Stories about otherwise sophisticated companies losing track of sensitive data like customer and employee data and credit card information are common enough that they barely warrant mention. The common thread in those stories is often the work of shadowy cyber criminal groups.
Since the beginning of the year, for example, we’ve seen leading healthcare companies like Anthem and Premera fall victim to sophisticated attacks that made off with healthcare and financial information on millions of patients and family members. Similarly, just last week the IRS acknowledged that more than 100,000 taxpayers were victims of identity theft in which unknown assailants, believed to be located in Russia, manipulated an IRS web site to obtain taxpayer information and electronically file fraudulent returns.
But a story from down under this week reminds us that sometimes – and maybe more often than we know – companies do a perfectly good job of shooting themselves in the foot.
I’m referring to the note that Australian grocery giant Woolworths leaked more than AU$1 million worth of Groupon shopping vouchers – close to 8,000 vouchers in total – to the public, resulting in fraudulent transactions that drained the value of many of the cards before their rightful owners could use them.
The leak happened when a spreadsheet of redeemable codes for gift cards, offered by the online service Groupon, were accidentally e-mailed to more than 1,000 customers who had purchased the cards, valued at between AU$200 and AU$100. The spreadsheet contained the customers' names and email addresses as well as the voucher amount. The total value of the vouchers was AU$1,308,505. Woolworths blamed the leak on a “technical fault with an e-voucher.”
We don’t know exactly how the spreadsheet was leaked to customers. But, in fact, the technical aspects of this breach don’t warrant much comment. While we might not know exactly how the list of eCards and their owners was leaked, all of us understand how you might accidentally e-mail a spreadsheet containing sensitive information to a list of people.
But the Woolworths “breach” underscores the difficulty of managing security and privacy in fast evolving sectors like retail, where the intersection between traditional “brick and mortar” operations like supermarkets and Internet-based services like Groupon, or Woolworths' own Woolworth Money and eGiftCards services, which allow customers to buy and send physical and electronic gift cards.
Companies rightly see such business partnerships and spin offs as a way to provide desirable services to customers and to broaden their relationship with them. But in providing convenience, they also provide anonymity and reduce friction. It is no surprise, then, that cyber criminals are often among the first to take note of such offerings and, when possible, to find a way to game them.
At the very least, such services put the onus on companies to closely monitor and secure such offerings from end to end. That includes scrutiny of the online services that will be the “front door” for customers. The IRS learned that lesson the hard way, after cyber criminals figured out an easy way to game an e-filing web site using data on taxpayers obtained in the cyber underground. The Woolworths case reminds us that organizations also have to scrutinize the infrastructure and workflows that support those services behind the scenes, looking for openings that would allow a malicious actor to game the system or a well-meaning employee to inadvertently expose customer data.
That’s a lesson that Woolworths learned at some great expense this week.
Dan Geer on How to Mitigate the Risk of Insider Threats
Dan Geer explains how to apply the reference monitor concept to mitigate the risks presented by insiders.
Related ArticlesWith $10M Settlement, Target Looks to Shrug off Breach Costs
Target is well on its way to shrugging off the largest data breach in history, as the company agrees to pay $10M into an escrow account for victims.Friday Five: 12/22 Edition
Catch up on the week's infosec news with this recap!For Data Thieves, the Internet of Easy Pickings
Leaks of data from the U.S. Military’s Special Operations Command (SOCOM) show that many data breaches are just a matter of picking low hanging fruit.