As coverage of the alleged Home Depot credit card breach and its potential consequences dominates the headlines, a smaller, less-publicized breach involving Goodwill Industries Inc. highlights the importance of service provider due diligence.
Goodwill confirmed Tuesday that customer credit and debit card data was stolen at 330 stores across 19 states between February 2013 and August 2014. Some media outlets are reporting the number of breached cards could reach 868,000.
In July, a payment card industry fraud investigative unit and federal authorities informed the company that its customers may be victims of a breach. Goodwill President and CEO Jim Gibbons stated that the company "took immediate steps to address this issue" and hired a third-party forensic investigator.
In its statement, Goodwill said its investigator concluded that malware on systems belonging to an as-yet-unnamed third-party provider was to blame for the breach. According to the organization's Director of Public Relations Lauren Lawson, Goodwill does not have a centralized payment card-processing system and instead relies on third-party service providers. The company also noted none of its internal systems were compromised, and that in the course of the month-and-a-half-long investigation it received a "very limited number of reports" of fraudulent use of stolen card data.
The Goodwill security breach underscores that partner and third-party service provider due diligence -- or taking steps to ensure that standards are met, especially in a PCI-bound environment -- is crucial to protecting payment card data.
The PCI Security Standards Council hammered home that point this summer with the release of a new guidance document on maintaining third-party service provider compliance, intended to help organizations ensure their providers and partners meet PCI DSS requirements.
The document, according to PCI SSC Chief Technology Officer Troy Leach, provides information on addressing and overcoming various service provider tasks and challenges, including "how to determine scope, ensuring due diligence in the relationship, how you establish a good relationship with service providers, and simply what a policy should include, and what types of questions you should ask."
It's no surprise that the guidance highlights the importance of gaining transparency into service providers' operations -- specifically their security and compliance due diligence efforts. Specific to malware prevention, the guidance urges merchants to press providers on their detection, containment and eradication controls, and to ensure those controls are in place on every system that handles customers' cardholder data.
As a result of the Goodwill security breach, the company is learning the hard way how dangerous it is to neglect third-party service provider due diligence, but the silver lining is that other organizations can learn from it.
In other news
- As part of its 2014 IT Security Risks survey, security vendor Kaspersky Lab found that only 50% of employees told their company about a stolen device on the day of the incident. More than a third of employees waited up to two days to notify employers of stolen mobile devices, and 9% took three to five days. This delay, Kaspersky said, can hinder an organization's ability to thwart the issues inherent to stolen devices through measures such as remote wiping. The report also revealed that the number of companies experiencing mobile device theft grew to 25%, up from 14% in 2011.
- The CERT Coordination Center (CERT/CC) at Carnegie Mellon University's Software Engineering Institute published a list of popular Android apps that do not validate SSL certificates properly, leaving users vulnerable to man-in-the-middle (MitM) attacks. Using a MitM testing tool called CERT Tapioca, researchers scanned Android apps for SSL vulnerabilities. While CERT generally gives vendors a 45-day disclosure window, it said that attackers are likely already performing MitM attacks on vulnerable apps, so time is of the essence. In its blog post, CERT wrote that users had the right to know if they were using vulnerable apps so they could uninstall them, and that "the disclosure of affected applications benefits the defenders and not the attackers."
- In a report released Tuesday, Israeli security firm Cyberintel Ltd. revealed how a 12-year-old espionage network dubbed the "Harkonnen Operation" penetrated hundreds of companies, institutions and facilities in Germany, Austria and Switzerland. Since 2002, the network used spear-phishing attacks to infiltrate victim systems and Trojans to relay sensitive data back to its infrastructure. According to Cyberintel CEO Kobi Ben-Naim, the group invested about $150,000 in legitimately registered UK domains and SSL certificates to camouflage its malicious activity. Because the domains looked legitimate, few companies investigated them, allowing the operation to persist for such an extreme length of time. In addition to the report, Cyberintel released a list of the hazardous domains and IP addresses.
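The CERT/CC item above describes the failure mode without showing it. The following Java example, added here and not taken from CERT/CC, CERT Tapioca or any of the apps it flagged, shows the two-line mistake that produces an app accepting any certificate (an all-trusting X509TrustManager plus an always-true HostnameVerifier) next to a hardened configuration that keeps the platform's chain and hostname checks and adds a SHA-256 public-key pin. The pin value in main() is a placeholder assumption, not a real server's key; the class and method names are this example's own.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TlsValidationExample {

    // VULNERABLE: a TrustManager whose checkServerTrusted() never throws accepts
    // any chain, including one a MitM proxy mints on the fly. Pairing it with a
    // HostnameVerifier that always returns true removes the last check that the
    // certificate was issued for the host the app meant to reach.
    static void installInsecureDefaults() throws Exception {
        TrustManager[] trustAll = new TrustManager[] {
            new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                public void checkServerTrusted(X509Certificate[] chain, String authType) { }
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) { return true; }
        });
    }

    // HARDENED, step 1: the platform's default X509TrustManager (system CA store,
    // chain building, expiry). A null KeyStore selects the default trust store.
    static X509TrustManager platformTrustManager() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Hex SHA-256 over the DER SubjectPublicKeyInfo. Pinning the key rather than
    // the whole certificate survives re-issuance as long as the key pair is kept.
    static String spkiSha256Hex(X509Certificate cert) throws NoSuchAlgorithmException {
        byte[] spki = cert.getPublicKey().getEncoded();
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // HARDENED, step 2: wrap the platform trust manager. The normal checks run
    // first and are never bypassed; then the leaf's SPKI hash must match the pin.
    // The pin lives in the TrustManager, not a HostnameVerifier, because some
    // HttpsURLConnection implementations only consult the verifier after the
    // built-in hostname check has already failed.
    static X509TrustManager pinnedTrustManager(final X509TrustManager platform,
                                               final String expectedSpkiHex) {
        return new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                platform.checkClientTrusted(chain, authType);
            }
            public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                platform.checkServerTrusted(chain, authType);
                if (chain == null || chain.length == 0) {
                    throw new CertificateException("empty certificate chain");
                }
                try {
                    if (!spkiSha256Hex(chain[0]).equalsIgnoreCase(expectedSpkiHex)) {
                        throw new CertificateException("leaf SPKI does not match pinned value");
                    }
                } catch (NoSuchAlgorithmException e) {
                    throw new CertificateException(e);
                }
            }
            public X509Certificate[] getAcceptedIssuers() { return platform.getAcceptedIssuers(); }
        };
    }

    static void installHardenedDefaults(String expectedSpkiHex) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        TrustManager[] tms = { pinnedTrustManager(platformTrustManager(), expectedSpkiHex) };
        ctx.init(null, tms, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        // No setDefaultHostnameVerifier() call: the platform hostname check stays in place.
    }

    public static void main(String[] args) throws Exception {
        // Placeholder pin (an assumption for this example, not a real server's key);
        // obtain the real value by running spkiSha256Hex() on the certificate to pin.
        String pin = "0000000000000000000000000000000000000000000000000000000000000000";
        installHardenedDefaults(pin);
        System.out.println("hardened TLS defaults installed; pinned SPKI sha256=" + pin);
    }
}
```

Two caveats a reviewer of app code should keep in mind. First, a Tapioca-style test is the right way to confirm the fix: put the app behind a proxy presenting an untrusted certificate and check that every HTTPS request fails rather than only the ones developers remembered to harden. Second, a single leaf pin with no backup pin turns a routine key rotation into an outage, so ship at least one backup pin or pin an intermediate CA key instead.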