of attention, it is clear that Magecart groups target businesses of all sizes and all industries. Such attacks will continue unabated until a majority of website owners focus on monitoring third-party code execution on their sites.

Ilia Kolochenko, Founder and CEO
InfoSec Expert
October 10, 2019 1:57 pm

One more sharp reminder about the immense security risks related to third-parties and cloud. Properly implemented continuous security monitoring could have prevented this incident, however, until the formal investigation is over it would be premature to make any conclusions. One thing is clear, Volusion, breached stores, their customers and banks that issued the compromised cards, are doomed for expensive and protracted litigation with numerous counter and cross claims.

Sam Curry, Chief Security Officer
InfoSec Expert
October 10, 2019 1:54 pm

The Volusion card skimming breach is yet another wake up call to the industry and all cloud service providers to keep increasing cost to break, invest in making breach extent as contained as possible and for God’s sake keep Bert and Ernie safe!

The best measure of practical security is cost to break, and the equation is simple: value of target divided by cost to break. If moving to the cloud made you more secure (i.e. made you more expensive to break) then being in a cluster with other valuable targets will make the other part of the equation go up too. In the calculation of the attacker, it’s a question of when, not if, an attack is coming after the ratio crosses a certain point.

Leigh Anne Galloway, Cybersecurity Resilience Lead
InfoSec Expert
October 10, 2019 1:51 pm

While a website might appear to wholly belong to one brand to the consumer, in reality most websites include multiple plugins from different suppliers. This breach demonstrates the potential damage that can be done if just one trusted third party provider is compromised. In this case, Volusion has 20,000 customers, so 20,000 websites could potentially be compromised.

E-commerce sites are at particular risk to this type of attack, because of the highly valuable card data that third parties have access to, which makes them a target for hackers. However, it has to be remembered that more websites than you think now contain an e-commerce function. For example, this same Magecart attack technique was used to compromise British Airways last year.

While it is the third party that is at fault, it will be the company that owns the website that will ultimately be held responsible for any misuse of customer data. While pulling out plugins from a website isn’t a realistic solution, all organisations should regularly run security assessments on their web applications to uncover vulnerabilities such as these and mitigate them quickly.

From the point of view of consumers who could be affected, they should closely monitor their bank statements for any unusual activity and alert their bank immediately if they notice any.

Richard Walter
InfoSec Expert
October 10, 2019 1:47 pm

This is another case of a Magecart attack against a third party provider used by thousands of sites, rather than a specific store. In this case, hackers gained access to Volusion’s Google Cloud architecture and modified a JavaScript file to include malicious code. In doing so, attackers may have gained access to all of the highly sensitive card data that Volusion has access to.

It’s not a new type of attack, we saw the same techniques used against British Airways and Ticketmaster last year. However, the big issue here is that hackers have gone after a third party used by thousands of websites. Already it is confirmed that 6,500 of the sites Volusion is used on have been compromised by attackers.

The use of cloud services is now ubiquitous and providers urgently need to gain security control over their services, as it is the companies using Volusion that will ultimately be held responsible. This hack goes to show that a failure to do so will cost organisations, and their customers, dearly.
