We are less than a week into the New Year and there is already news related to data breaches, malware and encryption.
American fashion retailer Forever 21 suffered a data breach last year after a point-of-sale malware infection compromised payment card data collected at certain Forever 21 stores. An investigation found that the attack was made worse by a lack of encryption on some devices, which allowed hackers to access data from customers who made purchases using payment cards between April and November 2017.
The incident report revealed that a number of POS devices did not always have the encryption technology turned on during the period of the attack, so data being stored and recorded on those devices for payment transaction authorizations was left unprotected. Hackers gained access to Forever 21’s network and infected the devices with malware capable of reading the track data from payment cards. From that point, the criminals had access to sensitive data such as card numbers, expiration dates, internal verification codes and, on occasion, cardholders’ names.
Had the retailer been proactive in checking that encryption was activated across all its POS systems, this breach would have been averted. The impending GDPR will remind organizations that sensitive data must be protected at every stage of its use: at rest, in use and in transit. Many third-party encryption solutions offered today protect data only at the point where it is stored, not at every stage. Remember, not all encryption methods are created equal, and protection that covers only part of the data’s lifecycle will fail to meet the GDPR’s standards.
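The article's point is that the gap was detectable: an organization that periodically reconciles the encryption state of every terminal against a fleet inventory finds devices that have been switched off, or never switched on, before an attacker does. The script below is an added example, not Forever 21's tooling or anything from the original article. It takes a constructed log of encryption on/off events per POS terminal (the device names, log format and audit window are assumptions chosen for illustration) and reports every terminal that was unprotected at any point inside the window, treating a terminal that has never reported its state as unproven and therefore unprotected.

```python
"""Fleet audit of POS encryption state over a time window.

Added example (not from the original article). The input is a constructed
event log: (device_id, ISO timestamp, state) where state is the encryption
setting the terminal reported at that moment. The device ids, the log format
and the April-November 2017 window are assumptions for illustration only.
"""
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample events; nothing here is real Forever 21 data.
SAMPLE_EVENTS = [
    ("POS-001", "2017-03-01T09:00:00", "on"),
    ("POS-002", "2017-03-01T09:00:00", "on"),
    ("POS-002", "2017-05-10T14:30:00", "off"),  # encryption switched off
    ("POS-002", "2017-06-01T08:00:00", "on"),   # restored three weeks later
    ("POS-003", "2017-03-01T09:00:00", "off"),  # never enabled
    ("POS-004", "2017-08-15T12:00:00", "on"),   # nothing reported before mid-August
]

# Audit window matching the period named in the article (assumed bounds).
AUDIT_START = datetime(2017, 4, 1)
AUDIT_END = datetime(2017, 11, 30, 23, 59, 59)

Event = Tuple[datetime, str]


def parse_events(events) -> Dict[str, List[Event]]:
    """Group raw events per device and sort each device's events by time."""
    by_device: Dict[str, List[Event]] = {}
    for device, ts, state in events:
        by_device.setdefault(device, []).append((datetime.fromisoformat(ts), state))
    for seq in by_device.values():
        seq.sort()
    return by_device


def unencrypted_intervals(seq: List[Event], start: datetime, end: datetime):
    """Return the sub-intervals of [start, end] during which this device was
    not known to have encryption on. A device that has not yet reported any
    state counts as unprotected: absence of evidence is a finding, not a pass."""
    intervals = []
    state = "unknown"
    since = start
    # A sentinel event at the window end closes the last open interval.
    for ts, new_state in seq + [(end, None)]:
        if state != "on":
            lo, hi = max(since, start), min(ts, end)
            if lo < hi:
                intervals.append((lo, hi))
        state = new_state
        since = ts
    return intervals


def audit(events, start: datetime = AUDIT_START, end: datetime = AUDIT_END):
    """Return {device: [(from, to, hours_unprotected)]} for every device that
    had at least one unprotected interval inside the audit window."""
    findings = {}
    for device, seq in parse_events(events).items():
        gaps = unencrypted_intervals(seq, start, end)
        if gaps:
            findings[device] = [
                (lo, hi, round((hi - lo).total_seconds() / 3600, 1)) for lo, hi in gaps
            ]
    return findings


if __name__ == "__main__":
    for device, gaps in sorted(audit(SAMPLE_EVENTS).items()):
        for lo, hi, hours in gaps:
            print(f"{device}: unprotected {lo:%Y-%m-%d %H:%M} to {hi:%Y-%m-%d %H:%M} ({hours} h)")
```

Run against the constructed log, the audit flags POS-002 for the three weeks it was switched off, POS-003 for the entire window, and POS-004 for the months before it first reported a state; POS-001 is clean. The choice to treat "no report" as a finding is deliberate: a terminal that is silent about its encryption state is exactly the kind of device the article describes, and a check that only looks for explicit "off" events would miss it.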