Black Friday data breach raises concern
Almost every week we hear of a new cyber attack affecting yet another household brand. This week Amazon was hit with what they called a ‘technical error’ days before the much-anticipated Black Friday Sale. The incident meant names and email addresses of a number of users were revealed just hours before one of the biggest online sales events of the year.
Amazon didn’t specify the number of users affected or where their users are based. Their initial advice to affected users has been to do nothing – and while this is probably because no passwords are known to have been revealed during this breach, we would advise that users take the precautionary step of changing their passwords.
What could hackers do with only a name and an email address?
Well, quite a lot actually. Large databases of historic data dumps are easily accessible, even to a novice hacker. Finding the most likely password combinations can be automated effortlessly using a few easy-to-access tools, all readily available on the dark web. This is particularly effective if the same credentials are in use on other accounts that were previously breached. Just like that, users’ accounts can be accessed, exposing all billing, shipping and payment details.
The email communication from Amazon to affected users has been widely criticised online for being too short and vague, and for failing to reassure many users. Questions that remain are: the number of affected users, which Amazon sites were impacted during the breach, who had access to the data revealed and how long the data had been exposed before the vulnerability was patched.
It is not known if Amazon have started notifying any regulatory bodies or whether any of the data revealed is known to affect EU residents. However, if it is found that Amazon had not taken reasonable steps to protect the privacy of users, there could be significant penalties awaiting the conglomerate.
Companies of varying sizes and across all industries continue to be victims of cyber attacks and data leaks on a daily basis. Much as with traditional terror incidents, the public have accepted that data breaches are a matter of ‘when’ rather than ‘if’. All the while, the public remain sensitive to the integrity of their personal data online.
While the public accept that their data is at risk, when assigning blame following a breach, their opinion has typically centred on the company’s response. At times companies have been found responsible for not taking appropriate preventative steps, while on other occasions they have been viewed as victims of an extremely sophisticated and targeted attack.
Ultimately, it is less about assigning blame and more about ensuring the right prevention solutions are deployed, incident response workflows and plans are in place, and that crisis management plans and crisis communications plans are documented for use in extremis.
It is crucial for companies to ensure that their crisis communications plan allows for the right messaging to be communicated to all relevant stakeholders at the appropriate time.
Additionally, data audits need to be carried out to ensure storage of all personal data is mapped out, saving companies critical time during the tight 72-hour deadline stipulated in the GDPR. Having a clear understanding of the network architecture, and mapping out where data is stored and how each system interacts with the other systems in use, is crucial in allowing companies to quickly identify and notify as necessary.
How can NYA help?
Our Cyber Risk Management services help you establish controls and processes around your systems that protect your information assets, monitor and understand threats as they evolve, and build and test your resilience to incidents. This is enhanced through risk treatment options such as simulated incident exercises designed to train and test your incident response and crisis management capability.
*** This is a Security Bloggers Network syndicated blog from NYA authored by Alison Burrell. Read the original post at: https://nyarisk.com/2018/11/23/black-friday-data-breach-raises-concern/