The Retail Industry’s Third-Party Data Breach Problem

According to Trustwave’s 2018 Global Security Report, the retail industry suffered more data breach incidents in 2017 than any other sector as attackers become more organized and targeted with their efforts.

Retailers have increased their security spending to combat cybercrime, but some of the world’s top brands have still suffered data breaches because they are not addressing an important monitoring and security threat: third-party services.
Third-Party Services: Helpful or Destructive?
In today’s competitive digital environment, online businesses rely on armies of third-party services to boost engagement and optimize the customer experience on their websites. From live chats and custom fonts, all the way to product reviews and gifting apps, these add-ons have provided tremendous value to retailers. These same engagement boosters, however, can do more harm than good if hackers can exploit partners’ poor security standards or vulnerabilities within their solutions.
In 2018 alone, the Magecart hacking group stole hundreds of thousands of private customer records by exploiting vulnerabilities in third-party scripts.
To provide a couple of examples, the group’s Ticketmaster heist from June was caused by a loophole in a third-party chat bot app, and the British Airways breach was possible by injecting malicious code into the airline’s payment page through a tweaked Modernizr JavaScript library.
While brands should be sure to have the right technologies in place to prevent against things like fraud, data loss and other breaches that they can control, they also need to make sure that they are properly securing and accounting for the third-party applications their websites rely on as well.

There are some fundamentals security experts can utilize to protect themselves from third-party risks. 
Pre-Integration Auditing
A great place to start in building up a secure third-party service ecosystem is by auditing and scrutinizing all third-party applications, as well as any additional services they rely on, before they are officially implemented. Beyond ensuring that the roll out goes smooth in terms of performance and overall business value, a rigorous assessment procedure allows brands to gain the visibility needed to fully understand the different entry points attackers could attempt to penetrate.
Plus, thorough auditing can help them answer important questions related to faulty lines of code and potential loopholes hackers could try to slip through. Brands must fully understand the ins and outs of the services they deploy. At the time of implementation, a new customer service chat bot may seem like an easy engagement booster and valuable tool but, if the code backing it is faulty, the solution or service might as well have a bullseye on it for hackers.
You Can’t Prevent What You Can’t See
Many third-party services depend on additional tools to manage properly which then add to a retailer’s total attack surface. A pivotal step in preventing data breaches is to gain complete visibility into all of the entities being targeted by online criminals.
For retailers, this now includes having a detailed snapshot or a list of all the third-party services operating within their IT ecosystems. This simple punch list improves overall performance and helps security staff ensure that proper patching is completed and malicious code modifications can be detected and eliminated as quickly as possible. Speed is necessary, and it’s difficult to react quickly to outside attacks without the ability to spot abnormal activity.
Taking Back Control
Online businesses are at a crucial point in retail history, having access to the tools and applications needed to boost the online customer experience and drive true engagement with users. When a major data breach occurs, customers don’t care that it wasn’t the retailers’ systems that were compromised. They will ultimately blame the brand.

This is why it is extremely important that brands understand the risks involved in implementing third-party services and ensure they have the ability to properly monitor customer data and detect anomalies to make sure they are protected even if a partner is compromised. 

What’s Hot on Infosecurity Magazine?