As the recent data breaches of Capital One and Sephora make clear, global enterprises make compelling targets for today's increasingly stealthy and nimble cybercriminals. Both data security incidents were discovered within the last two weeks, according to recent reports. News media outlets have been playfully attacking the companies' taglines, reframing Capital One's "what's in your wallet?" (a hacker!) and Sephora's "let's beauty together" (You first!).
Colin Bastable, CEO at Lucy Security, pointed out that data breach victims will need additional protections beyond the usual 12-month credit monitoring that compromised companies provide. "The Dark Web probably knows more about most people in North America than their governments will publicly admit to," he said. "Employers need to protect themselves by ensuring that their employees are security aware."
Access via misconfigured firewall
Capital One Financial Corp. revealed July 29, 2019, that a Seattle software engineer formerly employed with Amazon Web Services stole personal information from an estimated 100 million consumers and small business owners who had applied for Capital One credit cards. The stolen cache includes application data from as far back as 2005, according to the FBI, which is investigating the case.
Capital One said it immediately informed the FBI when it learned through a third party on July 19 that its data had appeared on the code-hosting site GitHub. The company further stated that its data was stolen via a misconfigured firewall on an Amazon Web Services cloud server used to store sensitive information.
Amazon was quick to assert that the company accepted no blame for the massive leak. "AWS was not compromised in any way and functioned as designed," the representative told Newsweek. "The perpetrator gained access through a misconfiguration of the web application and not the underlying cloud-based infrastructure. As Capital One explained clearly in its disclosure, this type of vulnerability is not specific to the cloud."
Sephora customers' PII at risk
Sephora also disclosed July 29, 2019, that it had discovered a data breach potentially affecting customers in the Asia Pacific region. The global retailer, owned by LVMH Moët Hennessy Louis Vuitton, is known for its beauty, skincare and fragrance lines, and unique retail store concepts. It admitted that hackers may have stolen data, but not credit card information, from customers in Singapore, Malaysia, Indonesia, Thailand, the Philippines, Hong Kong, New Zealand and Australia.
Irregular online activities had been discovered over the past two weeks, according to Alia Gogi, Sephora's managing director for Southeast Asia. An email sent to customers and signed by Gogi indicated that the compromised data in the Sephora breach may include personally identifiable information (PII), such as customers' first and last names, dates of birth, gender, passwords and product preferences. As of this time, there is no indication that any of this data has been misused, the company stated. "We understand how important your personal information is and value the trust you place in us to protect it," the email stated.
"It is a great challenge for many organizations to standardize their cybersecurity operations globally," said George Wrenn, founder and CEO of CyberSaint Security, a Boston-based cybersecurity, compliance and risk management platform. "Varying regulations for both security and privacy come into play, especially when dealing with an enterprise that operates around the globe."
Capital One CEO Richard D. Fairbank apologized to everyone affected by the data theft, stating, "While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened." It is not known at this point whether the culprit, Paige Thompson, made the data available to other parties.
Sephora IT professionals are cooperating with forensic investigators and conducting a thorough review of the company's networks and security systems. In addition, the company cancelled existing passwords used by online customers and is offering free data monitoring to affected customers.
Sephora representatives also pointed out that the data breach only affected ecommerce sites; customers who shopped in brick-and-mortar stores exclusively, without accessing online services or the mobile app, will not be affected.
Beth Glancey, Sephora's country general manager for Australia and New Zealand, said the company has reached out to affected customers, stating, "being transparent and protecting the safety of our customers' information is our utmost priority."
Integrated risk management advised
Wrenn said that implementing integrated cybersecurity is critical for Sephora and other global enterprises, noting that spreadsheets do not get the job done. The Sephora breach and other widescale attacks are prompting many large organizations to adopt an integrated risk management (IRM) approach, he stated.
Gartner describes IRM as a "set of practices and processes supported by a risk-aware culture and enabling technologies, that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks."
Wrenn expanded on the IRM concept. "IRM is allowing organizations to aggregate risk and compliance data from all business units and make smarter and more informed decisions," he said. "With the patchwork of regulations that are emerging around the world, cybersecurity leaders must be prepared to integrate their organizations to stay wholly aware of the posture of their organization."
This post originally appeared on Greensheet - read the original post here.