
Major e-commerce data breaches: What we can learn from them


Over the last few years, there has been a slew of data breaches in the e-commerce industry. These breaches not only increase reputational, financial and operational risk, but haunt e-commerce businesses for years: a single data breach costs a company $3.86 million on average and takes 280 days to contain.

E-commerce data breaches can wreak havoc on your retail business, and not just until the mess is cleaned up. They can have a long-term impact on customer trust and brand reputation. The good news is that there are many precautions you can take to protect your business and your customers. To help with that effort, we have compiled a list of major data breaches along with the lessons they taught us.

1. Shopify Data Breach

Date of Breach: September 2020

Impact of Breach: More than 200 stores and 5000 customers

How did the Breach Occur?

On September 22, 2020, e-commerce platform Shopify disclosed a security incident on their blog. Shopify reported that two “rogue” support team employees illegitimately accessed and stole customer transactional records of certain merchants, including Thrive Causemetics and Kylie Cosmetics. 

Apparently, the two employees accessed shopper data using Shopify’s Orders API, which lets merchants process orders on behalf of their customers. Shopify did not say how many end customers were affected by the theft of data from merchants, but the emails sent to merchants reportedly contained the specific number of customer records stolen in the breach.

What Kind of Data was Stolen?

Compromised customer information included:

  • First and last names
  • Addresses
  • Emails
  • Product order information
  • BIN numbers
  • Payment card information (limited)

What can we Learn from this Breach?

The Shopify data breach offers the following lessons:

1. Beware of Phishing: Even without customers' or employees' full financial information, hackers could use data like this to launch targeted phishing attacks. In general, phishing attacks account for 20% of all security breaches. Surprisingly, Shopify did not offer any identity monitoring service to affected individuals after the attack.

2. Insider Threat is Real: While a good deal of insider incidents are caused by simple human mistakes, malicious insiders, like the employees here, can jeopardize sensitive data if there is no control in place to detect and prevent misuse.

2. eBay Data Breach

Date of Breach: May 2014

Impact of Breach: 145 million customers

How did the Breach Occur?

The global e-commerce market was shocked when retail giant eBay announced that hackers had raided its network, accessing some 145 million user records in what was poised to go down as one of the biggest data breaches in history, measured by the number of accounts compromised.

What Kind of Data was Stolen?

The hackers gained access to information including eBay customers' names, encrypted passwords, email addresses, registered addresses, phone numbers and dates of birth.

What can we Learn from this Breach?

The following are some of the things we’ve learned as a result of this data breach: 

1. Hold the minimum information possible: Organisations should keep only the minimum information necessary. Had eBay not stored unnecessary information like dates of birth and addresses, the risk of identity theft after the attack would have been massively reduced.

2. Prepare for attacks: In these high-risk times, companies are advised to carry out frequent cyber crisis simulation exercises to prepare their response to a cyberattack.  

3. Barnes and Noble

Date of Breach: October 2020

Impact of Breach: Thousands of Customers and Publishers

How did the Breach Occur?

A suspected ransomware attack on Barnes & Noble denied readers access to their libraries and leaked their personal information. The major bookseller sent an email notifying customers of the cyber attack that exposed their personal information, including transaction history and email addresses.

Many customers were locked out of their accounts while point-of-sale systems became inoperable during the October 2020 cyber attack. Barnes & Noble disclosed that it stored personal information on the affected systems and that hackers might have accessed it.

However, the bookseller clarified that the data breach did not expose customers’ financial information, including payment card information. Barnes & Noble stocks over 1 million titles and operates the NOOK service ebook reader and storage platform.

What Kind of Data was Stolen?

The hackers accessed full names, dates of birth, email addresses, physical and mailing addresses, and Social Security numbers in the attack.

What can we Learn from this Breach?

The following are some of the things we’ve learned as a result of the Barnes and Noble data breach: 

1. Implement a Zero Trust Policy: CISOs and CIOs should think about creating a zero-trust cybersecurity strategy. In this security paradigm only authenticated and authorized users and devices are allowed access to apps and data; it calls into question the notion of "default access". The Barnes & Noble data breach was a reminder that organizations should keep their security safeguards up to date to prevent threat actors from exploiting known vulnerabilities.

2. Conduct regular vulnerability assessments: Speculation suggests that Barnes & Noble's data breach involved a ransomware payload. The bookseller was alleged to have been running Pulse Secure VPN servers with an unpatched vulnerability, CVE-2019-11510, which allows hackers to steal usernames and passwords and then infiltrate corporate systems, install ransomware, and exfiltrate data.

4. Drizly Data Breach

Date of Breach: July 2020

Impact of Breach: 2.5 million user accounts

How did the Breach Occur?

Drizly, a prominent online alcohol delivery startup, suffered an external cyberattack that led to a data breach. According to a company email to customers, an unidentified hacker took customer email addresses, dates of birth, passwords and, in some cases, delivery addresses. As many as 2.5 million customers may have been affected, and the exposed data also included phone numbers and IP addresses.

What Kind of Data was Stolen?

The stolen data included email addresses, dates of birth, hashed passwords and in some instances delivery addresses. Drizly noted that no financial information was compromised, but the dark web listing for Drizly’s stolen customer data claimed to include valid credit card numbers. Private investigations discovered that customers’ phone numbers, IP addresses, and geolocation data were also compromised.

What can we Learn from this Breach?

The following are some of the things we’ve learned as a result of this data breach: 

1. Act Fast: The reported Drizly data breach was interesting for what it shows about attacker dwell time, the time between an initial breach and the victim noticing it. The stolen data had been available on the dark web since mid-February 2020, but the breach was only identified by Drizly on July 13th, 2020, and reported to customers on July 28th, 2020.

2. Update authentication measures: Drizly’s recommendation for customers to change passwords was not enough to keep user data protected. Online retailers (and any organization with a digital presence) have a responsibility to keep accounts protected to maintain customer trust. Biometric authentication (leveraging unique human traits to confirm identity) is far more secure and ensures only the legitimate user can access their account.

5. Alibaba

Date of Breach: June 2021

Impact of Breach: 1.1 billion customer records

How did the Breach Occur?

According to a Chinese court ruling, the Chinese e-commerce giant Alibaba’s Taobao retail site experienced a data leak that exposed over 1.1 billion pieces of customer information. 

A developer working for an affiliate marketer stole consumer data, including usernames and cellphone numbers, from Alibaba's Chinese retail website, Taobao, over an eight-month period using crawler software he built. Although the developer and his employer were both sentenced to three years in jail, it appears they were gathering the information for their own purposes and did not sell it on the black market.

What Kind of Data was Stolen?

It was reported the malicious developer began using the web crawling software in November 2019, gathering information including user IDs, mobile phone numbers, and customer comments.

Mobile phone numbers are sensitive because the Chinese government requires handset owners to register SIM cards with their official details. 

What can we Learn from this Breach?

Organizations must establish a “genuine security culture” that places a high value on user data protection. This comprises important components like security education, safe software development lifecycles, system and application hardening, frequent penetration testing to detect possible vulnerabilities, and lastly, continuous monitoring for suspicious behavior in conjunction with proactive threat hunting.
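The "continuous monitoring for suspicious behavior" called for above, and the two access patterns this article describes earlier (the Shopify support employees pulling merchants' order records through an internal API, and the Taobao crawler reading user records for months), can both be caught by simple rules over an access log. The following Python script is an added example, not code from the article or from Shopify or Alibaba; the log format, principal names, merchant ids, thresholds and the sample lines themselves are all constructed for illustration. It flags support principals that read bulk customer records with no ticket justifying the access, and any principal whose request rate in a sliding window looks automated.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log format for this example (an assumption, not Shopify's or
# Taobao's real schema): one line per read of customer order records by a
# principal, with an optional support-ticket reference justifying the read.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) principal=(?P<principal>\S+) merchant=(?P<merchant>\S+) "
    r"records=(?P<records>\d+)(?: ticket=(?P<ticket>\S+))?$"
)

# Constructed sample lines: one support agent working tickets normally, a second
# agent pulling thousands of records with no ticket, and an external client
# hitting a different store every second for a minute, as a scraper would.
SAMPLE_LINES = [
    "2020-09-10T09:00:01Z principal=support:emp04 merchant=store-0102 records=3 ticket=T-5501",
    "2020-09-10T09:05:11Z principal=support:emp04 merchant=store-0337 records=1 ticket=T-5502",
    "2020-09-10T09:02:45Z principal=support:emp17 merchant=store-0421 records=480",
    "2020-09-10T09:03:02Z principal=support:emp17 merchant=store-0088 records=950",
    "2020-09-10T09:03:40Z principal=support:emp17 merchant=store-0190 records=1200",
] + [
    f"2019-11-05T02:00:{sec:02d}Z principal=client:crawler-7 merchant=store-{sec:04d} records=20"
    for sec in range(60)
]


def parse_line(line):
    """Parse one access-log line into a dict; reject anything off-format loudly."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable access-log line: {line!r}")
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "principal": m["principal"],
        "merchant": m["merchant"],
        "records": int(m["records"]),
        "ticket": m["ticket"],  # None when the read was not tied to a ticket
    }


def load_sample_events():
    return [parse_line(line) for line in SAMPLE_LINES]


def bulk_reads_without_ticket(events, max_records=100):
    """Insider rule: support principals that read more than max_records customer
    records with no ticket reference. Returns {principal: records_read}."""
    totals = defaultdict(int)
    for ev in events:
        if ev["principal"].startswith("support:") and ev["ticket"] is None:
            totals[ev["principal"]] += ev["records"]
    return {p: n for p, n in totals.items() if n > max_records}


def sustained_request_rate(events, window_seconds=60, max_requests=30):
    """Scraping rule: any principal issuing more than max_requests reads inside a
    trailing window of window_seconds. Returns {principal: peak_requests_in_window}."""
    stamps_by_principal = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stamps_by_principal[ev["principal"]].append(ev["ts"])
    flagged = {}
    for principal, stamps in stamps_by_principal.items():
        window = deque()
        for ts in stamps:
            window.append(ts)
            # drop timestamps that have fallen out of the trailing window
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) > max_requests:
                flagged[principal] = max(flagged.get(principal, 0), len(window))
    return flagged


if __name__ == "__main__":
    events = load_sample_events()
    print("bulk reads without ticket:", bulk_reads_without_ticket(events))
    print("sustained request rate:", sustained_request_rate(events))
```

On the sample above the first rule reports only `support:emp17` (2,630 records read with no ticket), and the second reports only `client:crawler-7` (60 reads in one minute). The agent working tickets at a human pace trips neither rule. In production the thresholds would be derived from a baseline of normal support and API traffic rather than fixed by hand, and the ticket check would be enforced by the API itself rather than only detected afterwards.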

6. Quidd

Date of Breach: April 2020

Impact of Breach: 4 million customers

How did the Breach Occur?

Quidd, an online marketplace for trading stickers, cards, toys and other collectibles, suffered a data breach in 2019 that was only discovered in April 2020, when the details of around 4 million of its users were found being shared for free on underground hacking forums.

It was later established that a hacker who goes by the moniker ProTag had taken credit for the data. The stolen data was confirmed to be authentic by contacting some Quidd users.

What Kind of Data was Stolen?

According to security researchers, the stolen data included usernames, email addresses and hashed account passwords (bcrypt hashing algorithm).

What can we Learn from this Breach?

The following are some of the things we’ve learned as a result of this data breach: 

1. In the aftermath of such data breaches, customers must be informed quickly and passwords must be changed or reinforced with multi-factor authentication methods. Even though bcrypt hashes are very hard to crack, weak passwords can still be recovered quickly by hashing candidate guesses, and some hackers were already doing exactly that with the Quidd dump.

2. Quidd failed to promptly notify victims of the data breach of the types of information stolen. This resulted in massive damage to the company’s reputation as well as the ability of its customers to take quick actions and safeguard themselves. 
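The Quidd lesson above turns on one fact: a slow, salted hash like bcrypt makes every guess expensive, but it cannot help when the guess list is tiny. The defender's answer is to reject guessable passwords before they are ever hashed, and, after a breach, to audit the organisation's own credential store for such passwords so those accounts can be force-reset and enrolled in MFA first. The script below is an added example, not code from the article or from Quidd. It uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt (an assumption, chosen so the example runs without third-party packages; the property demonstrated is the same), and its denylist, usernames and passwords are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: PBKDF2-HMAC-SHA256 stands in for bcrypt, which the article names;
# both are salted, deliberately slow hashes, and the property shown here (a slow
# hash does not protect a guessable password) holds for either. ITERATIONS plays
# the role of bcrypt's cost parameter.
ITERATIONS = 50_000

# Constructed denylist of commonly breached passwords (not from any real dump).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou", "welcome1"]


@dataclass(frozen=True)
class StoredCredential:
    username: str
    salt: bytes
    digest: bytes


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh 16-byte salt is drawn unless one is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(cred: StoredCredential, password: str) -> bool:
    """Recompute the slow hash under the stored salt and compare in constant time."""
    _, digest = hash_password(password, cred.salt)
    return hmac.compare_digest(digest, cred.digest)


def password_policy_errors(password: str, denylist=COMMON_PASSWORDS) -> List[str]:
    """Checks run at registration and password change, before anything is hashed.
    Returns an empty list when the password is acceptable."""
    errors = []
    if len(password) < 12:
        errors.append("shorter than 12 characters")
    if password.lower() in denylist:
        errors.append("appears on the breached-password denylist")
    return errors


def audit_weak_credentials(creds, denylist=COMMON_PASSWORDS) -> Dict[str, str]:
    """Post-breach audit of the organisation's own credential store: recompute the
    slow hash for each denylisted candidate and report accounts whose password
    matches, so those users are forced to reset and enrolled in MFA first."""
    hits = {}
    for cred in creds:
        for candidate in denylist:
            if verify_password(cred, candidate):
                hits[cred.username] = candidate
                break
    return hits


if __name__ == "__main__":
    store = [
        StoredCredential("alice", *hash_password("letmein")),
        StoredCredential("bob", *hash_password("correct horse battery staple")),
    ]
    print("policy errors for 'letmein':", password_policy_errors("letmein"))
    print("accounts to force-reset:", audit_weak_credentials(store))
```

Running it shows `alice` reported after only a handful of guesses despite the slow hash, while `bob` is never matched because his passphrase is not on any short list. The policy check would have refused `alice`'s password at registration in the first place, which is the cheaper control; the audit is what a breached operator runs on day one to decide whom to reset immediately rather than sending a blanket "please change your password" email.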

This article was written by Harshit Agarwal, Co-founder and CEO of Appknox.

(Disclaimer: The views expressed in the article are solely the author's and do not reflect the opinions and beliefs of the website or its affiliates.)