Step into the breach
For the cybercriminals who stole details of SuperValu, Axa and Clerys customers last week, names, emails and phone numbers can be as valuable as credit-card data. How big is the risk to consumers?
When small files started being discreetly downloaded from computers in a grey Ennis office block four weeks ago and making their way through cyberspace towards the shadows of the “dark net”, it went almost entirely unnoticed. More than a week passed before anyone realised something was amiss. Then all hell broke loose.
Although it has more than three million customers across Europe, until last week only a handful of Irish people had heard of Loyaltybuild, a Co Clare-based company that takes bookings for rewards schemes offered by retailers and service providers.
In a chain of events that started in the middle of October, sensitive personal details of about 1.5 million people have been stolen by as yet unidentified criminals. Retailers and service providers in Ireland and across the EU are embarrassed, and Loyaltybuild has shut down its booking service as it fights to regain control of the situation.
The story broke in this newspaper last week, but the company played it down. On Monday it emerged that the problem was worse than it had initially said. The credit-card details of 376,000 people across Europe had been stolen by criminals in what industry sources say was the largest data-protection breach in western Europe in the past three years.
And it kept getting worse. Through the week the numbers climbed until 1.5 million people were found to have had their personal information compromised, with details such as names, addresses, phone numbers and email addresses also stolen in the cyberattack.
SuperValu, Axa, ESB, Clerys, Centra, Pigsback, Postbank and Stena Line all fell foul of the security breach. SuperValu fell hardest. Seventy thousand of its most loyal customers – those who had booked holiday breaks with the retailer – have had their credit-cards details stolen.
The Office of the Data Protection Commissioner has launched an investigation. It says key questions it has asked Loyaltybuild remain unanswered: how the breach was allowed to happen and why Loyaltybuild stored for years the three-digit security code found on the back of all cards, in breach of data-protection rules.
The Garda is investigating too, but sources hold out little hope that the criminals will be brought to court, as all the signs are of a cyberattack from outside the State. This would make it difficult, if not impossible, to bring anyone to justice.
Last month Brian Honan was appointed special adviser on internet security to Europol’s European Cybercrime Centre after being at the vanguard of the fight against hackers in Ireland for nearly 20 years. He has been following developments this week with a keen eye.
“You do have the archetypal hacker, the kid in his bedroom, testing systems for kicks, but this seems more organised,” he says. He suggests the attack was done not for kicks but for cash. “There is an electronic ecosystem for the criminal underground, and there are people who spend their time looking for weaknesses and vulnerabilities, which they can then sell on.”
While much of the information has focused on the credit-card theft, the theft of other personal data is as serious, Honan says. “When they find credit-card details it’s a bonus, but criminals are after all personal details. Names, email addresses and phone numbers can sell for between $1 and $5 – the same price which is put on credit-card details.”
Honan says those who hacked into Loyaltybuild may never use the data but instead seek a third party who could take advantage of the details. “There are forums on the dark web which are hosted in countries which don’t care about this stuff, and you won’t be able to access them without a reference from someone already on the inside,” he says.
A key tool is TOR, or the Onion Router. This network, which is used by pornographers, drug dealers, hit men and hackers with information to sell, can conceal a user’s location or computer from anyone conducting surveillance or traffic analysis by routing traffic through multiple randomly selected servers in the TOR network. Traffic is encrypted over and over again, making it almost impossible to trace.
The people with the skills to break into systems such as Loyaltybuild can be based anywhere, and, according to Honan, they do so “because they want or need the money – it is that simple. They may have all the computer skills but may live in a country where there is very high unemployment or no digital infrastructure in place to reward them in more traditional ways.”
And sometimes companies make it too easy for them. “I think a lot of companies have embraced technology without really assessing the risks and putting in the proper controls to ensure they are protected,” Honan says.
“Today a lot of companies are trying to keep their heads above water by keeping their costs down, and many would happily spend €20,000 on a marketing campaign to drive new business but never spend it on security for something that might not happen. But they always have to count the cost of being caught out.”
Recent research by Deloitte and the security firm EMC found that the average cost of a cybercrime incident for Irish organisations over the past year was €135,000. “This latest attack shows that Irish organisations need to defend themselves from attack by having increased visibility of the threat and being able to stop the breach quickly,” says the company’s Irish director, Jason Ward. “This can be done through security analytics, which involves collecting reliable cybersecurity data, and researching prospective cyberadversaries to better understand risk and learn about why and how attacks occur.”
Individuals can also play a role in combating cybercrime. People who have had their personal details compromised are susceptible to email and telephone scams. They need to be on their guard – as does everyone.
“People have to protect themselves against all these risks, and they have to be sensible,” says Honan. “If I walked up to you on O’Connell Street and said I was from Bank of Ireland and asked you for your bank details, you wouldn’t give them to me, yet too many people give them away because they have got an email.”
Many of the stolen details are ‘worthless’
Despite this high-profile theft, the risk to people’s cash today is minimal, says Una Dillon of the Irish Payment Services Organisation (Ipso). A huge volume of the infomation stolen was worthless, as the cards had expired.
“I wouldn’t be overly concerned if one of my cards was caught up in this,” Dillon says. “Even in the worst-case scenario – one in which my card was used fraudulently – my card provider will refund me everything that is taken”
Although a valid credit card can fetch up to €5 on the black market, depending on its credit limit – gold and platinum cards command the highest prices – it is not so simple for fraudsters to cash them in. Card details taken in a hack like this are more difficult to clone.
“There is very little that criminals will be able to do with these cards,” says Dillon. “They could be used to buy high-worth products online, which are then sold for cash, but the information can’t be used to withdraw cash at an ATM, for example.”
And if criminals can turn the cards into cash, who pays the ultimate price? Retailers. If a shop sells a television online, the onus is on the retailer to prove that the buyer is the card owner and that the transaction is legitimate. If they fail to do this, the credit-card company will pursue them for recompense.
The only way an online retailer can protect itself is to use a 3D Secure system of payment – displayed on screen as Verified by Visa or MasterCard SecureCode, among other names – which is why this second layer of security is growing in popularity, with retailers if not consumers.
It may be that, after this attack, the main thing lost will be confidence: in the company, in data security and in the world of digital information.
Whether that makes any difference to how we buy goods remains to be seen.