Leading Retailer Stops Massive Credit Card Leak
Data leaks can be a financial disaster for a company. Find out how to identify and take action to prevent breaches.
A major US retail site suffered a severe incident in which customer credit card numbers were leaked into the page URLs of sensitive pages along the customer journey. Consequently, every 3rd party service that collected URL data on these pages, and every 4th party service that those 3rd parties in turn loaded, also received the credit card numbers, which could then be used for unethical or unlawful purposes. The breach potentially affected hundreds of thousands of customers, exposing the company to significant risk and liability.
Namogoo’s Customer Privacy Protection alerted the retailer to the initial data leak and continued to notify the company of subsequent leaks until the incident was fully resolved. Using Namogoo, the company could readily see all the 3rd and 4th party services that had access to the sensitive data, notify them of the breach, and tell them they had inadvertently been collecting PII and PCI data. The retailer was also able to identify the affected customers and remove fraudulent purchases from their accounts and credit cards.
This leak could have been a massive financial disaster for the company. Instead, the incident was promptly identified, the relevant parties were notified, and action was taken to mitigate its impact before it became a more damaging problem.
Credit Card Details are Leaking to 3rd Party Vendors
The challenge the retail site now faced was to identify every service, 3rd and 4th party, running on these sensitive pages that collected or sent back URL data. It then needed to notify each provider of the incident and ask them to delete all the sensitive data. Identifying these vendors by manually mapping every service running on the site, across all user populations, was not feasible in the time available.
Even after the engineering and security teams thought they had resolved the problem, Namogoo’s Customer Privacy Protection found additional instances of the leak still occurring.
Visibility | Analysis | Mitigation
1. Visibility
It was evident that the company needed to mitigate the risk immediately and find a way to estimate the likelihood of such an incident happening again. It needed full visibility into whether the leak was still happening and, if so, at what volume. Insight into all the 3rd and 4th party services running on the site was the starting point, but knowing exactly what information each of these services collected, and from where, was key.
Namogoo’s Customer Privacy Protection gave the retailer the visibility it needed to rectify the problem in its entirety. It offered full visibility into the raw data, so the team could see whether the problem was still occurring and measure its scale. It also gave them complete visibility over the entire service ecosystem interacting with the website, not only 3rd party services but 4th party services as well, with the ability to isolate any user population of interest (by device type, operating system, browser, or geography) and any site section.
This level of visibility was an eye opener: the team had not realized how many 4th party services had access to the eCommerce site. Moreover, they could readily see the connections between 3rd and 4th party services and identify chains of services passing data to one another on any site section or page.
2. Incident Analysis
Most urgently, the retailer needed to deal with the impact of the breach at hand. To this end, Namogoo provided insights to determine whether the incident was still occurring (in this case, whether credit card numbers were still appearing in page URLs) as well as information to analyze its impact. With Namogoo’s Customer Privacy Protection they were able to see:
- when the incident began, whether it was still happening, and daily volumes
- which 3rd or 4th party services were running on the sensitive pages when the incident occurred
- what data was collected and where – on which page and/or section
- to which audience (device, browser, OS, site section, geography)
- the volume of credit cards affected
- the actual credit card numbers, so they could check them against transaction records and identify any fraudulent purchases made with the leaked cards
The company now had the information it needed to ensure its 3rd party service providers were not collecting information they should not be privy to, and it could take the necessary actions where warranted.
3. Risk Mitigation
While analysis of the recent breach was imperative, it was equally critical that the retailer be able to know immediately if a similar incident occurred in the future. To this end, Customer Privacy Protection provided a mechanism to alert them if:
- a new service was added to the site (3rd or 4th party)
- new information was suddenly being collected by 3rd or 4th party services, including what type of information and where (site page or section)
Thanks to Namogoo alerts, the retailer no longer has to worry about a leak going unnoticed. They can investigate and take immediate action to minimize their exposure and risk.
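The questions listed under Incident Analysis above and the alerts just described come down to two checks: are Luhn-valid card numbers present in the page URLs that tags receive, and which receiving hosts (and the 3rd parties that loaded them) are outside the approved service list. The following JavaScript is an added example written for this page, not Namogoo's product code; the request records, hostnames and approved baseline are constructed for illustration, and the scanner assumes each card number appears as one contiguous digit run.

```javascript
// Added example for this page (not Namogoo's code): detect card numbers that
// leaked into page URLs, mask them, and attribute each leak to the 3rd and
// 4th party hosts that received the URL. All data below is constructed.

// Luhn (mod-10) checksum used by payment card numbers. It filters out most
// order IDs and other long digit runs that merely look like a card number.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Scan a URL's query string and fragment for 13-19 digit runs that pass
// Luhn. Returns the PANs found and a copy of the URL with each PAN masked to
// first six / last four, which is all any tag should ever receive.
// Assumption: the PAN appears as one contiguous run (no spaces or dashes).
function scanUrl(urlString) {
  const url = new URL(urlString);
  const pans = [];
  const mask = (text) =>
    text.replace(/\b\d{13,19}\b/g, (run) => {
      if (!luhnValid(run)) return run;
      pans.push(run);
      return run.slice(0, 6) + '*'.repeat(run.length - 10) + run.slice(-4);
    });
  url.search = mask(url.search);
  url.hash = mask(url.hash);
  return { pans, redacted: url.toString() };
}

// Constructed request log: one entry per request a tag sent from a checkout
// page. `receiver` is the host that got the page URL; `via` is the 3rd party
// script that loaded that receiver (null when the site loaded it directly),
// so entries with a non-null `via` are 4th parties.
const records = [
  { day: '2019-11-18', page: 'https://shop.example/checkout/confirm?order=10023',
    receiver: 'tags.analytics-a.example', via: null },
  { day: '2019-11-19', page: 'https://shop.example/checkout/confirm?order=10024&card=4111111111111111',
    receiver: 'tags.analytics-a.example', via: null },
  { day: '2019-11-19', page: 'https://shop.example/checkout/confirm?order=10024&card=4111111111111111',
    receiver: 'px.adnet-b.example', via: 'tags.analytics-a.example' },
  { day: '2019-11-20', page: 'https://shop.example/checkout/confirm?order=10031&card=5555555555554444',
    receiver: 'tags.analytics-a.example', via: null },
  { day: '2019-11-20', page: 'https://shop.example/checkout/confirm?order=10031&card=5555555555554444',
    receiver: 'cdn.heatmap-c.example', via: null },
];

// Answer the incident questions: when the leak began, whether it is still
// happening and at what daily volume, how many distinct cards were exposed,
// which hosts received them through which chain, and which of those hosts
// are not on the approved service baseline (the "new service" alert).
function analyzeLeaks(log, approvedServices) {
  const daily = {};
  const allCards = new Set();
  const receivers = {};
  for (const r of log) {
    const { pans } = scanUrl(r.page);
    if (pans.length === 0) continue;
    daily[r.day] = (daily[r.day] || 0) + 1;
    pans.forEach((p) => allCards.add(p));
    const e = receivers[r.receiver] || { requests: 0, cards: new Set(), chains: new Set() };
    e.requests += 1;
    pans.forEach((p) => e.cards.add(p));
    e.chains.add(r.via ? `${r.via} -> ${r.receiver}` : `site -> ${r.receiver}`);
    receivers[r.receiver] = e;
  }
  const days = Object.keys(daily).sort();
  return {
    firstSeen: days[0] || null,
    lastSeen: days[days.length - 1] || null,
    dailyCounts: daily,
    distinctCards: allCards.size,
    receivers: Object.fromEntries(Object.entries(receivers).map(([host, e]) => [host, {
      requests: e.requests,
      distinctCards: e.cards.size,
      chains: [...e.chains].sort(),
      fourthParty: [...e.chains].some((c) => !c.startsWith('site ->')),
    }])),
    unapprovedServices: Object.keys(receivers).filter((h) => !approvedServices.has(h)).sort(),
  };
}

// Constructed approved baseline: any receiver outside it should raise an alert.
const approvedServices = new Set(['tags.analytics-a.example', 'cdn.heatmap-c.example']);
const report = analyzeLeaks(records, approvedServices);
console.log(JSON.stringify(report, null, 2));
```

On the constructed log the report shows the leak starting on 2019-11-19, two leaking requests per day, two distinct cards, `px.adnet-b.example` flagged as a 4th party reached through `tags.analytics-a.example`, and that same host as the one receiver not on the approved baseline. The same `scanUrl` masking applied to `location.href` before any tag fires, with the redacted URL written back via `history.replaceState`, is the client-side stopgap; the root fix is to never place card data in a URL at all, since URLs are logged and forwarded by every script on the page.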
As a result of the information provided by Namogoo’s Customer Privacy Protection, the retailer was equipped to address the breach at hand as well as mitigate the risk of similar incidents happening in the future.
The insights provided enabled them to:
- assess the extent of the breach and its impact
- take immediate action with the relevant 3rd and 4th party service providers to remove the sensitive information from their databases
- identify any impacted customers and reverse the breach's effect on them (fraudulent purchases were removed from their accounts and credit cards)
- set up alerts to mitigate the risk of similar incidents from happening in the future.
Following this incident Namogoo began working with top retailers in the US to help them mitigate similar risks especially during the holiday season.