Cyber Week in Review: Home Depot, Fitness Trackers & SAP

Media Division | March 24, 2017

Considering the instantaneous speed at which the digital age operates, it’s fascinating to see how dates don’t matter: digital data exists forever, security flaws sometimes last for years, and even Snapchat “deleted” data is recoverable.

So this week in cyber news, we see how the past continues to haunt you, and major DIY companies.

Home Depot’s Big Bill

A hot topic in cyber security has been who is ultimately responsible for a data breach.  If your identity is stolen, are you responsible?  If it involves a credit card number, are the banks responsible?  If a company or retailer is hit, do they pay for what you’ve lost?

Security breaches cost companies billions of dollars each year.  Because of the potential threat to brand reputation, some companies try to keep quiet about a data breach, just as banks often disguise a response to a robbery.

The tide is shifting, however, where federal governments are requiring companies to notify customers of potential security losses—if a healthcare agency is hacked, chances are they will be required to inform you that your personal information was potentially compromised, and even offer services such as free credit monitoring for a period of time.

When Home Depot saw 56 million credit and debit card numbers potentially stolen in 2014, banks bore the brunt of associated expenses: new cards were issued, and any potentially fraudulent charges had to be absorbed by the issuing company.

Well, the Credit Union National Association (CUNA) fought back, and recently a settlement to the tune of $25 million was made.  CUNA claimed that this single data breach cost credit unions $60 million, so the suit aimed to recover some of those costs.

Since that breach, many companies have switched to chip reading card technology and other measures to prevent loss of data.

Considering that a single breach can cost a company millions of dollars, upgrading to EMV seems like a minor expense.

Your Fitness Tracker Joined the Army

Fitbit, Microsoft Band, Apple Watch…fitness trackers are all the rage.  Considering that they first sprung up on the market just a couple of years ago, it seems these high-tech pedometers have taken on a life of their own.

And in another way, perhaps they have: your fitness tracker may have joined the robot army.

The internet of things (IoT) has created a robot (botnet) army, responsible for targeting businesses or slowing down the internet on the whim of hackers or nefarious governments.  Devices such as Blu-ray players, home security systems, toys and ATMs have all been unwittingly recruited in recent years.  Such attacks are predicted to increase, including ransomware attacks that could target the devices themselves, hijacking or locking up your data.

Ransomware attacks tend to be largely successful, in part, because of low individual cost: wouldn’t most people pay $10 to have access to their Fitbit restored?  Multiply that $10 by 10,000 people and suddenly you have a 6-figure payout to one individual hacker.

Hackers don’t even have to be all that skilled to participate in such nefarious activity: ransomware kits and hacker-for-hire services (third-party resources) are readily available on the cyber black market.

The three biggest things you can do to keep your device out of the robot army?

  1. Change default usernames and passwords on all devices, using a unique username and password for each one.
  2. Always back up regularly, so you can restore from a backup in the event of a ransomware attack.
  3. Always update when updates become available. Updates aren’t really about feature upgrades, though those are sometimes included, but more often are about security flaw patches.  When you skip an update, you extend the window during which a known, already-publicized flaw can be used against your device.
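The three rules above are easy to state and easy to let slip. One way to keep yourself honest is to keep a small inventory of your devices and audit it against those rules. The script below is an added example, not code from the article or from any vendor: it checks a constructed sample inventory for vendor-default credentials, passwords reused across devices, stale or missing backups, and pending firmware updates. The default credential pairs, device names, firmware versions and dates are all hypothetical sample values; only password hashes are kept in the inventory so the audit file itself does not become a plaintext credential list.

```python
"""Audit an IoT device inventory against three hygiene rules:
unique non-default credentials, current backups, current firmware.
Every device record and default-credential pair below is constructed
sample data for this example (hypothetical), not real vendor defaults."""
import hashlib
from datetime import date, timedelta


def _sha256(text):
    """Hex SHA-256 of a string; the inventory stores password hashes, not passwords."""
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed list of (username, password) vendor defaults, stored hashed.
KNOWN_DEFAULT_HASHES = {
    (user, _sha256(pw))
    for user, pw in [("admin", "admin"), ("admin", "password"), ("root", "1234")]
}

# A backup older than this is treated as stale (policy choice for the example).
MAX_BACKUP_AGE = timedelta(days=7)


def audit_device(device, today, max_backup_age=MAX_BACKUP_AGE):
    """Return the list of hygiene findings for one device record."""
    findings = []
    # Rule 1: credentials must not match a known vendor default.
    if (device["username"], device["password_sha256"]) in KNOWN_DEFAULT_HASHES:
        findings.append("default credentials")
    # Rule 2: a backup must exist and be recent enough to restore from.
    last_backup = device.get("last_backup")
    if last_backup is None or today - last_backup > max_backup_age:
        findings.append("backup missing or stale")
    # Rule 3: installed firmware must be the latest the vendor has published.
    if device["firmware"] != device["latest_firmware"]:
        findings.append("firmware update pending")
    return findings


def audit_inventory(devices, today, max_backup_age=MAX_BACKUP_AGE):
    """Audit every device, then flag passwords shared between devices (rule 1's 'unique')."""
    report = {d["name"]: audit_device(d, today, max_backup_age) for d in devices}
    devices_by_hash = {}
    for d in devices:
        devices_by_hash.setdefault(d["password_sha256"], []).append(d["name"])
    for names in devices_by_hash.values():
        if len(names) > 1:
            for name in names:
                report[name].append("password shared with other devices")
    return report


# Reference date for the audit: the article's publication date.
TODAY = date(2017, 3, 24)

# Constructed sample inventory (hypothetical devices, versions and dates).
SAMPLE_DEVICES = [
    {"name": "fitness-hub", "username": "admin",
     "password_sha256": _sha256("admin"),
     "last_backup": date(2017, 3, 20), "firmware": "2.1", "latest_firmware": "2.1"},
    {"name": "bluray-player", "username": "owner",
     "password_sha256": _sha256("correct horse battery"),
     "last_backup": None, "firmware": "1.0", "latest_firmware": "1.3"},
    {"name": "door-camera", "username": "owner",
     "password_sha256": _sha256("correct horse battery"),
     "last_backup": date(2017, 1, 2), "firmware": "4.0", "latest_firmware": "4.0"},
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_DEVICES, TODAY).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

Run against the sample inventory, the fitness hub is flagged only for its default login, the Blu-ray player for a missing backup, an old firmware build and a password it shares with the camera, and the camera for a backup that is months old plus that same shared password. The point of the shared-password check is that a strong password reused across devices still lets one compromised device unlock the rest.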

Speaking of Vulnerabilities…SAP

SAP (Systems, Applications, and Products in Data Processing), based in Germany, is the largest software developer in Europe.  SAP HANA (“Hasso’s New Architecture”) is the most common database system used by SAP technologies; it was originally developed with the Hasso Plattner Institute and Stanford University.

If those names are unfamiliar, look at it this way: SAP is huge and HANA’s what they use…so a bug of this proportion is big news.

In fact, SAP can claim an estimated 87% of the top 2,000 global companies as customers, and a function of HANA known as “User Self-Service” (USS) has been found to have a flaw, which could allow internal or remote infiltration.

Fortunately, SAP acted quickly and issued a patch in record time.

Whether or not that patch will be implemented by businesses is another story altogether—some companies notoriously take years before performing system updates and implementing new patches.

Consider it the equivalent of leaving the business doors unlocked, with a sign on the window informing everyone that you have done so: the news of these security flaws has been well-publicized.

Prevent security breaches by updating applications of every kind.

And until next week: enjoy the headlines, but stay out of them.

Massive's Media Division publishes timely news and insights based on current events, trends, and actionable cross-industry expertise.