You say Zomato, I say…data breach

It’s not very often that a breached company will establish contact with their hacker, open a dialogue, and make deals.  That’s what makes this story pretty amusing.  Zomato, India’s largest online restaurant app, experienced a breach last week that saw information from 17 million of its users stolen, and put up for sale on the dark web.  The asking price for the whole cache, including email addresses and hashed passwords, was just over $1,000, the company reported early on in a blog post.  Customers’ payment information was wisely stored elsewhere, in a secured PCI Data Security Standard compliant vault.

Only hours after confirming the attack, however, Zomato stated that they were in contact with the hacker (who goes by the handle “nclay”), claiming he had been “very cooperative.”  One of his goals, the intruder explained, was apparently to alert the company to security shortcomings in its system.  I’d say that message was received, given the company’s acknowledgment.

Interestingly, Zomato is even complying with a specific request from nclay: to run a bug bounty program on HackerOne.  In exchange, the hacker agrees to destroy all copies of the stolen data and remove it from auction.  Such “ethical hackers” are a rarity in cybersecurity incidents.

Overall, this story highlights how flaws in security software and practice can still leave a company exposed.  In the wake of attacks like this one, and especially WannaCry, organizations are re-evaluating their security and privacy policies and procedures.  Nobody wants to be the next headline, after all.  To avoid falling victim to an attack, there are several steps businesses can take.  Patching operating systems on a regular basis is a good place to start, as well as keeping all software updated.  As always, educating employees on how to spot suspicious and potentially malicious attachments, and how to avoid being tricked as so many are, can also reduce a business’s risk going forward.  A company should likewise configure employee access to only the most necessary resources, restricting who has permission for more critical data (permissions which facilitate the spread of malware like WannaCry).  Monitoring behavior patterns across the network will help detect anomalies, and folding new technology into one’s existing security strategy, rather than treating it separately, will prevent a company from falling behind.

Above all else, though, organizations should ensure the data itself is encrypted.  Incentives for this continue to crop up.  In the wake of WannaCry, the response from the Office for Civil Rights (OCR) of the Department of Health & Human Services (HHS) was to emphasize the presumption that a breach has occurred in the event of a ransomware attack.  Consequently, the affected entity will be subjected to breach notification standards by default, unless it can show a “low probability that the PHI has been compromised.”  Essentially, this means that encrypting the data before the incident can help gain an exemption from the rules.

So, there you have it.  If you want to mitigate the hassle brought about by a breach, encrypt.  Otherwise, you’ll have to count on having Zomato’s luck in dealing with your hacker.


By: Jonathan Weicher, post on May 25, 2017
Originally published at:
Copyright: NetLib