Company Credential

Retailers exposed when employee reuse ID

  • By Michael Marriott
  • May 01, 2017

The retail industry has taken hard hits from cyber attackers over the last several years, thanks to the highly publicized Target and Home Depot hacks along with hundreds of other incidents—there were nearly 160 retail breaches confirmed in the most recent, annual Data Breach Investigations Report from Verizon—the industry accounts for about 14 percent of all lost or stolen data records since 2013, according to an ongoing tally published by BreachLevelIndex.com. Among all sectors, that’s second only to the technology industry.

To lend further insight into the topic, Digital Shadows conducted an analysis of the top 1,000 companies on the Forbes Global 2000 list. With Digital Shadows SearchLight proprietary tool, the company was able to continuously monitor and collect corporate email/password breaches between April 2014 and June 2016 on social media, forums, “dark web” sources, criminal sites and “paste sites.”

Here are some results from businesses in the retail sector:

  • There were an estimated 157,000 unique breached email and password combinations linked to retailers. The personal and household goods subsector accounted for the most (36 percent), followed by apparel (22 percent), food (21 percent) and discount stores (10 percent).
  • Many retail employees and execs re-use their corporate emails for non-business or “unofficial business” outlets such as social media. Therefore, it should come as no surprise that social media sites represented a wealth of the breaches, including LinkedIn (with more than 72,500 occurrences) and MySpace (more than 30,740).
  • Outside of social media, we found nearly 42,000 leaks connected to Adobe and just over 3,200 to iMesh. Ashley Madison and other dating websites served as the source for more than 5,570 leaks—leaks which expose employees’ personally identifiable information (PII), partial credit card numbers and even their sexual preferences.

Why Data Breaches Matter

Our analysis probably comes as good news to cyber criminals, who are eager to leverage credential breaches to target the employees’ organizations. Here are five incidents and trends which illustrate how:

Account takeover. The alleged re-use of passwords stolen during a LinkedIn breach led to a Dropbox attack. Workers neglect to change passwords for years, using them for multiple services, making it too easy for hackers to take advantage.

Spear-phishing. In June 2016, Germany’s Computer Emergency Response Team for federal agencies (known as CERT-Bund) reportedly detected spear phishing emails sent to executives. Threat actors crafted personalized emails using the target’s first name, last name, job role and company name to send malicious, macro-enabled Microsoft Word documents.

Credential-stuffing. This occurs when adversaries automatically inject breached user name and password pairs in order to fraudulently gain access to accounts. The adversaries then hijack the account for a variety of purposes, such as spamming in-boxes, stealing funds and accessing PII.

Post-breach extortion. Hackers collected more than 200,000 corporate email addresses during the 2015 Ashley Madison attack. The cyber criminals then tried to extort victims, threatening to reveal the information to victims’ partners if they didn’t send payments via Bitcoin.

Spam emails. These credentials are valuable for spam campaigns, easily swiping email addresses.

Companies Need a Plan

Enterprises must protect themselves from compromises linked to breached email accounts and passwords. Here are best practices to consider:

  • Develop clearly stated policies to determine which kinds of external services are allowable for corporate email accounts.
  • Deploy an enterprise password management solution for secure storage/sharing and password creation/diversity.
  • Proactively monitor for “credential dumps” relevant to your accounts.
  • Establish multi-factor authentication for external corporate services.
  • Evaluate and document any internal services that aren’t federated for faster and more complete incident response.
  • Implement an emergency password reset process to include all user accounts.
  • Through user behavior analytics tools, import compromised identity information while detecting suspicious activity.
  • Train your employees – and then train them some more.

By fully identifying and mitigating the practices which leave businesses vulnerable—and then investing in employee awareness training—you’ll greatly reduce risk while cultivating a more educated workforce. That’s a win-win proposition in the age of cyber exposure.

This article originally appeared in the May 2017 issue of Security Today.

Featured

  • Video Surveillance Trends to Watch

    With more organizations adding newer capabilities to their surveillance systems, it’s always important to remember the “basics” of system configuration and deployment, as well as the topline benefits of continually emerging technologies like AI and the cloud. Read Now

  • New Report Reveals Top Trends Transforming Access Controller Technology

    Mercury Security, a provider in access control hardware and open platform solutions, has published its Trends in Access Controllers Report, based on a survey of over 450 security professionals across North America and Europe. The findings highlight the controller’s vital role in a physical access control system (PACS), where the device not only enforces access policies but also connects with readers to verify user credentials—ranging from ID badges to biometrics and mobile identities. With 72% of respondents identifying the controller as a critical or important factor in PACS design, the report underscores how the choice of controller platform has become a strategic decision for today’s security leaders. Read Now

  • Overwhelming Majority of CISOs Anticipate Surge in Cyber Attacks Over the Next Three Years

    An overwhelming 98% of chief information security officers (CISOs) expect a surge in cyber attacks over the next three years as organizations face an increasingly complex and artificial intelligence (AI)-driven digital threat landscape. This is according to new research conducted among 300 CISOs, chief information officers (CIOs), and senior IT professionals by CSC1, the leading provider of enterprise-class domain and domain name system (DNS) security. Read Now

  • ASIS International Introduces New ANSI-Approved Investigations Standard

    • Guard Services

  • Cloud Security Alliance Brings AI-Assisted Auditing to Cloud Computing

    The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, today introduced an innovative addition to its suite of Security, Trust, Assurance and Risk (STAR) Registry assessments with the launch of Valid-AI-ted, an AI-powered, automated validation system. The new tool provides an automated quality check of assurance information of STAR Level 1 self-assessments using state-of-the-art LLM technology. Read Now

Most   Popular

New Products

  • Compact IP Video Intercom

    Viking’s X-205 Series of intercoms provide HD IP video and two-way voice communication - all wrapped up in an attractive compact chassis.

  • 4K Video Decoder

    3xLOGIC’s VH-DECODER-4K is perfect for use in organizations of all sizes in diverse vertical sectors such as retail, leisure and hospitality, education and commercial premises.

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area.