Kylie Cosmetics has issued a statement to customers in relation to a security incident involving its eCommerce platform, Shopify.
Francis Gaffney, Director of Threat Intelligence, Mimecast
September 30, 2020
This breach appears to be the result of a possible malicious insider threat, with rogue/naïve employees allegedly stealing data from within. This kind of breach is actually more common than one might expect. Organisations, understandably, invest a lot of resources to stop hackers from outside their organisation from breaching security defences, but most have little protection against an insider threat such as this one. It is likely that the target was identified as a result of social engineering; such attacks are usually quite sophisticated and can involve substantial research on the intended target to craft specific bespoke lures, such as websites and tailored emails, a process referred to as pattern-of-life analysis. The threat actor studies the target’s online presence, including their use of social media, to identify social and family networks, favourite restaurants, hobbies, and sporting or musical interests, to better understand how the target can be coerced into leaking data. A potential mitigation to this type of attack is to limit unnecessary access to sensitive data – access should only be on a need-to-know basis – but if the attacker has conducted their research competently, they will have identified a target with the necessary access. Human error is required for these attacks to be successful, which highlights the importance of regular cyber training to increase employee awareness of the methodologies used by threat actors.
Our State of Email Security report found 56% of organisations do not provide awareness training on a frequent basis, leaving businesses increasingly vulnerable. At the same time, appropriately managed access controls for administrative or supervisory accounts can assist in preventing the escalation of privileges, or abuse of permissions, that this particular attack relied upon. Both training frequency and access control need to change to prevent further successful attacks such as this one, which can cause reputational damage for any company.
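The two controls the commentary above points to, need-to-know access to customer data and monitoring of permission abuse by existing accounts, can be made concrete with a small access gate that records every request in an audit trail and then has that trail reviewed for insider-theft signals. The following is an added illustration written for this page, not code from Mimecast, Shopify or Kylie Cosmetics; the role policy, data classes, customer identifiers and the "bob" access pattern are all constructed here.

```python
"""Need-to-know access gate with insider-threat detection over an audit trail.

Added illustration (not from the original commentary): the role policy,
the data classes, the customer ids and the simulated activity are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed policy: which roles may read which classes of customer data.
# Each role gets only what its job needs (need-to-know); only admins see PII.
ROLE_PERMISSIONS = {
    "support_agent": {"order_status"},
    "fulfilment": {"order_status", "shipping_address"},
    "finance": {"order_status", "billing_summary"},
    "admin": {"order_status", "shipping_address", "billing_summary", "customer_pii"},
}


@dataclass
class AuditEvent:
    user: str
    role: str
    data_class: str
    customer_id: str
    allowed: bool


@dataclass
class AccessGate:
    policy: dict
    audit_log: list = field(default_factory=list)

    def request(self, user, role, data_class, customer_id):
        """Allow the read only if the role is entitled to that data class.
        Every request, allowed or denied, is written to the audit log."""
        allowed = data_class in self.policy.get(role, set())
        self.audit_log.append(AuditEvent(user, role, data_class, customer_id, allowed))
        return allowed


def flag_bulk_access(audit_log, threshold):
    """Users who read more distinct customer records than `threshold`.
    One account walking far more records than its work requires is a common
    signal of data theft, whether the holder is rogue or socially engineered."""
    distinct = defaultdict(set)
    for ev in audit_log:
        if ev.allowed:
            distinct[ev.user].add(ev.customer_id)
    return sorted(u for u, ids in distinct.items() if len(ids) > threshold)


def flag_denied_probing(audit_log, threshold):
    """Users with more denied requests than `threshold`: repeated attempts at
    data outside one's role indicate probing for extra permissions."""
    denied = Counter(ev.user for ev in audit_log if not ev.allowed)
    return sorted(u for u, n in denied.items() if n > threshold)


def simulate():
    """Constructed activity: ordinary support work for alice, and for bob an
    insider-style pattern of bulk reads plus attempts at out-of-scope PII."""
    gate = AccessGate(ROLE_PERMISSIONS)
    for cid in ("c1001", "c1002", "c1003"):
        gate.request("alice", "support_agent", "order_status", cid)
    for i in range(60):
        gate.request("bob", "support_agent", "order_status", f"c{2000 + i}")
    for i in range(5):
        gate.request("bob", "support_agent", "customer_pii", f"c{2000 + i}")
    return gate


if __name__ == "__main__":
    g = simulate()
    print("bulk access:", flag_bulk_access(g.audit_log, threshold=25))
    print("probing:", flag_denied_probing(g.audit_log, threshold=3))
```

The thresholds are placeholders; in practice they are set from each role's normal daily volume, and the review runs over the real platform's access logs rather than an in-memory list. The point the gate makes is that need-to-know limits what any single coerced or rogue account can reach, while the audit trail lets a review catch the account that is reading far more than its job needs before the data leaves.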
