In a little over a week, and around the Cyber 5, the busiest sales time of the year, two online retailers and a distributor of dental products suffered different types of data breaches that put customers’ privacy at risk.
Office supplies retailer Staples was the victim of a data breach after Thanksgiving. Ancestry-testing company 23andMe confirmed on Dec. 4 that an outside source accessed customer data. Dental products distributor Henry Schein suffered a data breach days before Thanksgiving, as well as one in October.
Staples Inc. is No. 14 in the Top 1000. The database reflects Digital Commerce 360’s rankings of the largest North American online retailers based on their web sales. 23andMe Inc. ranks No. 317.
How do the cyber attacks compare and differ?
The incidents are not all the same, though, according to Jon Marler, cyber evangelist at VikingCloud, a cybersecurity and compliance company. Marler and his team develop solutions for clients to deal with evolving cyber threats.
The 23andMe incident was not a data breach in the traditional sense, he said, based on publicly available information. According to the company’s statements, the culprit (or culprits) did steal customer data, but they got in through credential stuffing, logging in with valid customer credentials rather than breaking into 23andMe’s systems, and exfiltrated the data from there, Marler said.
“What that means is that there was a very large group of customers using the same password for multiple websites,” Marler said. “This is a very well-known security problem that has gotten a lot of media attention in the past. This user practice has created a very large corpus of logins and passwords — usable on many sites — on the dark web.”
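The pattern Marler describes leaves a recognisable trace in authentication logs: one source tries many different accounts in a short window, most attempts fail, and the few successes are the reused passwords. The detector below, written for this page as an added example (it is not code from VikingCloud, 23andMe or the article), runs that heuristic over a handful of constructed log lines; the log format, IP addresses, window and thresholds are assumptions chosen for illustration.

```python
"""Credential-stuffing detector run over constructed auth-log lines.

Added example for this page; not code from the article or any company it mentions.
The log format (ISO timestamp, source IP, username, OK/FAIL), the addresses and the
thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 walks through many accounts (stuffing);
# 198.51.100.4 is one user retrying their own password.
SAMPLE_LOG = """\
2023-11-27T10:00:01 203.0.113.7 alice@example.com FAIL
2023-11-27T10:00:02 203.0.113.7 bob@example.com FAIL
2023-11-27T10:00:02 203.0.113.7 carol@example.com OK
2023-11-27T10:00:03 203.0.113.7 dave@example.com FAIL
2023-11-27T10:00:03 203.0.113.7 erin@example.com FAIL
2023-11-27T10:00:04 203.0.113.7 frank@example.com FAIL
2023-11-27T10:00:05 203.0.113.7 grace@example.com OK
2023-11-27T10:00:06 203.0.113.7 heidi@example.com FAIL
2023-11-27T10:00:07 203.0.113.7 ivan@example.com FAIL
2023-11-27T10:00:08 203.0.113.7 judy@example.com FAIL
2023-11-27T10:05:00 198.51.100.4 alice@example.com FAIL
2023-11-27T10:05:10 198.51.100.4 alice@example.com FAIL
2023-11-27T10:05:20 198.51.100.4 alice@example.com OK
"""


def parse(log_text):
    """Yield (timestamp, source_ip, username, succeeded) for each non-empty line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "OK"


def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_accounts=8, max_success_rate=0.5):
    """Return {source_ip: [accounts that logged in successfully]} for sources that
    look like credential stuffing: at least `min_accounts` distinct usernames tried
    from one IP inside `window`, with a success rate at or below `max_success_rate`.
    The successful accounts are the ones whose reused passwords worked and should
    be forced through a reset (as 23andMe did) and reviewed for data access."""
    events = sorted(parse(log_text))
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Sliding window: drop events older than `window` before evs[end].
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            if len(users) < min_accounts:
                continue
            successes = sum(1 for _, _, ok in win if ok)
            if successes / len(win) <= max_success_rate:
                hits = {u for _, u, ok in win if ok}
                flagged[ip] = sorted(set(flagged.get(ip, [])) | hits)
    return flagged


if __name__ == "__main__":
    for ip, accounts in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: likely credential stuffing; compromised accounts: {accounts}")
```

The thresholds are deliberately loose here so the tiny sample trips them; in production they are tuned per site, and the source key is usually an IP plus ASN or a JA3/TLS fingerprint, because stuffing tools rotate through residential proxies to stay under per-IP limits.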
On the other hand, the Staples and Henry Schein attacks appear to have been detected internally, he said, leading the companies to initiate incident responses.
“This is what we expect to happen, and with data breach disclosure laws, we expect to hear about these hacks more often. In the past, without disclosure laws, these types of incidents would not be known externally,” Marler said.
Is the timing of the cyber attacks significant?
“We have known for a long time that cybersecurity attacks ramp up during the holidays. This is the busiest time for online retailers, and attackers know it,” Marler said.
He said attackers launching ransomware attacks that shut down online business during the peak season have a higher likelihood of getting paid. Attackers know that people take time off during the holidays, he said. That leads to less attention to cybersecurity, he added.
“Couple that with increased traffic to ecommerce sites, and you get perfect conditions for launching attacks, or initiating the encryption payload for an existing hack that has been waiting to ripen,” Marler said. “It is extremely important to maintain vigilance during busy periods when the cost of failure is exponentially greater.”
Retailers address holiday data breaches
Staples’ cybersecurity team identified a risk on Nov. 27, according to a company spokesperson.
“We took proactive steps in an effort to mitigate the impact and protect customer data,” the spokesperson told Digital Commerce 360 in an emailed statement. “Our prompt efforts caused temporary disruption to our backend processing and delivering capabilities, as well as our communications channels and customer service lines.”
The Staples spokesperson continued, saying the retailer’s fulfillment supply chain “is now fully operational.”
“We continue to process incoming orders in normal course,” the Staples spokesperson said. “Our retail locations are operating normally. We continue to experience disruption to some of our communications channels and our customer service lines. Many business applications are already working and others are expected to roll out in priority order shortly.”
Meanwhile, a 23andMe spokesperson told Digital Commerce 360 via email that a “threat actor” accessed data from about 5.5 million DNA Relatives profile files. Additionally, the culprit (or culprits) accessed the Family Tree profile information of roughly 1.4 million customers who participated in the DNA Relatives feature.
What kind of 23andMe ancestry data was accessed?
The 23andMe spokesperson said the company is in the process of notifying affected customers. It has also taken steps to further protect customer data, the spokesperson said. That includes requiring all existing customers to reset their passwords, as well as requiring two-step verification for all new and existing customers.
“Based on our investigation, we have determined that the threat actor was able to access a very small percentage (0.1%) of user accounts (~14,000) in instances where usernames and passwords that were used on the 23andMe website were the same as those used on other websites that had been previously compromised or were otherwise available,” the 23andMe spokesperson said. “Of note, we do not have any indication that there has been a breach or data security incident within our systems, or that 23andMe was the source of the account credentials used in these attacks.”
23andMe provided information on the type of data it includes in each profile.
DNA Relatives profile:
- Display name.
- How recently they logged into their account.
- Their relationship labels.
- Their predicted relationship.
- Percentage DNA shared with their DNA Relatives matches.
- Also may include:
  - Their ancestry reports and matching DNA segments (specifically where on their chromosomes they and their relative had matching DNA).
  - Self-reported location (city/zip code).
  - Ancestor birth locations and family names.
  - Profile picture.
  - Birth year.
  - A weblink to a family tree they created.
  - Anything else they may have included in the “Introduce yourself” section of their profile.
Family Tree profile:
- Display name.
- Relationship labels.
- May include:
  - Birth year and self-reported location (city/zip code), if the user chose to share them.
The Family Tree feature does not include the percentage of DNA shared with their DNA Relatives matches, ancestry reports or matching DNA segment information.