The Debenhams Flowers website hack reveals the risk retailers take when conducting business online, while highlighting some useful lessons for future security.
It would be unfair to speculate on exactly how the Debenhams Flowers security breach, which compromised the details of 26,000 customers, occurred while the retailer is still conducting its own internal investigation.
What is clear is that Debenhams Flowers extended its online presence by partnering with Ecomnova, a company that owns and operates flower and gifting websites.
When retailers hand part of their online operation to third parties, their security perimeter has to extend with it: the defences cannot stop at the retailer's own internal systems.
The same applies to cloud service providers. Moving operations to the cloud may streamline them, but it also widens the attack surface, and that additional risk should be managed as part of the security strategy rather than assumed away.
Third-party vendors integrated into the retailer's daily activities, such as billing, identity management and any other module used on the retail website, are the soft underbelly of a retailer's cyber security.
Attackers see them as entry points. Retailers should therefore take immediate steps to invest in reinforcing the cyber security of their supply chain.
Credential stuffing, widely practised by cyber criminals with tools such as Sentry MBA, lets an attacker force their way into a website using large lists of username/password pairs leaked from breaches of other websites; the technique works because many users reuse the same password across sites.
For example, an attacker who has assembled a combination list of around one million credentials could expect to hijack around 10,000 accounts on any popular website using Sentry MBA: a hit rate of only about 1% is enough to make the attack pay.
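The defender's view of the attack described above is a login log in which one source tries many different accounts once or twice each, failing most of the time and occasionally succeeding. The Python below is an added example, not code from the original article or from Debenhams or Ecomnova: it parses constructed login-log lines, aggregates them per source address and separates the credential-stuffing pattern (many distinct accounts, low attempts per account, high failure ratio) from a single-account brute force and from a legitimate user who mistypes a password. The log format, addresses, user names and thresholds are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (not real data). Three sources:
#  - 203.0.113.7  cycles through twelve accounts, one attempt each, two succeed
#                 (the credential-stuffing pattern, with a deliberately high
#                 hit rate so the sample stays short);
#  - 198.51.100.9 hammers the single account "admin" (classic brute force);
#  - 192.0.2.5    is a normal user who mistypes her password once.
SAMPLE_LOG = """\
2017-05-05T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2017-05-05T10:00:02Z src=203.0.113.7 user=bob result=FAIL
2017-05-05T10:00:03Z src=203.0.113.7 user=chen result=OK
2017-05-05T10:00:04Z src=203.0.113.7 user=dana result=FAIL
2017-05-05T10:00:05Z src=203.0.113.7 user=eve result=FAIL
2017-05-05T10:00:06Z src=203.0.113.7 user=farid result=FAIL
2017-05-05T10:00:07Z src=203.0.113.7 user=gita result=FAIL
2017-05-05T10:00:08Z src=203.0.113.7 user=hugo result=FAIL
2017-05-05T10:00:09Z src=203.0.113.7 user=ines result=FAIL
2017-05-05T10:00:10Z src=203.0.113.7 user=jun result=FAIL
2017-05-05T10:00:11Z src=203.0.113.7 user=kate result=OK
2017-05-05T10:00:12Z src=203.0.113.7 user=liam result=FAIL
2017-05-05T10:01:00Z src=198.51.100.9 user=admin result=FAIL
2017-05-05T10:01:01Z src=198.51.100.9 user=admin result=FAIL
2017-05-05T10:01:02Z src=198.51.100.9 user=admin result=FAIL
2017-05-05T10:01:03Z src=198.51.100.9 user=admin result=FAIL
2017-05-05T10:01:04Z src=198.51.100.9 user=admin result=FAIL
2017-05-05T10:01:05Z src=198.51.100.9 user=admin result=FAIL
2017-05-05T10:02:00Z src=192.0.2.5 user=mara result=FAIL
2017-05-05T10:02:09Z src=192.0.2.5 user=mara result=OK
"""

# Assumed log line layout: timestamp, source address, account, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct accounts tried
    succeeded: set = field(default_factory=set)  # accounts this source got into


def parse(log_text):
    """Yield one dict per well-formed log line; silently skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def aggregate(events):
    """Roll login events up per source address."""
    stats = defaultdict(SourceStats)
    for ev in events:
        s = stats[ev["src"]]
        s.attempts += 1
        s.users.add(ev["user"])
        if ev["result"] == "FAIL":
            s.failures += 1
        else:
            s.succeeded.add(ev["user"])
    return stats


def classify(s, min_users=10, min_fail_ratio=0.8, max_attempts_per_user=2.0):
    """Label one source. Thresholds are illustrative, not tuned values.

    Credential stuffing: many distinct accounts, each tried only once or twice,
    with most attempts failing. Brute force: one account, many failures.
    """
    if s.attempts == 0:
        return "idle"
    fail_ratio = s.failures / s.attempts
    attempts_per_user = s.attempts / len(s.users)
    if (len(s.users) >= min_users
            and fail_ratio >= min_fail_ratio
            and attempts_per_user <= max_attempts_per_user):
        return "credential-stuffing"
    if len(s.users) == 1 and s.failures >= 5:
        return "brute-force"
    return "benign"


def detect(log_text):
    """Map each source address in the log to its classification."""
    return {src: classify(s) for src, s in aggregate(parse(log_text)).items()}


def hijacked_accounts(log_text):
    """Accounts a credential-stuffing source logged into successfully.

    These logins look legitimate on their own (correct password, no lockout),
    so they are only visible through the surrounding pattern; each one needs
    a forced password reset and session invalidation.
    """
    out = set()
    for s in aggregate(parse(log_text)).values():
        if classify(s) == "credential-stuffing":
            out |= s.succeeded
    return out


if __name__ == "__main__":
    for src, label in detect(SAMPLE_LOG).items():
        print(f"{src:<14} {label}")
    print("accounts to reset:", sorted(hijacked_accounts(SAMPLE_LOG)))
```

The point of the example is that the successful logins from 203.0.113.7 are indistinguishable from genuine logins if each is examined alone; only the per-source aggregate reveals that they are the 1% of the combination list that happened to match. Tools of this kind typically rotate through proxy lists to defeat exactly this per-address view, so production detection also keys on user-agent, client fingerprint, network owner and the velocity of distinct usernames across the whole site.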
Social media networks such as Facebook, Twitter and LinkedIn can also be exploited by cyber criminals to effect a cyber security breach.
Staff must be trained to treat all social media with caution, and in particular not to click on links embedded in tweets and posts, as these often lead to malware or phishing pages designed to open the door to a breach.
Cyber criminals also routinely monitor social media as a form of reconnaissance to build a profile of key staff members that can then be used to facilitate an orchestrated attack – for instance, sending fake communications appearing to come from a trusted member of staff.
A retailer's strongest defence against these and other attacks should be Red Team Automation.
A "Red Team" traditionally works covertly, probing an organisation's weakest points with the same techniques that organised cyber criminals use.
Automating this process means deploying specialist software that runs those tests continuously, rather than as an occasional engagement whose findings are out of date within weeks.
Chief information security officers (CISOs) can then identify weaknesses in their defences and fix them before cyber criminals exploit them.
Debenhams was also reported as saying that cyber criminals had access to Ecomnova's systems for more than six weeks.
It is possible that evidence of the breach existed during this period before Debenhams itself was aware of it: stolen customer details are frequently offered for sale on dark web forums before the retailer knows it has been breached.
As major UK retailers such as Debenhams start to move more of their business onto the internet, they will increasingly attract the attention of cyber criminals from around the world.
According to industry estimates, UK shoppers will spend roughly £67bn online in 2017, of which around £27bn will be via mobile devices.