Friday, January 4, 2019

Woesnotgone Meadow; December 8, 2018

All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth.

In the Meadow, we have plenty of reasons to celebrate. There are birthdays, anniversaries, new careers, and sometimes just because it is Tuesday. On these occasions, flowers are generally ordered. Locally, we can call Margie’s Florist, and she has the assistant deliver them. One such service for our neighbors to the north is Canada’s 1-800-FLOWERS. They, however, seem to have an issue which has recently become known.

Issue
The Canadian branch of 1-800-FLOWERS is a service which, as the name implies, allows the consumer to order flowers to be delivered. There was, unfortunately, malware on their web app, which was finally detected. The malware allowed unauthorized access to the customer’s credit card details. These issues, as we know, occur sporadically throughout the different industries. What makes this an anomaly is that the malware was present, unknown, for four years. This period is estimated at August 15, 2014, to September 15, 2018. During this time, the clients using the service potentially had their credit card information exfiltrated.

Data
The data available for the attackers to peruse included the client’s first name, last name, credit card payment data, expiration date, and the card’s security code. During this time, the client’s card could have been used by unauthorized persons to fraudulently purchase products. On a side note, due to the number of affected parties being 500 as it relates to California residents, the business had to notify the affected persons, naturally, and also the California attorney general.

Odd
This exploited vulnerability was present and active for four years, undetected. The InfoSec team did not notice the data being exfiltrated for the four years, day after day, week after week. The SIEM also appears not to have detected this during the subject time period. Some persons would believe this is acceptable and not their fault due to the complexity of the system. The excuse of “We don’t have the staffing or organizational structure” is not valid. There are tools to automate certain processes, and if this were the case, the issue needs to be brought to the attention of the C-Level and the Board of Directors.

The shocking point, however, is if these reasons were in effect, the problem is systemic. The management and Board of Directors did not, in this case possibly, act in a prudent manner. Some may even say this was negligent.

Malware
We should learn from our own and others’ mistakes; this is how the industry gets better. In this case, however, it has not been published how this malware was planted. This has caused, and will for years to come cause, issues for the clients until their credit cards are replaced or cycled through the usual process of replacement.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.


