This year it was discovered that hacking collective Magecart were behind the data breaches of at least 800 e-commerce sites around the world, exploiting failures in client-side website security.
As the high-profile hacks of 2017-2018 have shown, the stakes for companies suffering data loss are extremely high: Gemalto recently found that 70% of customers said they would leave a business following a data breach. This is a threat from which even the largest organisations can be at risk. In a recent study RiskIQ identified 100 ‘top-tier victims’ of Magecart, which they said included ‘mainly online shops of some of the largest brands in the world’.
Despite these huge risks, a study we carried out in September 2018 found that 46% of enterprises believe they have a probable or greater risk of a website data breach. Even more shocking, our research found that 13% of the organisations surveyed only review the security of their customer data once every six months.
The devastating impact on a business suffering a security breach may seem obvious; however, a data breach often brings several unforeseen costs on top of large fines.
Firstly, customer loyalty can be damaged when a business experiences a security breach. Data from the Ponemon Institute found that 31% of people actually terminated their relationship with an organisation following a data breach.
Secondly, a data breach will often force an organisation to divert a substantial amount of time and resources into dealing with the fallout. All areas of the business will be involved in the aftermath of a data breach, potentially forcing other projects to be placed on hold while the problem is rectified.
The malicious code Magecart injects into a site has been found to steal customers’ personal and financial data as it is entered into the page, and even to redirect customers to a malicious domain to conduct fraudulent transactions.
These attacks, which lead to the theft of payment details and other data, have been referred to as formjacking, payment card skimming and digital credit card skimming. They are not the only type of data breach that can result from malicious code being inserted into a website, but they are perhaps among the most impactful, because site owners can be completely unaware that their customers’ data is being stolen.
In order to protect your site against formjacking and compromises of your website supply chain, you need to consider the following questions:
· Do you know which third-party vendors are operating on your website? How do you guarantee this?
· Can you ensure that third-party technologies on your site can’t capture sensitive information? How do you go about this?
· Can you ensure that the script which actually executes in the browser is the one you permitted? How can you double-check this is still the case?
· Can you control what content is being loaded by third-party requests? If an unvalidated script were accessing card payment details on your site, would you be able to stop it immediately?
If there is any doubt about the answers to any of these questions, extra precautions must be taken.
· Whitelist and enforce which third parties and which scripts are allowed to operate on your website.
· Use Website Data Leak Prevention, so that if a trusted third-party script is compromised you can prevent any alterations to your site and stop any leaks before they take place.
If you want to understand how Ensighten helps with the mitigation of formjacking, and how we can help you mitigate potential risks within your website supply chain, please get in touch to request a demo.