One of the most often touted cyber security statistics is the time between a breach occurring and the victim discovering they have been attacked. And even then they often only discover that fact via notification from a third party.

So on this basis the recent Weebly story looks to be pretty true to form. The slightly more concerning thing is that it has affected 43m accounts, which is equivalent to one account for every man, woman and child in Argentina! 

It is worth putting this into context from a PCI DSS perspective. So here goes. Let's assume that a good many of the accounts that make up this 43m are being used to sell online, mostly I would guess in the US. Now as things stand the US is in the process of going down the EMV route by introducing chip enabled cards. This serves to make customer present fraud much more difficult; however, as has been the case in Europe, where 'chip & pin' has been used for some time, fraudsters' attention then shifts to the customer not present environment. So eCommerce merchants take the hit, with both they and their acquiring banks suffering accordingly.

The problem is that where eComm is concerned, the majority of small/medium businesses (SMBs) turn to solutions like Weebly and various other service providers to carry the PCI DSS burden. Whilst the merchant remains responsible for compliance validation, the vast majority of the controls required to be in place in order to comply are very much in the hands of what they consider to be trusted third parties.

Whilst each individual merchant will no doubt have been notified of the breach, the extent to which they follow the guidance provided by Weebly cannot be measured. This in turn means that individual acquiring banks could be exposed to significant risk by dint of the fact that they could have tens of thousands of merchants all affected by a single incident. 

The challenge is knowing who could be affected and taking proactive action to mitigate against what in theory could be a run of account data compromises. In part, a PCI DSS program will help - however, the chances are it won't provide a great deal of detail on which platforms an acquirer's merchants rely. What's more, these merchants will be self validating compliance, so there will always be an element of garbage in/garbage out as far as what this is actually telling you.

As a PCI DSS Forensic Investigator (PFI), Foregenix has done a lot of work around risk profiling merchants from an external perspective - in effect taking a 'fraudster's eye view' of their websites. Using WebScan, eComm merchants are able to run free, regular checks on their website to understand if they are up to date, adequately patched or exhibiting any indicators of compromise.

Finally, I started by referring to the elapsed time between the compromise occurring and the victim knowing that they had been breached. Having bad stuff going on for 8 months is pretty scary, especially in a large enterprise, which is why Foregenix have recently adopted the Canary as part of our Data Forensics and Incident Response capabilities. More about that on another day!