Essay: Info Security For U.S. E-commerce Website

Discuss about the Information Security for U.S. E-commerce Website.

Acer's e-commerce website hit by a customer data breach

In this part of the report, it will describe in detail a news story related to computer security breach in the month amid April to August 2016. It will discuss about the actual problem that the company faced and who all were the victims to the attack. It will also discuss about the attack procedure how it may have been carried out and what all could be the preventive measures in future ahead.

ACER, a Taiwanese MNC, famous for its hardware and electronics, suffered security breach of its U.S. e-commerce website, which left its customer’s confidential information exposed who made any purchase from the site in the last one year.   The number of users and clients affected by the attack has not been stated yet but in a draft letter sent by company to all its customers says that they are taking every possible measure to remediate this security issue and are even taking help of cyber-security experts from outside. In an article published by Peter Loshin, he gave the roughly idea of number of victims as 34,500. The breach was observed by the company in mid of June 2016 (Loshin 2016).

All the customers who have purchased any product from the U.S. e-commerce website of Acer between May 12, 2015 and April 28, 2016 are suspected to be the victim of the hacking. It is believed that their personal data has been compromised which includes full names, home addresses, email addresses, Phone numbers, credit card numbers, Validation dates and even CVV numbers which could result in loss of money from the bank accounts of customers. No evidence has been found for login credentials being hacked such as username and passwords of clients and customers or of any employee (Matei 2016).

Acer has asked its customers to keep a watch on their bank accounts and notify to the company in case any unauthorised activity observed.

Even though the company has not stated anything exact about the method used to carry out the attack and hack the website of the company, still the investigators are trying to build the scene of how the attack might be carried out (Stuart 2016). Investigators think that SQL injection is the one technique by which hackers might have manipulated the data out of Acer’s website. Websites have been vulnerable to this kind of attack in past also. The hacker announced publically through a blog that he already warned Acer in some manner about the bug bounty program which they should install but they didn’t seem to care about it and hence the loss (Stuart 2016).

Problem Statement

Acer has hired experts from the field of cyber-attacks and is investigating the attack. However the damage done already cannot be undone but it could be prevented in case any further attack takes place (Prabhu 2016). Groveunder, the spokesperson from Acer said that if the forms that have been filled by users to make a purchase would have been encrypted, then this type of mishap would haven’t take place at all. Acer gets major confidential data of clients on their website though fill-up forms and it is must for the company to have encryption techniques attached with the forms.

Also various other measures could be taken to prevent these types of attacks

Using SSL:

Amidst company’s database and website when the data transfer is taking place, the SSL protocol used to transfer the data which might be very confidential must pass through encryption (Prabhu 2016).

Install a Web Application Firewall (WAF):

It can be either software or hardware based firewall which sets amid data connection and company’s website server and detects data which passes through it. The majority of WAF’s coming in modern times is based on cloud. It blocks all the hacking attempts and even filters the undesired advertisements and spam mails. It is considered as one of the best way to avoid attack to the system (Keane 2016).

Install Security Applications:

Some free plugins are available online which adds an extra level of security to the website and it becomes difficult for hackers to attack the website for example Acunetix WP Security hides the identity of one’s website’s CMS and provides protection to it (Correa 2016).

Conclusions

The attack at Acer’s ecommerce website is another perfect example of cyber-crime and the presence of hackers into the network without a single clue of their presence (Keane 2016). The employees and other individuals need to be aware of every possible threat that could harm them or the company and should be very attentive to what is happening to their system. Hackers attacked the website for a whole year and no one was able to detect it, this shows the absence of awareness amongst its employees (Matei 2016).

Anthem medical data breach case 2015

Anthem Inc., an American Health Insurance company, is amongst nation’s largest health insurers and was in news for more than six months last year. Anthem Inc. suffered a major cyber-attack on Jan 29^th, 2015, leaving millions of customers of the company threatened for their identity for the entire life span (Whitney 2015).

