An alarming number of major U.S. retailers, industrial firms, government agencies and other organizations have been hit in a recent wave of cyberbreaches that may signal increasing vulnerability for consumers and businesses alike.
The attacks have exposed millions of consumer payment cards to fraud. Cyberthieves have used a variety of methods to infiltrate corporate computer systems and resell financial data on the Dark Web.
What is particularly worrisome is that in the aftermath of the high-profile intrusions during the 2016 presidential election and the massive ransomware attacks of 2017, there seems to have been little to no movement in developing comprehensive strategies.
It appears that many major U.S. institutions have been maintaining the status quo instead of implementing new measures to protect critical financial and personal information from determined adversaries, whether criminal cybergangs or rogue nation states.
“U.S. companies and organizations are woefully underprepared to deal with modern attacks like this — and the problem is simply exacerbated by the amounts and access to personal data these companies and institutions store,” said Kevin O’Brien, CEO of GreatHorn.
The personal data stolen in past attacks enhances the efficacy of future attacks, he told the E-Commerce Times. Executive impersonation scams, for example, have risen 300 percent over the past year.
Nearly one in three executives have fallen victim to these type of attacks, either by clicking links in suspicious emails or by having their names and emails spoofed and used in propagating future breaches, GreatHorn has found.
Orbitz, Under Armour
Travel website Orbitz on March 20 announced that credit card data belonging to 880,000 customers on a legacy platform might have been accessed by an attacker between Oct. 1 and Dec. 22, 2017, according to spokesperson David McNamee.
After bringing in a leading third-party forensic team and notifying law enforcement, Orbitz determined that the attacker might have accessed data for trips purchased between Jan. 1 and June 22, 2016, on its legacy site and purchases on its legacy partner platform for trips purchased from Jan. 1, 2016 to Dec. 22, 2017.
The compromised information included names, credit card numbers, dates of birth, email addresses, physical addresses and gender. The company did not disclose how the attackers accessed the data. Orbitz has offered customers a year of free credit card monitoring in response.
Under Armour on March 29 announced that 150 million accounts using the MyFitnessPal food and nutrition app had been compromised due to an unauthorized third-party having gained access to user data sometime in February.
The breach, which was discovered on March 25, involved usernames, emails and hashed passwords, but not credit card, driver’s license or social security numbers. Under Armour called on data security firms and law enforcement to address the breach and has notified customers via email or using the app.
Under Armour was notified of the breach by a white hat researcher, and the cause is still being investigated, according to an official familiar with the company who asked not to be identified. He said that how the attackers got into the system was unknown.
No customers have reported being compromised by the attackers, the source said, which could be due to the short window between the discovery of the breach and the disclosure. The company has urged customers to change their passwords.
Boeing, Saks, Sears, Delta
Boeing in March was hit by a cyberattack that reportedly was a variant of the WannaCry ransomware. The attack impacted a North Charleston, South Carolina, production facility, according to The Seattle Times.
Boeing on March 28 confirmed that its cybersecurity systems had detected a “limited intrusion of malware,” but remediations were applied, and the incident was “not a production or delivery issue.”
Media reports overstated its impact, the company said.
“We identified and assessed a minor issue and quickly applied the appropriate fix with a software patch,” said Linda Mills, vice president of communications at Boeing. “It was limited to a small number of machines within our commercial airplane businesses — not defense or services.”
There was no interruption to aircraft production or delivery, she added.
Boeing has not said whether the malware was WannaCry or any type of ransomware.
Despite the potential link to WannaCry in the Boeing case, and links to SamSam in a recent attack on the city of Atlanta, ransomware attacks actually have been on the decline as a cybercrime tactic as the demand for virtual currency has skyrocketed.
“Cryptomining is more profitable since people never know they are infected and work for the attacker longer,” noted Craig Williams, director of outreach at Cisco Talos.
“It’s also less likely to be pursued by law enforcement since it isn’t very destructive in nature,” he told the E-Commerce Times.
One of the most recent major breaches exposed the credit card data of 5 million customers of Saks Fifth Avenue, Saks Off Fifth and Lord & Taylor, all subsidiaries of Hudson’s Bay Company. Its other brands were not impacted.
A JokerStache syndicate on March 28 announced that it had 5 million stolen credit and debit cards for sale on the Dark Web, according to a post by Gemini Advisory, a cybersecurity firm.
The card theft dated back to May 2017 and likely involved 83 Saks Fifth Avenue locations, mostly New York and New Jersey Saks and Lord & Taylor stores, Gemini Advisory said.
About 35,000 records of Saks Fifth Avenue and 90,000 records of Lord & Taylor customers already had been released by the syndicate, and Gemini Advisory expected more to be released over time.
Delta Air Lines and Sears Holdings on April 4 separately announced that they were the victims of a data breach at a customer service online chat platform called [24.7] a.i.
Sears said it was notified in mid-March about the incident, which involved access to credit card data of fewer than 100,000 customers between Sept. 27, 2017, and Oct. 12, 2017. However, customers using Sears-branded cards were not impacted. Sears said it immediately notified federal law enforcement, its banking partners and outside IT security firms, and that neither stores nor internal Sears systems were compromised.
Delta said it was notified by the same firm on March 28, and that certain payment data for a “small subset” of customers from Sept. 26, 2017, to Oct. 12, 2017, had been accessed. Federal law enforcement and outside cyberforensic teams were brought in to help investigate the incident. The airline launched a website, delta.com/response, to post updates.
Asleep at the Switch
“While each incident is different, the overarching theme is poor cybersecurity hygiene, or fundamentals,” said Andrew Howard, CTO at Kudelski Security.
“None of these attacks appear to be overly sophisticated, but rather take advantage of mistakes and human error to gain access,” he told the E-Commerce Times.
A common thread across major companies is that no one has been thinking proactively across different threat vectors, observed Manoj Asnani, vice president of product and design at Balbix.
“If we expect to see the problem minimized at any time in the near future,” he told the E-Commerce Times, “enterprises are going to need to find a better way to cover all of their attack surfaces, and fix key issues ahead of the next breach happening.”