Juan C. Perez

Vendor Risk Bites Sears, Delta and Best Buy, while Saks, Lord & Taylor Deal With Breach

Data breaches dominated the cyber security headlines last week, as Sears, Delta, Best Buy, Saks, and Lord & Taylor all found themselves in the news.

Sears, Delta and Best Buy: Another vendor risk incident

What do retail giant Sears Holdings, consumer electronics chain Best Buy and Delta Air Lines have in common? A customer service contractor that got hacked, exposing payment card data for an undetermined number of their customers.

The contractor, called [24]7.ai, got breached in late September of last year, and discovered and contained the incident in mid-October. The company, which provides customer support for a variety of clients via online chats, didn’t offer details about the cause or nature of the hack in its brief statement issued Wednesday.

In its statement, Sears estimated the number of its potentially affected customers at under 100,000, and said that [24]7.ai informed it about the breach in mid-March of this year. Meanwhile, Delta said it was notified on March 28, and that it believes a “small subset” of its customers’ data was exposed, although it can’t say for sure whether the information was accessed or compromised. Best Buy said “a small fraction” of its customers may have been impacted, regardless of whether they used the chat function, according to USA Today.

It’s the latest in the recurring problem of vendor risk, in which an organization’s information security is compromised after a trusted third party — contractor, supplier, consultant, partner — suffers a breach.

In an interview with ThreatPost, Fred Kneip, CyberGRX CEO, said the [24]7.ai breach shows the level of interconnectedness among companies’ digital ecosystems and “why attacks on third parties are so prevalent.” Meanwhile Zach Allen, ZeroFOX’s director of Threat Operations, highlighted the importance “for large companies that ship data to third parties to be vigilant and persistent on the security postures of their vendors.”

One of the most notorious examples of this is Target’s massive data breach in 2013, in which attackers used login credentials stolen from one of the retailer’s air conditioning contractors to get into one of Target’s billing systems. Other well-known companies hit due to a third party’s breach include Boston Medical Center, California State University, T-Mobile and Wendy’s, to name just a few.

For more information about vendor risk, you can read some of the articles we’ve published about the topic on the Qualys blog:

Countdown to GDPR: Assess Vendor Risk

Are Your Vendors, Partners and Other Business Allies Putting Your Organization at Risk?

Assessing Risk from Vendors and Other Third Parties Is Key to Business Success

To Gauge Risk from Third Parties and Employees, Scalability and Automation Are Essential

Lasso In Employee Training, Vendor Regulatory Compliance with Automated Risk Assessments

Saks, Lord & Taylor hack undetected for 10 months

Hackers stole payment card information from 5 million Saks Fifth Avenue and Lord & Taylor customers over the course of almost a year, according to security research firm Gemini Advisory.

The firm arrived at its conclusion after it investigated an announcement from the JokerStash hacking syndicate that it had account data on 5 million debit and credit cards for sale.

“In cooperation with several financial organizations, we have confirmed with a high degree of confidence that the compromised records were stolen from customers of Saks Fifth Avenue and Lord & Taylor stores,” reads a Gemini Advisory statement. “We estimate the window of compromise to be May 2017 to present.”

The hacker group, also known as Fin7, is responsible for major breaches at many organizations including Whole Foods, Chipotle, Omni Hotels & Resorts and Trump Hotels.

“With the declared number of compromised payment cards being in excess of five million, the current hacking attack is amongst the biggest and most damaging to ever hit retail companies,” the research firm said.

Apparently, the POS (point of sale) systems at the impacted stores were compromised, allowing the cyber thieves to steal the payment card data during transactions.

Gemini Advisory told The New York Times that the attack likely started with hackers sending phishing emails to HBC employees, which allowed them to compromise internal systems and install malware on stores’ check-out registers.

The retailers’ parent company, HBC, confirmed it’d been a victim of a breach and published an FAQ, although it didn’t provide details on the number of impacted customers, nor on the causes of the incident.

Panera Bread gets baking-hot criticism over neglected web vulnerability

Panera Bread is catching flak after reportedly failing to plug a security gap it knew about for many months, even though customers’ personal information was at risk.

Security researcher Dylan Houlihan informed the U.S. bakery chain of a website vulnerability in August 2017 that he said made it possible to access customers’ full name, home address, email address, username, phone number, birthday and last four digits of a saved credit card.

About eight months later, Panera Bread had yet to fix the bug, so to spur the company into action, Houlihan informed security blogger Brian Krebs about the issue.

After Krebs’ article was published, Panera Bread finally took action, but a public kerfuffle ensued. The company downplayed the situation, saying no more than 10,000 customers may have been affected, while Houlihan, Krebs and other independent experts such as Hold Security estimated the number of potential victims in the millions.

Moreover, upon closer inspection, Krebs reported on his Twitter account that Panera Bread’s initial fix was incomplete, and that the vulnerability, originally thought to affect only one segment of the Panera Bread website, was actually much wider in scope, a concern echoed by Hold Security.

In other security news …

  • Intel has narrowed the list of CPUs it plans to patch against the Spectre vulnerability, according to its latest update on its plans. “We’ve now completed release of microcode updates for Intel microprocessor products launched in the last 9+ years that required protection against the side-channel vulnerabilities discovered by Google Project Zero,” Intel said in a statement to Threatpost. “However, as indicated in our latest microcode revision guidance, we will not be providing updated microcode for a select number of older platforms for several reasons, including limited ecosystem support and customer feedback.” Sophos’ Naked Security blog also has a take on Intel’s decision.
  • There are about 1.5 billion — yes, with a “b” — files containing about 12 petabytes of confidential information exposed publicly via the Internet on misconfigured servers, websites and other cloud services. That’s according to security firm Digital Shadows. ZDNet has a rundown of the findings.
  • Many mobile apps for IoT systems are insecure, according to a study from Pradeo Security. “According to the research, an alarming 80% of the tested apps contained vulnerabilities, with an average of 15 flaws discovered per application,” reported independent security analyst Graham Cluley.
  • More than 95% of White House email domains lack basic protection against phishing and spoofing, according to a report from the Global Cyber Alliance.
