One of the most often touted cyber security statistics is the time between a breach occurring and the victim discovering they have been attacked. And even then, they often only discover that fact via notification from a third party.
So on this basis the recent Weebly story looks to be pretty true to form. The slightly more concerning thing is that it has affected 43m accounts, which is equivalent to one account for every man, woman and child in Argentina!
It is worth putting this into context from a PCI DSS perspective. So here goes. Let's assume that a good many of the accounts that make up this 43m are being used to sell online, mostly I would guess in the US. Now as things stand the US is in the process of going down the EMV route, by introducing chip enabled cards. This serves to make customer present fraud much more difficult; however, as has been the case in Europe where 'chip & PIN' has been used for some time, it also sees fraudsters' attention shift to the customer not present environment. So eCommerce merchants take the hit, with both they and their acquiring banks suffering accordingly.
The problem is that where eComm is concerned, the majority of small/medium businesses (SMBs) turn to solutions like Weebly and various other services providers to carry the PCI DSS burden. Whilst the merchant remains responsible for compliance validation, the vast majority of the controls required to be in place in order to comply are very much in the hands of what they consider to be trusted third parties.
Whilst each individual merchant will no doubt have been notified of the breach, the extent to which they follow the guidance provided by Weebly cannot be measured. This in turn means that individual acquiring banks could be exposed to significant risk by dint of the fact that they could have tens of thousands of merchants all affected by a single incident.
The challenge is knowing who could be affected and taking proactive action to mitigate what in theory could be a run of account data compromises. In part, a PCI DSS program will help; however, the chances are it won't provide a great deal of detail on which platforms an acquirer's merchants rely. What's more, these merchants will be self-validating compliance, so there will always be an element of garbage in/garbage out as far as what this is actually telling you.
As a PCI DSS Forensic Investigator (PFI), Foregenix has done a lot of work around risk profiling merchants from an external perspective, in effect taking a 'fraudster's eye view' of their websites. Using WebScan, eComm merchants are able to run free, regular checks on their website to understand if they are up to date, adequately patched or exhibiting any indicators of compromise.
Finally, I started by referring to the elapsed time between the compromise occurring and the victim knowing that they had been breached. Having bad stuff going on for 8 months is pretty scary, especially in a large enterprise, which is why Foregenix have recently adopted the Canary as part of our Data Forensics and Incident Response capabilities. More about that another day!
Hackers have managed to steal information associated with more than 43 million accounts belonging to customers of Weebly, a San Francisco-based web hosting service that provides a drag-and-drop website builder. According to LeakedSource, the attackers stole 43,430,316 accounts after breaching the company’s systems in February. The compromised information includes usernames, email addresses, IPs and password hashes. Weebly has been in touch with LeakedSource and confirmed that the exposed information is genuine. The company has notified affected users and reset their passwords. On its website, Weebly claims to have more than 40 million users, which indicates that the breach has affected a large majority, if not all, of its customers. Weebly is still trying to determine the cause of the breach, but the company says it has already started improving network security.