3 Web Third-Party Security Related Events: October-December 2020
With COVID-19 still very much among us, online activity is continuing its global ascent, and the security implications are clear: third-party applications running on websites create numerous risks and blind spots that are becoming harder to detect. Let’s dive into the biggest developments and takeaways to wrap up 2020.
Web-Skimming Attacks Go Beyond Traditional Online Retail. Who’s Next?
With online usage expected to keep growing in 2021, just as it has in recent years, the threat is now expanding to other sectors. In our previous 3-Events post, we mentioned Warner Music Group (WMG), which was subjected to a 102-day Magecart attack in which thousands of users’ personal and financial information was stolen.
Government websites are not immune either. Cybersecurity researchers recently exposed the compromise of government websites in eight different U.S. cities. The culprit – Magecart. The entry point – Click2Gov, a vulnerable web-based third-party payment solution used by multiple government websites. While the magnitude of the breach has not been officially disclosed, it is safe to assume that thousands of users’ personal information is now “out in the wild”. The U.S. education sector is also no stranger to Magecart attacks: there have been reports of data theft from over 200 online campus stores selling merchandise to students in the U.S. and Canada. A skimming script injected into the relevant payment pages was enough to get the job done.
What can we learn from this? If you thought web skimmers limit their attacks to the confines of the common eCommerce sector, think again. Government sites, financial websites of all types, and practically every kind of eService provider need to take these risks and blind spots seriously in 2021 and beyond, as we are already seeing more and more of these attacks target the government and education sectors.
Related: CSP: Not Exactly a Magecart Vaccine
Regulation Is Getting Tighter. What Can We Learn From This?
A lack of third-party application security does not only lead to data privacy violations that must be reported and remediated. It is followed by brand damage and hefty legal action, often including large fines that hit the bottom line directly and can bring an entire business to a halt.
Take Morgan Stanley first, to understand the broader perspective of third-party risk. The US Office of the Comptroller of the Currency (OCC) recently issued a $60 million fine against the multinational investment bank and financial services company for improper disposal of personal data and “inadequate assessment of third-party vendor risks”. This is just one example of a company shelling out a massive amount of money due to inadequate risk management of the third-party applications and services it uses. Are you a “west coast operator”? Keep in mind that the California Consumer Privacy Act (CCPA) took effect on January 1, 2020. And if you do business in European markets, you need to pay close attention to the GDPR rules and regulations.
Ticketmaster UK, another company that was compromised in 2018 due to a faulty third-party application implementation, was recently fined £1.25 million by the Information Commissioner’s Office (ICO). The ICO found that the company had been “failing to implement a layered security approach”.
Unfortunately, the aforementioned fines are just the tip of the iceberg when it comes to financial penalties after data breaches, and the list keeps growing. The ICO also fined British Airways £20 million for General Data Protection Regulation (“GDPR”) violations stemming from its 2018 breach. Yes, this was much lower than the £183.39 million fine originally announced shortly after the breach, but it is another example of what happens when security standards are inadequate.
What can we learn from this? The financial implications of data breaches caused by third-party applications can no longer be swept under the rug. With the ICO and other regulatory bodies issuing huge fines for data privacy violations, what are you doing to secure your third-party application ecosystem? Regardless of the sector you belong to, you need to make sure you are not exposed, especially through your third-party applications and services. Tighter regulation and enforcement make it clear that the organization running the website is held responsible for the third-party applications on it. Now think about your liability and your accountability.
Related: ICO Fines Ticketmaster UK £1.25 million
Magecart Threats Keep Escalating
The holiday season is here and eCommerce is seeing its annual spike, amplified this year by the ongoing pandemic and the broader digital transformation trend. With hundreds of millions of people sharing their personal and financial information online, the security risks are rising too.
Wired named Magecart a major cybersecurity disruptor in its 2018 wrap-up post. That was the year Ticketmaster UK, British Airways, and Newegg were hacked. Security researchers estimate that the Magecart “community” has made millions of dollars from the sale of stolen data in the last three years alone, and that is based only on officially confirmed information and reports.
What can we learn from this? We are witnessing a well-documented rise in Magecart and web-skimming incidents in 2020, and this trend is not expected to lose steam in 2021. These attacks are also becoming increasingly sophisticated, as explained in our Pipka article. eCommerce website owners need to recognize the importance of third-party application security and act accordingly.