Raconteur

Future of Ecommerce 2020

Issue link: https://raconteur.uberflip.com/i/1264436


Stay one step ahead of the hackers

As if being breached once wasn't bad enough, blender manufacturer NutriBullet was hacked three times in less than a month. In this elaborate ecommerce fraud, Magecart hackers first installed malware to steal credit card details on the company's website on February 20. The skimmer was removed on March 1, after security experts identified the threat and took down the hackers' exfiltration domain, only for a second one to be inserted on a different part of the site on March 5. That too was soon detected and the new domain was removed. However, in a matter of days a third skimmer was implanted on March 10, again on another section of the site, and it too was discovered and taken down a week later.

NutriBullet carried out an investigation to determine how its JavaScript code was compromised and updated its security policies and credentials accordingly, adding multi-factor authentication as an extra layer of protection. But serious questions have to be raised about how the hackers were able to infiltrate the site again so easily after the initial attack.

"The message is clear: hackers are learning from past attacks to stay one step ahead, so it's up to the security community to do the same," says RiskIQ's head of threat research Yonathan Klijnsma.

You're never too big to get hacked

British Airways was hit with a record £183-million fine from the ICO after around 500,000 of its customers had their data harvested by hackers who breached its security systems. Users who booked flights through the airline's website and app were diverted to a fraudulent site where their personal details were siphoned off.

Around 380,000 transactions, including names, addresses, logins and payment card details, were accessed in this large-scale ecommerce fraud, which happened between August 21 and September 5, 2018. The problem was down to a vulnerability in the third-party Modernizr JavaScript installed on the website, which hadn't been updated since 2012.

BA notified all customers affected immediately and has agreed to compensate them for any losses. It has also fully co-operated with the ICO investigation and made improvements to its security. The airline announced its intention to appeal the penalty, which was the first to be made public under the General Data Protection Regulation.

"The lesson here is that if a big company like this can get hacked then anybody can get hacked," says Max Heinemeyer, director of threat hunting at Darktrace. "Now it's a matter of when, not if, you are going to be breached."

Make sure your third-party vendors are secure

Up to 40,000 Ticketmaster customers had their personal information stolen after hackers gained access to it through malicious software inserted in a customer support product hosted by third-party provider Inbenta Technologies. The breach compromised data belonging to those who tried to buy tickets on its website between February and June 23, 2018 and may have included names, addresses, telephone numbers, email addresses, payment and login details.

Digital bank Monzo claimed to have spotted the signs of a breach on April 6 after around 50 of its customers reported fraudulent activity on their accounts and after investigating found many of those affected had used their cards on Ticketmaster's website. Monzo presented its findings from this sophisticated ecommerce fraud to Ticketmaster, but after looking into it, the event ticketing firm said it could find no evidence of a breach.

Ticketmaster informed the ICO and notified all customers affected, advising them to reset their passwords. However, a group of 650 people are suing the company for £5 million, claiming they have suffered "multiple fraudulent transactions" and "significant stress".

"One essential lesson organisations should take from such recent incidents is that our cybersecurity is only as good as our third-party vendors' security and compliance," says CyNation's chief technology officer and chief security officer Shadi Razak.
