Paying For Coffee With Your Cup?
June 11, 2019

Stop Credit Card Fraud By Renewing Your Domain
June 24, 2019

We’ve seen a rash of data breaches in the past few years, too many in fact. As part of the fallout, people have had their credit card information stolen, and many have paid a service to help them deal with identity theft. Unfortunately for the customers of LifeLock, the company may have just exposed their records to potential criminals.
The Vulnerability
A vulnerability on the site was discovered that allowed anyone with a web browser to enumerate the email addresses associated with LifeLock accounts, which is to say almost anyone visiting the site. It also allowed anyone to unsubscribe a particular person, or the entire list, from receiving emails from LifeLock. An attacker could therefore not only harvest the email address of every single LifeLock customer but then turn around and phish those people. With over 4.5 million accounts, this would be a significant haul.
When the vulnerability was discovered, LifeLock’s parent company Symantec took the site offline. The flaw worked like this: LifeLock sent out an email, and if the recipient clicked the unsubscribe button, a web page opened whose hyperlink ended in a subscriber key. Changing that key in the address bar brought up the record of a different customer. Writing a script to harvest all of that information proved to be very easy, as a security expert and former LifeLock subscriber demonstrated and reported to cyber security expert Brian Krebs.
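The pattern described above, a bare subscriber key in the unsubscribe URL that anyone can edit, is what is usually called an insecure direct object reference. The following is an added example written for this post, not code from LifeLock, Symantec or their email provider. It puts the weak lookup beside a hardened version: the link carries an HMAC-signed token bound to one subscriber id and an issue time, the server verifies the tag in constant time, an edited id fails verification, and the response never echoes the full address. The subscriber store, the server secret and the seven-day token lifetime are constructed assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time

# Constructed sample subscriber store (hypothetical records, not LifeLock data).
# The integer keys stand in for the sequential subscriber key the article describes.
SUBSCRIBERS = {
    1001: {"email": "alice@example.com", "subscribed": True},
    1002: {"email": "bob@example.com", "subscribed": True},
}

# Per-deployment secret (assumption: generated once and kept server-side only).
SERVER_SECRET = secrets.token_bytes(32)

TOKEN_MAX_AGE = 7 * 24 * 3600  # assumption: unsubscribe links expire after a week
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def weak_unsubscribe_page(subscriber_key):
    """The pattern from the article: the URL carries the raw subscriber key and
    the page shows whatever record that key points to. Anyone who edits the key
    in the address bar sees another customer's email address."""
    rec = SUBSCRIBERS.get(subscriber_key)
    return None if rec is None else {"email": rec["email"]}


def make_unsubscribe_token(subscriber_id, issued_at=None):
    """Hardened replacement: the link carries an HMAC-signed token bound to one
    subscriber id and an issue time, so the id cannot be changed without the key."""
    if issued_at is None:
        issued_at = int(time.time())
    payload = f"{subscriber_id}:{issued_at}".encode()
    tag = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).rstrip(b"=").decode()


def _decode_token(token):
    """Split a token back into (payload, tag); None if it is not even well-formed."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except (ValueError, binascii.Error):
        return None
    if len(raw) <= TAG_LEN:
        return None
    return raw[:-TAG_LEN], raw[-TAG_LEN:]


def verify_unsubscribe_token(token, now=None):
    """Return the subscriber id the token was issued for, or None if the tag
    does not verify, the payload is malformed, or the token has expired."""
    parts = _decode_token(token)
    if parts is None:
        return None
    payload, tag = parts
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    # Constant-time comparison so response timing does not leak how much of the tag matched.
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        sid_text, ts_text = payload.decode().split(":")
        subscriber_id, issued_at = int(sid_text), int(ts_text)
    except ValueError:
        return None
    now = int(time.time()) if now is None else now
    if now - issued_at > TOKEN_MAX_AGE or issued_at > now + 60:
        return None
    return subscriber_id


def mask_email(addr):
    """Show only the first character of the local part, e.g. a***@example.com."""
    local, _, domain = addr.partition("@")
    return f"{local[:1]}***@{domain}" if domain else "***"


def hardened_unsubscribe(token, now=None):
    """Acts only on the single subscriber named in a valid token and never echoes
    the full address back. Bad tags and unknown ids get the same response, so the
    endpoint cannot be used to learn which ids exist."""
    subscriber_id = verify_unsubscribe_token(token, now)
    if subscriber_id is None or subscriber_id not in SUBSCRIBERS:
        return {"status": "invalid"}
    SUBSCRIBERS[subscriber_id]["subscribed"] = False
    return {"status": "unsubscribed", "email": mask_email(SUBSCRIBERS[subscriber_id]["email"])}


def is_subscribed(subscriber_id):
    return SUBSCRIBERS[subscriber_id]["subscribed"]


def token_with_swapped_id(token, new_id):
    """Check of the control: rebuild a valid token with a different subscriber id
    but the original tag, the same edit that worked against the raw-key page.
    verify_unsubscribe_token must reject the result."""
    payload, tag = _decode_token(token)
    _, ts_text = payload.decode().split(":")
    return base64.urlsafe_b64encode(f"{new_id}:{ts_text}".encode() + tag).rstrip(b"=").decode()


if __name__ == "__main__":
    print("weak page, key 1002:", weak_unsubscribe_page(1002))
    tok = make_unsubscribe_token(1001)
    print("edited token accepted?", verify_unsubscribe_token(token_with_swapped_id(tok, 1002)))
    print("hardened unsubscribe:", hardened_unsubscribe(tok))
```

The two properties that matter here are that the id never appears as a bare editable value, and that a token is valid for exactly one subscriber, so there is no input that maps to "the entire list". An expiry keeps a leaked link from working indefinitely, and masking the address in the response means that even a valid token reveals nothing a phisher could use.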
The Problem Was Not With LifeLock
It turns out that the issue was actually caused by a third party, and it was quickly fixed. Symantec claimed that, outside of the email addresses discovered by the researcher, no other customer records were compromised. Unfortunately this kind of issue has become all too common, and it shows just how vulnerable information on the Internet can be. At least they did not deny that they had a problem on their hands, and they worked to fix the issue.
At JLE Business Consultants we push PCI compliance and its benefits. One of the components of PCI compliance is making sure that any third party that handles customer information is also compliant. In this case it seems that while LifeLock may have been compliant, their third party was not. Your security is only as good as your weakest link, and by using a third-party service you take part of that out of your control. In many cases that is not a bad thing, as these companies take security seriously, but in a case like this there could be far-reaching consequences. LifeLock may have dodged a huge bullet here, but the next company may not be so lucky.