- SOAR 101
Welcome back to our Data Breach of the Month series, where we look at a notable cyber incident or data breach from the past month. Sometimes we’ll offer deeper analysis of the latest big breach, and other times we’ll focus on a lesser known incident that has outsized implications for the security industry.
In each case, you’ll learn the type of data breached, the vulnerabilities or gaps that were exploited, and what organizations can do to remediate effectively and address potential root causes.
So without further ado, our breach of the month for May, 2018 is… the payment processing data breach at Rail Europe North America.
Rail Europe North America (RENA), a website used by Americans to purchase European train tickets, recently announced that it had discovered unauthorized access to its ecommerce platform, resulting in stolen customer data. The breach had been ongoing from November 2017 to February 2018, and went unnoticed until an inquiry from one of RENA’s banks.
The stolen data included: names, addresses, phone numbers, credit card information (number, expiration number, and CVV), usernames, and passwords. RENA is not disclosing how many users’ data were compromised. The site had more than five million users in 2017, so the potential breach is quite large.
Hackers managed to place credit card skimming malware on RENA’s website to steal personal information as transactions occurred. Most customer data breaches are from hacked databases. This breach is unusual because the front end of the website that processed payments was compromised, meaning that all the stolen credit card data was up-to-date, making it more likely to be lucrative for the hackers.
RENA has come under scrutiny for not discovering the breach for three months. Unfortunately, as we’ve seen previously in this series, this type of delay is not unusual. The signals of cyber attacks can easily get lost in the noise of false positives and unimportant alerts, so to spot breaches, organizations should do everything possible to make the signs of malicious activity clearly visible. This can be done by using orchestration and automation tools to take in SIEM alerts, enrich them with intelligence, analyze them for risk, and communicate them to analysts with a clear picture of their significance.
Based on the information RENA has released following their discovery of the breach, they seem to be taking the right steps in their response. They say they immediately severed connection to the compromised servers, rebuilt all affected systems from known safe code, and hardened security controls, among other actions. RENA is also working with third-party experts to conduct forensic analysis, and is offering free identity theft protection services to customers.
D3’s platform supports the entirety of an effective response process, from automated actions to quickly shut down compromised systems, to forensics case management and root cause analysis workflows. Companies can save money and reduce risk by proactively implementing a platform like D3, instead of scrambling to bring in third parties after an incident hits.
Fortunately for RENA, this breach was reported shortly before GDPR became enforceable. Going forward, the processes for customer data breach responses will be even more strict, and the potential consequences more severe. Check out our GDPR Overview Infographic for a brief description of the new regulation.
We’ll see you back here next month for a new Data Breach of the Month.