November 13, 2014 By Douglas Bonderud

It just keeps happening. One retailer after another — Target, Dairy Queen, Kmart and now Home Depot — has been victimized by malware designed to steal credit card data and other sensitive consumer information. According to Dark Reading, Home Depot has discovered that 53 million email addresses were stolen along with credit data, putting consumers at risk for financial spear-phishing attacks.

While much has been made about flaws in well-known operating systems and the types of malware used, such as the popular Backoff point-of-sale strain, the issue of stolen vendor credentials has been largely ignored. Yet every major breach comes with a predictable beginning: Stolen credentials are used to open tiny doors into a retailer’s network, giving malicious actors the in they need to target high-level corporate systems and payment gateways. Is this retail’s real problem?

Common Thread: Stolen Vendor Credentials

According to The Wall Street Journal, Home Depot has confirmed that cybercriminals breached its systems in April with a stolen vendor password. Though the company has declined to name which vendor, it is carrying out an internal investigation.

“Data security just wasn’t high enough in our mission statement,” said former CEO Frank Blake.

Once inside the third-party network, cybercriminals jumped across to the company’s secure system by way of a Windows flaw, then targeted 7,500 self-serve terminals that were clearly marked as payment gateways. The relative ease of Home Depot’s breach has many companies running scared, looking for ways to beef up their security and detect malicious activity before it becomes front-page news. However, there is a problem: Even the most advanced security systems in the world are hard-pressed to defend against legitimate access. So long as credentials are being stolen, used and not reported until long after the fact, standard security measures won’t be effective.

Home Depot isn’t alone. PCWorld notes that Target’s infamous breach also began with stolen vendor credentials from a heating and ventilation contractor in Pennsylvania. Stolen credentials started the domino effect for the Kmart and Dairy Queen breaches, as well.

“A third-party vendor’s compromised account credentials were used to access systems,” John Gainer, CEO of Dairy Queen, said in a prepared statement.

The bottom line? All it takes is one account, one set of legitimate-looking credentials and a vendor that isn’t up-to-date with its data security or doesn’t notice the internal breach. Once cybercriminals have a foot in the door, getting them out becomes a challenge.

And Stay Out!

So what’s the solution? One option is for retailers to keep everything in-house, but in a world where cloud-based outsourcing is the new norm, this is an expensive and time-consuming prospect, even when it comes to security. SC Magazine offers a few suggestions, such as mapping sensitive data, evaluating risk on a per-vendor basis, building security assurances into vendor agreements to be clear about what’s expected and creating an incident response plan with responsibilities on both sides. Ultimately, however, it all comes back to the words of Blake: Data security can’t just be high on the mission statement; it needs to be first.

This means looking at data in a new way and treating information like a physical resource instead of a virtual one. Do retail companies need to know their vendors inside and out? Absolutely. Should they be more diligent about malware scans and patching OS vulnerabilities? Of course. But that’s just the beginning. Data security is no longer defined by who accesses information or where it goes, but rather why. Third-party vendor breaches will continue to happen. Their impact will be measured by retail companies’ ability to detect not just legitimate logins but strange behaviors in real time, and to develop holistic systems that don’t allow payment systems to act as islands.

Stolen vendor credentials are the root cause of big retail breaches. To burn them out, data security must evolve.
