News has just surfaced that Cash Converters has been hit by a data breach. The company reported that it had:
“Received an email threat from a third party claiming to have gained unauthorised access to customer data within a Cash Converters’ United Kingdom website (‘Webshop’). The unidentified third party’s threat included the widespread release of the data unless it receives a financial payment.”
Cash Converters has reported the threat to the authorities in the UK and Australia, and has appointed security advisors to review its systems. Credit card data was not stored on the Webshop although hackers may have accessed user records including personal details, passwords, and purchase history. IT security experts commented below.
Javvad Malik, Security Advocate at AlienVault:
“The attack highlights the importance of having threat detection capabilities that can alert to breaches in a reliable and timely manner. There isn’t much information available at the moment, but this is a rather different threat that rather than relying on ransomware; the attacker claims to have the data. The problem with this scenario is that without having reliable logs, the victim doesn’t know if the criminals actually have the data they are claiming to possess – or indeed if they will stick to their word and not release it in the event of receiving payment.”
Andre Stewart, VP EMEA at Netskope:
“While many Cash Converters customers may be wondering if their username and password is among the stash of stolen data, the fact is that the stolen credentials shouldn’t give any cause for concern – if basic cyber hygiene procedures were followed. But what are the chances that those passwords have been used for multiple accounts and remain the same? The truth is that we make it too easy for cyber attackers to tap into our online accounts and data by leaving our log-in credentials unchanged for years at a time, using the same details across accounts or choosing insecure passwords which are far too obvious.
“Wherever possible, organisations must make end users aware of basic cyber hygiene, steering them towards safe courses of action – including regular password updates. After all, each new hack can release a treasure trove of user details in the form of usernames, passwords and other information which can then be used to access other online services. When the same credentials are used across multiple accounts, these breaches can expose data in many different cloud apps and services at the same time. This creates a significant risk to the enterprise because passwords used in simple personal applications are all too often used for data critical applications at work.
“Businesses should also monitor credentials revealed in breaches and compare them to those used to access their services – across both the cloud and on premise. As critical data continues to spread beyond the traditional perimeter network, this vigilance will become increasingly important. If credentials are found to have been compromised in another breach, companies can prompt customers to change their details to ensure systems remain secure. Organisations should also monitor for unusual behaviour or usage patterns so that security teams can block intruders and protect sensitive data.”
Matt Lock, Director of Sales Engineers at Varonis:
“Financial organisations, like other critical sectors including healthcare, are prime targets for criminals because these institutions can’t operate without access to their files and customer records. Ransomware grinds daily activities to a standstill, and that happened earlier this year with the NHS. It’s often easier for organisations to simply pay the ransom in order to get back to business as usual, which further increases their likelihood of becoming a target.
When the EU General Data Protection Regulation (GDPR) kicks in next May, companies that handle information belonging to EU residents will have to adhere to a strict new set of guidelines. This case is a prime example of how organisations must adopt GDPR guidelines now and maintain best practices to secure their systems and lock down sensitive customer data.
With only months left remaining until GDPR kicks in, organisations are running out of time to take stock of how exposed their data is to attack. Had this attack occurred after GDPR kick in, Cash Converters would be facing stiff penalties. Ransomware and situations like this are the canary in the coal mine for organisations to reduce their risk profile by removing users that no longer need access and maintain a least privilege model to keep their data secure.”
Matthias Maier, Security Evangelist at Splunk:
“While not a great deal of information is currently available on what type of breach this was, it’s clear that those individuals involved are now at a high level of risk. Personal details from users of the old website are at risk of being used in creative ways by the hackers to access other online accounts, adopt new identities for social platforms or targeted phishing attacks.
Cash Converters must have the right response capabilities and processes in place to stifle the impact of malicious and highly destructive assaults. Working together with the authorities to investigate and analyse the digital fingerprints in logs the hacker may have left behind is now the right thing to do. This should help to identify and communicate to individuals the risks that they are exposed to, and also help Cash Converters to recover as a company from the security breach and monetary demands.”
Cash converters may have learned from the failings of those hacked before them when it comes to reassuring customers in the wake of a data breach, but it seems the important lessons concerning cyber security are yet to be learned.
It is yet again an avoidable vulnerability, as a result of sprawling IT systems, that has caused the data of consumers to find its way into the hands of hackers. It is up to businesses to change the mindset when it comes to cyber security and to implement coherent and comprehensive strategies that leave no data unprotected. The key to achieving this is giving CISOs the control they need, over budget and IT initiatives, to enable a Zero Trust security posture based upon user and application – rather than network – security. CISOs know watertight defences are virtually impossible, and can therefore define a security program that includes breach containment, using technology such as cryptography as the fabric to effectively segment the network to ensure we see the scale and scope of high profile hacks severely diminish.
Carl Leonard, Principal Security Analyst at Forcepoint:
“The unfortunate Cash Converters data breach is just another embodiment of the threat environment that businesses are facing every day. From Whole Foods to Forever 21 and Debenhams in the last 12 months, this is the new normal and no one is immune.
“While the breach is only affecting customers on the company’s old website, there has never been more pressure on enterprises, regardless of sector, to preserve privacy while leveraging data for legitimate business purposes. The more sensitive the data, the greater the liabilities caused by a breach.
“Fundamentally, focusing too narrowly on a single scenario can prevent companies from seeing the full spectrum of risk they face, with dire consequences. Companies need to adapt and update legacy defenses with modern, human-centric approaches that look at how and why data is accessed and by whom; this intersection of users, data and systems can become the critical point for effective security and compliance. In doing so, businesses can protect their customers and, crucially, their reputation against the ever increasingly threat of cybercrime.”