Impact of attack

Anthem Inc. suffered a major cyber-attack to its IT systems. The motive of the attackers was to get personal data of the clients of the Anthem Inc. The spokesperson of the company released the news about the attack and security breach on 4^th Feb, 2015 (Mathews 2015). The investigators believed that the intruders hacked the system somewhere around mid-December 2014, and was continually hacking the information since then, till it was known. The spokesperson stated on 4^th Feb, 2015 that company’s servers and systems has been attacked and personal information of their former and present clients has been leaked which might be around 38 million. In another statement on 24^th Feb, 2016 the toll rose to 79 million approx. as it was stated by a member of the company (Riley 2015).

Anthem breach case affected mostly to its clients who are either present members or were former members of any plans associated with the company. Along with them, some members who take Anthem served health services such as members of Blue cross and Blue Shield plans might have suffered too. Some individuals who were offered any Anthem or non-Anthem plans by their employers reported that they are the part of suffered victims as well (Abelson and Goldstein 2015). Hackers intrude into the system to steal personal identifiable information about the clients of Anthem for example email address, birthdates, full name, home address, employment information, social security number and people who are the victim of this attack might suffer their entire life span for the identity theft related problems ( Abelson and Creswellfeb 2015).

The investigators did not found any clue regarding any information leak related to credit cards and bank accounts of anyone. Also no proof has been found for information leak related to medical information of the patient such as diagnostic codes, test results or claims (Abelson and Creswellfeb 2015)..

On 29^th of January, 2015, an employee at Anthems Inc. noticed that system is running an unknown query, yet very complex. Employee checked for the same thinking that some other employee from the company might have run it for a job, but after checking he found that query had been run from some external environment and is resulting in loss of information. Immediately an alarm was raised and in minutes it was known in the company that they have suffered a crisis owing to major cyber-attack (Mathews and Yadron 2015).

How was the attack carried out?

The team who investigated Anthem’s case stated that attackers might have sent an internal message to the employees which they make it as a mail from the company and employees got tricked to click to it and as soon someone might have clicked on it they gained access to the company’s admin page and hacked the credentials of one of the administrator along with five other employees of the company. A news channel also stated in news that attackers of the Anthem’s case belongs to China and had planned the entire scenario from there only. (Terry 2015). 

Hackers could have used Windows, Java or any such other equipment which might have been proved helpful to them to chase out the data. This was not cleared that whether the employees whose credentials were used to theft data contains the one who raised the alarm.

Anthem suffered an attack which could have been done either by an insider i.e. an employee of the company or it might be the work of outsider by phishing employees of Anthem to explore data from them. For an employee it’s a very easy task as he could use own credentials to get the data and if it was the work of an outsider then he might have confused an employee by a mail which might have looked as if from known person. Whatsoever the case be, hackers already intruded into the walls of the company’s website and whatever may the security measure be or firewalls, it would not have prevented the theft (Weise 2015).

Anthem also got covered up in a debate that it happened due to failure to secure data using encryption techniques. Few stated that whether it’s “on the wire” or “inside storage area” Anthem’s database was never encrypted, which was very crucial for if the data had been encrypted using modern techniques hackers wouldn’t have gained access to it without the keys and decryption technique. However, if the attacker is inside the company then encryption wouldn’t have been a successful step at all as they have access to all the keys owing to job purposes, hence not the proper solution to the problem.

In order to mitigate threats the three of the measures which could have been taken are:

Context Aware Access Control: CAAC is related to the authentication of identity that whether the user who is logged in is the authenticated user or not. System checks for every authentication session that where it is coming from, what platform is being used, what is the date and time and similar other things. Now even if an intruder phishes to get login credentials of some employee he will not be able to make use of it as this authentication session would prevent it.

