The Lakeland breach is the latest high profile account data compromise event to make the headlines. 

Lakeland should be commended for taking the decision to ‘go public’ with the information as people will appreciate its honesty.

There are basic security protocols and standards retailers should adhere to – for credit card data it is the Payment Card Industry Data Security Standard (PCI DSS). 

If a merchant fully meets the PCI DSS standards then a data breach is highly unlikely to occur. Lakeland has stated “we have no evidence that any card data has been compromised”.

This probably means the forensic investigation being carried out by a security specialist is ongoing and the final picture of what data has, and has not, been accessed is not yet clear.

It is promising that Lakeland encrypted the databases which were accessed. Hopefully this means none of the data accessed was readable, and if Lakeland has suitable encryption key management in place then it is all the more likely that the accessed data is of no value.

We have also seen a very sophisticated Java related attack recently. In our example, a malicious web shell was uploaded to the web server. This enabled the creation of a JavaScript file that was custom-coded to steal the card data within the form and post the results to a Google Analytics account accessible by the hackers. 

The JavaScript was a very clever piece of code which masked the extraction of cardholder data as genuine Google Analytics data. My recommendation would be to ensure Java is on your list of critical updates.
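The attack described above works by adding or altering script on the checkout page, so one practical control is to keep an inventory of the scripts that page is allowed to carry and alert when it changes. The following is an added example written for this page, not code from the original article or from WorldPay: it parses a checkout page, flags external scripts loaded from origins outside an allowlist, and flags inline scripts whose SHA-256 hash is not in a baseline recorded at release time. The allowed origins, the baseline page and the tampered page are all constructed for the example; in practice the page would be fetched from the live site on a schedule and the findings fed to monitoring.

```python
"""Script-inventory check for a card-entry page (added example, not from the article).

Baseline the scripts a checkout page is expected to carry, then audit later
copies of the page against that baseline. Any external script from an
unapproved origin, or any inline script whose hash is not in the baseline,
is reported as a finding for the security team to review.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute of each <script src=...>
        self.inline = []        # body of each inline <script>...</script>
        self._current = None    # buffer while inside an inline script

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._current = []

    def handle_data(self, data):
        if self._current is not None:
            self._current.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.inline.append("".join(self._current).strip())
            self._current = None


def collect_scripts(html):
    """Return (external_srcs, inline_bodies) for the given HTML document."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.external, parser.inline


def inline_hashes(html):
    """SHA-256 of every inline script body; record this from the release build."""
    _, inline = collect_scripts(html)
    return {hashlib.sha256(body.encode()).hexdigest() for body in inline}


def audit_checkout_page(html, allowed_origins, known_inline_hashes):
    """Compare a fetched page against the allowlist and baseline; return findings."""
    findings = []
    external, inline = collect_scripts(html)
    for src in external:
        parts = urlsplit(src)
        if not parts.netloc:        # relative URL: same-origin, expected
            continue
        origin = f"{parts.scheme}://{parts.netloc}"
        if origin not in allowed_origins:
            findings.append(f"external script from unapproved origin: {src}")
    for body in inline:
        digest = hashlib.sha256(body.encode()).hexdigest()
        if digest not in known_inline_hashes:
            findings.append(f"inline script not in release baseline (sha256 {digest[:12]}...)")
    return findings


# Assumed allowlist of origins the checkout page may load script from.
ALLOWED_SCRIPT_ORIGINS = {"https://www.google-analytics.com"}

# Constructed baseline page as shipped at release time (not a real site).
BASELINE_PAGE = """<html><body>
<form id="payment"><input name="cardnumber"><input name="cvv"></form>
<script src="/js/checkout.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script>ga('send', 'pageview');</script>
</body></html>"""

# Constructed copy of the same page after tampering: one extra external
# script from an unknown host and an altered inline script. The added
# lines are placeholders, not working code of any kind.
TAMPERED_PAGE = """<html><body>
<form id="payment"><input name="cardnumber"><input name="cvv"></form>
<script src="/js/checkout.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="https://static.collector.invalid/ga.js"></script>
<script>ga('send', 'pageview'); /* constructed: stands in for altered code */</script>
</body></html>"""


def run_demo():
    """Baseline the release page, then audit the tampered copy."""
    baseline = inline_hashes(BASELINE_PAGE)
    clean = audit_checkout_page(BASELINE_PAGE, ALLOWED_SCRIPT_ORIGINS, baseline)
    tampered = audit_checkout_page(TAMPERED_PAGE, ALLOWED_SCRIPT_ORIGINS, baseline)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = run_demo()
    print("baseline findings:", clean)
    for finding in tampered:
        print("ALERT:", finding)
```

A check like this is only as good as its baseline, so the inline hashes should be generated from the build artefact rather than from a page fetched after deployment, and the allowlist should be the same set of origins that the page's Content Security Policy permits. It does not replace PCI DSS controls on the web server itself, since the web shell that planted the file in the first place is the underlying failure.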

We have seen the trends in data breaches change over the last 18 months, with a significant shift over to third parties – organisations that handle customer data on behalf of retailers, such as webhosts or shopping carts. 

The drive behind this is probably because these organisations hold large amounts of data in comparison to their size, and because they are not large companies they do not have the same resources to throw at security. 

In addition, third parties quite often maintain the belief they are unlikely to be attacked, or that security protocols do not apply to them in the same way they would to a merchant.

Fuelling this increase in data breaches is the commoditisation of exploit kits which are sold as a service to would-be hackers. This is a frightening development which means virtually anyone can become a hacker. 

Just as you would get with something like a mobile phone, there are various packages and payment options you can select from. The Blackhole exploit kit is reported to be behind 70% of recent data breaches.

Even though these exploit kits are making hacking easier, the good news is the kits are utilising vulnerabilities we mostly know about already and there are plenty of standards out there to aid you. 

As I say, where card data is concerned you must adhere to the PCI DSS standards; the best way to not lose data is to not store it in the first place, for example outsourcing your payments to a PCI DSS compliant payment service provider.

  • Timothy Lansdale is head of payment security at WorldPay