In this case, an employee went on a spending spree using company gift cards for an e-commerce store. But how did it happen, and what can you do to prevent the same thing from happening to you?
A disloyal employee in a top e-commerce company decided they would “prove” that there weren’t enough security measures in place to protect customers. Unfortunately, they did so by contravening security policy and theft.
Using the audit login, the employee gained read access to the CRM where all the codes for gift cards were stored along with the card owners’ personal data. Additionally, all gift cards have an expiry date, meaning that if they aren’t used by a particular date, the funds on them can no longer be used.
The employee searched for gift cards that were due to expire in the coming day or two and copied the personal data of the cardholders and the gift card numbers. They then created a new account on the e-commerce website, registered the card and impersonated the purchaser of the gift card. The employee then made purchases from the e-commerce store, with orders sent to collection points that were located in the vicinity of the address of the gift card purchaser.
As you can see, the shrewd and devious thief employed a complex scheme to cover their tracks on top of using the audit login. Because of this, it took some time to uncover the theft – several weeks – during which time the value of the funds spent ran into the tens of thousands of dollars.
Logs in the CRM would have usually shown that customers are making requests, but they began to show that the audit login was constantly searching the database and delving into client data. It was also logged that a table with around 10,000 customer addresses was also copied. The attacker tried to do this quietly and dodge the monitoring, copying the table over several weeks. This didn’t help, and the logs were the thief’s downfall.
When they were caught, the employee claimed that they were proving that there were holes in the system as part of their job.
In this case, gift certificate data and customer personal data should not have been stored in the same place as this allowed the thief to exploit the system.
First of all, the audit login shouldn’t have been able to see the data unencrypted. Secondly, the employee was given excessive access to their role at the company.
Lastly, the e-commerce company could have put a verification mechanism in place to activate the cards. For example, they could have employed SMS or email authentication to use the gift cards.
You need to monitor privileged user accounts, even those accounts that are used to protect or audit the security systems. Monitoring everything should be a priority in any business. Secondly, you shouldn’t store personal data so that it is accessible to those that don’t need access to it to carry out their work. Define who needs access to what and create an approval system for access to different data types.
In this case it was gift certificates, but internal threats could exploit similar weaknesses for all kinds of businesses. Strengthening your security with additional authentication and monitoring will help keep your company’s data secure.
Originally published at info security.