Incident Of The Week: Shopify Internal Data Breach Exemplifies Insider Threat Tr...

October 16, 2020

[Records Exposed: 200  |  Industry: E-Commerce  |  Type Of Attack: Insider] 

On Tuesday, Shopify released a statement reporting an internal security incident carried out by two rogue employees that affected less than 200 e-commerce stores.

The Facts

Founded in 2006, The Canadian based e-commerce company is the go-to vendor for e-tail commerce needs. Shopify supports over one million registered merchants in 175 countries including such big names as Tesla and Sephora. While the internal data breach compromised the personally identifiable information (PII) of about 200 users, it appears Shopify took and is taking the necessary steps to mitigate damage. Still, the breach was significant enough to drop its stock by 1.27% on the New York Stock Exchange.

The statement released by Shopify summarizes the breach as an effort by two rogue employees to steal transaction details from Shopify merchants. According to Shopify, the compromised data in this breach consists of, “…basic contact information, such as email, name, and address, as well as order details, like products and services purchased.” Payment card numbers and other sensitive information was not accessed during the breach.

Related: Building An Insider Threat Program Is Easier Than You Thought

Shopify is working closely with the FBI to further investigate the breach and the ex-employees who implemented the scheme. It is important to note that the breach did not occur as a result of a technological vulnerability.

Lessons Learned

While the investigation is still young, it follows a startling trend that has emerged within recent cyber security incidents. Tesla’s recent thwarted internal attack involved Russian operatives attempting to bribe internal employees. The headline-topping Twitter attack in July was made possible by the manipulation of internal employees using social engineering tactics.

Increasingly, cyber criminals are experts at gauging human vulnerabilities. In fact, their prowess is trending away from technological and toward psychological. Ransomware as a Service (Raas) enables less-technical cyber criminals the ability to focus on leveraging the vulnerabilities of the human psyche in order to leverage technological vulnerabilities.

Related:  10 Critical Characteristics Of Safe Vendor Partners

Some tactics are obvious, such as offering enterprise employees large amounts of cash in exchange for data or access to internal systems. Other tactics involve manipulating employees by pretending to be someone else or preying on their hectic schedules and/or carelessness. For example, these nefarious players expertly invoke strong human emotions such as fear or urgency through emails or direct communication in order to convince or cajole employees into clicking on a malicious link or reveal sensitive information.

Quick Tips

The human element of these attacks makes mitigation difficult for enterprises. Still, new security techniques are being developed and deployed to head these social engineering threats off at the pass, such as:

  1. Taking employee baseline assessments to identify risky employees and develop customized training plans that address their behavior.
  2. Moving away from long, tedious, yearly or bi-yearly security trainings and instead, implementing short, interactive training sessions that fit better into an employee’s day. This strategy has a three-pronged benefit:
  3. Information retention increases
  4. Practice makes perfect
  5. Constant training “reminds” employees that the enterprise is well versed in and on the lookout for internal compromises.

While corporations notoriously invest heavily into cyber security software—as they should—no software protects against simple human error, whether intentional or accidental. Top cyber security experts implore corporations to create or source out strong cyber security training. Even basic employee education curriculum such as mouse-over skills and understanding the anatomy of an email address or domain name has a positive impact on enterprise vulnerability.

Read More: Incident Of The Week

Read the original article and additional information at Cyber Security Hub