Cyber Criminals, Furlough and the PCI DSS

The UK went into lockdown on March 23rd 2020 and the government introduced us to a new word: “furlough”. Of course, 99.9% of us had never heard of it before, but many welcomed the fact that they would be able to sit at home on 80% of their wage. It was also on this momentous day that the wizened old man, Woodstradamus, made his prediction that cyber criminals wouldn’t be furloughed and would carry on doing what they do.

Only it wasn’t that bold a prediction; it was actually like betting on the Harlem Globetrotters to win (or Michael Jordan’s Bulls if you’re still lockdown-bingeing Netflix).

Within the last two days, two large retailers have admitted to security breaches: yesterday, Claire’s Accessories, and today the online multisport giant, Wiggle. This post, however, is not about taking shots or ‘naming and shaming’. If you want to do that, feel free to peruse every security salesman on LinkedIn as they sell the magic bullet that would have stopped these attacks … apparently.

Of course, Claire’s are now carrying out an investigation (most probably a PCI Forensic Investigation) to understand how the breach occurred. However, Sky News are reporting that the breach was the result of a Magecart skimming attack. More information can be found at: https://news.sky.com/story/shopped-with-claires-online-hackers-may-have-stolen-your-card-details-12007303

Wiggle’s appears to be a slightly different attack: it has been reported that attackers breached customer accounts and ordered various items to be dispatched. It would appear that Wiggle only found out about the breach via Twitter. An announcement from Wiggle is expected imminently.

Both of these attacks are believed to have started during the lockdown period, although this has yet to be fully confirmed. What this tells me is:

  • IT departments are over-stretched, especially while trying to move a whole workforce to mobile working, and security is being overlooked
  • PCI DSS is still a thing!

When speaking with one of our Qualified Security Assessors (QSAs) about these breaches I was met with a “what’s new?” response – believe it or not, QSAs can be more sarcastic than the author of this piece!

The common theme is that even though the Payment Card Industry Data Security Standard (PCI DSS) is a mature programme, it is often doomed to failure within certain businesses. More often than not, we find that businesses are failing at the scoping stage and could use a little help initially.

Ultimately, speaking with a QSA at the beginning and getting your scope right in the first place will reduce your risk profile, save you time and, most importantly (to some), save you money. Many businesses avoid using a QSA because they can “self-assess”, and guess what: when they have a breach, it turns out they’ve done the wrong thing!

Of course, PCI DSS is not the be-all and end-all. There are a plethora of security standards out there and, let’s be honest, nobody will ever be truly bullet-proof. When picking a strategy (unless one is mandated) it’s often a case of ‘pick your poison’. What is important, though, is safeguarding data and minimising the risk of a cyber-attack.

Many companies do not have the luxury of a well-resourced cyber security team and, let’s be fair, it’s impossible to be all things to all men. It begs the question of how often you review your cyber strategy and, perhaps more importantly, how often you test that the strategy is actually working.

Don’t let the criminals test it for you.