Data breaches are always big and bad news, but we can learn from them too. Our Head of Development talks through some lessons to be learnt from Jewson's breach.
On Monday (13th November) Jewson Builders Merchants, part of the Saint-Gobain group, had to take its website offline as it announced it had suffered a data breach affecting anyone who had used the website between 23rd August and 3rd November 2017.
A letter sent to customers by Jewson states: “As a Jewson Direct customer, we regrettably are writing to inform you that our website (www.jewsondirect.co.uk) has suffered a security breach and, as a result, your personal data including your credit/debit card details may have been compromised.”
The company warned customers that the data stolen during the breach may include names, as well as their password, email address, location, billing address, telephone number, payment details, card expiry dates, and CVV numbers. Jewson states that these details “may” have fallen into the hands of an “unauthorised person”.
What Jewson did right
- When Jewson became aware of the breach they immediately took their website offline
- They notified their customers in writing and offered them 12 month memberships to Experian ProtectMyID to help protect their data from being used for fraud
- They got a forensic analysis/PCI Forensic Investigator (PFI) company involved
What will happen next for Jewson?
- They will have to engage with a PCI Forensic Investigator (PFI) to establish the source of the breach and to ensure any security holes are closed
- They will have to engage with their acquirer and payment gateway and seek accreditation/re-accreditation for PCI-DSS. This will likely involve considerable changes to process, to ensure customer data is kept safe
- In their letters to customers they state they have got a forensic analysis team involved to fully evaluate the impact. Once the team has confirmed the attack vectors have been addressed, the website may be brought back online
- A spokesperson for the ICO has said they’re aware of the breach and will be making enquiries. The ICO could choose to fine Jewson if they have been found to be negligent
What can you do to protect your business and customers?
PCI DSS Compliance
Ensure you’re PCI DSS compliant or at least engage with a Qualified Security Assessor (QSA) to start the process.
What Magento offers
Magento provides excellent support to its customers, ensuring Magento and all of its dependencies are actively patched as security vulnerabilities are found. As Magento is a dedicated ecommerce platform, security is paramount to its success. This is shown most clearly by the effort and resources Magento puts into its security activities. For instance:
- Magento 2 is built on a modern technical stack using popular and well maintained frameworks
- Magento Commerce (formerly Magento Enterprise) comes with a host of features that assist in the day-to-day work of preventing cyber attacks:
  - Brute force protection on admin accounts
  - Password rotation policy forcing users to set a new password every X days
  - Strong data encryption
- Magento have released the Magento Security Scanner. Make sure you or your agency have the Magento Security Scanner setup to run a daily or weekly report on your website. This is maintained by Magento, and is updated with all the latest security threats allowing you to keep ahead
- You can keep up to date in Magento’s Security Center and subscribe to the security newsletter that will notify you of new patch releases and vulnerabilities
- Magento offer rewards to engineers and security researchers that discover vulnerabilities in the software. This is handled via Bugcrowd which is also used by the likes of Netgear, Mastercard and Tesla
Education and internal policy
Education is one of the strongest tools in your arsenal against cybercrime. Tools and software can only take you so far; everyone involved in managing your online business needs to be part of the battle against a potential security breach.
Here are some simple things you can do within your business:
- Subscribe to the Magento Security Newsletter; this will notify you of any security patches that have been released or security issues you should be aware of
- Educate your staff on good password process. At JH we have a strict internal password policy and password management tools that make sure all the passwords we use are randomly generated within LastPass and as strong as possible.
- Use and enforce Two Factor Authentication wherever possible, especially on your email accounts. This usually involves an App on your phone, to authorise a new device logging into your account. You’ll also be notified when a new device is used, flagging potential misuse
- Restrict access to your website admin to only those who need it and limit their access to the specific areas they need. You should also restrict your admin to specific IP addresses so it isn’t reachable from the public internet
- Ensure you’re PCI compliant and complete PCI accreditation
- Work with a forensic analysis company for bi-annual penetration testing
- Regular security audits by your Magento Solutions Integrator, Hosting Company and independent 3rd parties
- If your Magento Solutions Integrator doesn’t provide security audits – work with one that will alongside your existing relationship to ensure you’re covered
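One way to implement the admin IP restriction above at the web server, as an added example rather than anything from the original post or from Magento. It assumes a Magento 2 store served directly by nginx, an admin frontName of `admin` in app/etc/env.php, and the RFC 5737 documentation addresses shown standing in for your office and VPN egress IPs.

```nginx
# Added example: allowlist the Magento 2 admin URL in nginx so the login page
# is never served to the public internet. Place this location block BEFORE the
# "include .../nginx.conf.sample" line in your server block, because nginx picks
# the first matching regex location.
# Assumptions: admin frontName is "admin" (app/etc/env.php); nginx sees the real
# client IP. If a CDN or load balancer sits in front, configure set_real_ip_from /
# real_ip_header first, otherwise $remote_addr is the proxy and deny all blocks everyone.
location ~ ^/(index\.php/)?admin(/|$) {
    allow 203.0.113.10;       # office static IP (RFC 5737 example address)
    allow 198.51.100.0/24;    # VPN egress range (RFC 5737 example range)
    deny  all;                # everyone else receives 403 before PHP is invoked
    # Same fallback Magento's own sample config uses, so allowed requests reach the app
    try_files $uri $uri/ /index.php$is_args$args;
}
```

After reloading nginx, a request to /admin from an address outside the allowlist should return HTTP 403, while the rest of the storefront is unaffected.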
Third party tools
- Make sure your website has all the latest patches installed. The Magento Security Scanner will check for this, but there are also other tools such as https://www.magereport.com/
- Use security services such as https://detectify.com/
Secure your site today
We hope the lessons from Jewson have you protecting your site going forward and that security is made a regular part of everybody’s routine. All too many will only react after they’ve been breached, and we hope the steps outlined in this post help your organisation become proactive.