3 Web Third-Party Security-Related Events: January 2021
2020 concluded with a flurry of cybersecurity incidents and developments that are making companies rethink their third-party application security strategy. The legal consequences of regulatory hiccups, financial implications of data breaches, and the poor state of third-party application security in general – all this and more in our January 2021 edition.
Poor Third-Party Compliance Standards Can Cost Billions
British Airways (BA), which has one of the world’s biggest passenger and cargo aircraft fleets, fell prey to a massive data breach in 2018. This took place via a third-party application vulnerability, which was escalated to steal over 400,000 customers’ private records. Besides the brand damage and operational problems, BA was initially issued a fine of $230 million (£183M) in 2019.
As things progressed and legal processes took effect, the Information Commissioner’s Office (ICO) reduced the fine to “only” $27 million (£20M) in 2020.
However, compliance violations often have lingering legal and financial implications. British Airways started 2021 on a sour note. Besides the ICO fine, it has been in a legal tussle with the consumer action law firm Your Lawyers, which is representing the victims of the 2018 GDPR breach. British Airways is now also staring at a settlement of around £3 billion. The legal battle continues.
The same is happening across the pond. A Salesforce vulnerability was exploited to hack into a leading online clothing retailer. This led to a massive data breach: over 10,000 records with sensitive information were stolen and sold on the dark web. This web-skimming incident cost the retailer over $400,000 in a monetary lawsuit settlement.
These regulations are not limited just to California. Multiple US states are introducing different versions of these guidelines. Neighboring Canada also recently passed its very own Digital Charter Implementation Act. Besides the obvious consent and transparency requirements, retailers and online businesses are now required to demonstrate security and privacy management.
What can we learn from this? Compliance is no longer optional. You have to establish a strong and transparent ecosystem for your third parties to pass your CCPA and GDPR audits with minimal hiccups. A strong compliance posture is key to ensuring business continuity today.
Most Leading eCommerce Platforms are Still Vulnerable
The eCommerce space is powered by hosted platforms such as Zencart, Woocommerce, BigCommerce, and Shopify. Thousands of retailers and vendors, regardless of the sector they belong to, are setting up their online businesses by using these user-friendly and effective platforms. But the bad news is that even these have been found to be vulnerable to web-skimming attacks.
A Dutch research team exposed a malicious Magecart script that can manipulate commonly used platforms such as Shopify and BigCommerce. This malware displayed a fake payment page to make customers fill in their personal and financial details. The users were then led to an “error page” to make things look “natural”, after which they were redirected to the original checkout page.
How was this made possible? The security researchers apparently located a vulnerable third party that all of these leading eCommerce platforms were using. These platforms are now aware of these vulnerabilities, but they have yet to comment or respond to the findings. What does this mean? eCommerce websites are not bulletproof by any stretch of the imagination.
The aforementioned research also exposed that the social media sharing buttons used on these well-reputed eCommerce websites are possible attack vectors as well. These buttons allowed the research team to inject credit card skimming code. Once a user clicked on one of the buttons, the malicious payload was executed. Malware is not exclusive to payment pages.
With typical eCommerce websites today using over 50 third parties (with hundreds of dependencies), you need to have a third-party application security management solution in place. Web-skimming and Magecart attacks can go undetected for weeks or even months due to the inability of traditional security tools (such as CSP) to cope with the dynamic nature of these third parties.
What can we learn from this? Using a popular and established eCommerce platform doesn’t make you immune to web-skimming and Magecart attacks. It’s highly recommended to take third-party application security seriously to steer clear of data breaches and brand damage.
Related: CSP: Not Exactly a Magecart Vaccine
Finance and Banking Sectors: Watch Your Compliance Posture
The GDPR took effect in Europe a few years ago and is now actually changing the way online businesses and entities handle their online security.
CCPA enforcement was probably the biggest US data privacy regulatory development of 2020. But the compliance landscape is always evolving. Enter NYDFS Cybersecurity Regulation, also known as 23 NYCRR 500. This cybersecurity protocol applies to banks, private bankers, licensed lenders, mortgage companies, and insurance firms operating in the state of New York.
All of the aforementioned businesses need to demonstrate sound cybersecurity standards, capacity planning, and implement solid network security. But that’s not all. 23 NYCRR 500 also requires all financial and banking websites to have a third-party risk-assessment framework in place. This will also involve a periodic third-party policy and control assessment. Are you prepared for it?
The New York Department of Financial Services (NYDFS) is already taking a tough stance against companies that are not meeting the requirements. First American Title Insurance Company, a leading insurance provider in the USA, failed to fix a vulnerability that led to massive data leakages for years. The firm is now looking at a fine that can reach up to $1,000 per violation (user).
Third-party application risk management is becoming a key part of online finance and banking. With more and more third-parties being used for sales, marketing, analytics, and development processes, only a comprehensive security and governance solution can help with behavioral analysis and risk assessment for optimized efficiency and regulatory compliance.
What can we learn from this? The ongoing digitalization of the finance and banking sectors requires the elevation of third-party application security standards. With more and more regulations requiring a layered security approach, you need to improve your third-party app management now.
Suggested reading – The New York State Department of Financial Services (DFS): Cybersecurity Resource Center