Preventive Measures to stop further Attacks

Awareness: Cyber-attacks are very common nowadays and every day we come across one or the other news related to it. A proper attention should be given to this news that what method leads to the attack which could help anyone in future. Employees must be aware of what they are clicking at. Scam email campaigns are in very much trend now and one should be aware of that.

Behavioural Analysis: The Company must maintain a track record of employee’s activity and should randomly compare it with other employees who are on same designation which could be achieved using automated system analysis and whenever a questioning activity observed, employee’s account must be suspended temporarily.

Conclusions

After the attack, a security system at Anthem has been tightened and they now know the importance of security and secured operating systems. In case, they would have taken these steps before, Anthem could have defeated the trial of attack or may be the suffered loss would have been little.

References

Correa, D. (2016). “Unauthorised access leads to data breach of Acer's e-commerce site”, published in SC Magazine, Retrieved on 24^th August 2016 from https://www.scmagazineuk.com/unauthorised-access-leads-to-data-breach-of-acers-e-commerce-site/article/503833/.

Keane, J. (2016). “Data breach at Acer’s US website exposes names, mailing addresses, and credit cards”, Published in Digital Trends, Retrieved on 24^th August 2016 from https://www.digitaltrends.com/computing/acer-data-breach/.

Loshin, P. (2016). “Acer's e-commerce website hit by a customer data breach”, Published by Tech Target, Retrieved on 25^th August 2016 from https://searchsecurity.techtarget.com/news/450298892/Acers-ecommerce-website-hit-by-a-customer-data-breach.

Stuart, H. (2016). “Acer's Website Hacked, Customer Data Stolen”, Published by Dark Reading, Retrieved on 25^th August 2016 from https://www.darkreading.com/cloud/acers-website-hacked-customer-data-stolen/d/d-id/1325986.

Matei, M. (2016). “Acer’s Online Store Gets Hacked, Customer Data At Risk”, Published on AH, Retrieved on 24^th August 2016 from https://www.androidheadlines.com/2016/06/acers-online-store-gets-hacked-customer-data-at-risk.html.

Prabhu, V. (2016). “Acer U.S. Online Store Hacked; Breach Exposes Credit Cards, Names, Addresses”, Publshed by Tech Worm, Retrieved on 25^th August 2016 from https://www.techworm.net/2016/06/acers-u-s-webstore-hacked-names-mailing-addresses-credit-cards-leaked.html.

Riley, C. (2015). Insurance giant Anthem hit by massive data breach, Retrieved 23^rd August 2015 from https://money.cnn.com/2015/02/04/technology/anthem-insurance-hack-data-security.

Mathews, A. (2015). "Anthem: Hacked Database Included 78.8 Million People", Retrieved 24^th August 2015 from https://www.latimes.com/business/la-fi-mh-anthem-is-warning-consumers-20150306-column.html.

Abelson, R. and Goldstein, M. (2015). "Anthem Hacking Points to Security Vulnerability of Health Care Industry", The New York Times.

Weise, E. (2015). "Massive breach at health care company Anthem Inc.". USA Today. McLean, VA: Gannett. ISSN 0734-7456.

Whitney, L. (2015). "Anthem's stolen customer data not encrypted - CNET", Retrieved 23^rd August 2015 from https://krebsonsecurity.com/2015/02/data-breach-at-health-insurer-anthem-could-impact-millions/.

Mathews, A. and Yadron, D. (2015). "Health Insurer Anthem Hit by Hackers - WSJ", Retrieved 23^rd August 2015 from https://www.usatoday.com/story/tech/2015/02/04/health-care-anthem-hacked/22900925/.

Abelson, R. and Creswellfeb, J. (2015). "Data Breach at Anthem May Forecast a Trend - NYTimes.com". The New York Times. New York: NYTC. ISSN 0362-4331.

Terry, N. (2015). "Time for a Healthcare Data Breach Review Bill of Health", Retrieved 23^rd August 2015 from Center for Health Law Policy at Harvard Law School.