Data breaches are a continuing problem for businesses around the country. Just in 2019, a single data breach cost a company, on average, $8.19M. Some of the more notable breaches in 2019 include:
These cases do not include the several thousands of breaches that have occurred over the last decade. With the recent data breach of the SolarWinds Orion platform, we believe similar, if not larger, breaches and costs could be coming down the pipeline. That being said, let's take a look at what we've seen and what we're anticipating in the wake of this new security breach.
In December 2020, security firm FireEye reported a serious breach of their systems and determined that it was the result of a state-backed individual or group of individuals. At the time, FireEye’s continuing investigation seemed innocuous enough and contained within their systems, and the company was saying little to nothing about their findings.
With the potential exposure of thousands of businesses, many companies are wondering where they might stand in light of this revelation, and what they can expect in the future. Here, we’re going to discuss the hack in greater detail and how it may impact retail businesses. This discussion will include some insights into what effects the hack might have on chargebacks and credit fraud.
SolarWinds is an IT management and remote monitoring software provider offering several different products covering network management, database management, managed services, and security. One of their more notable products, the Orion infrastructure management tool, was built to provide “powerful, scalable infrastructure monitoring and management... to simplify IT administration for on-premise, hybrid, and SaaS environments”.
According to the Washington Post and other technical and trade publications, the Orion platform was compromised in mid- to late-2020 (possibly as early as March or April).
A hacker group known as “Cozy Bear”, with well-known ties to Russian intelligence, compromised the update files for Orion systems so that update packages pushed to customer platforms would be infected with malware known as SUNBURST.
As of January 5, 2021, the U.S. Intelligence community has officially blamed Russian state-sponsored hackers as the source of the attack. With the inauguration of the Biden administration, there has been increased attention paid to the breach, with the President instructing U.S. Intelligence to investigate the matter fully.
Unique to this particular breach, the attackers did not immediately begin to mine information or destroy systems. The campaign was built around stealth, to minimize exposure and to stay hidden for as long as possible. The malware would wait for as long as 2 weeks before notifying the attackers that it had entered a new user’s system. During that 14-day period, the malware gathered user data and credentials, customer data, and other information existing on the system.
All in all, the attack has potentially affected up to 18,000 SolarWinds customers, and the full extent of the damage is not known. More importantly, most security experts claim that the hack is still ongoing, and the malware and the attackers still pose a risk to infected systems, especially those whose owners aren’t aware they’ve been infected.
According to FireEye, SUNBURST is a malware backdoor that was inserted into a program library SolarWinds.Orion.Core.BusinessLayer.dll to allow access to infected Orion systems. The malware lies dormant for 2 weeks after infection, after which it begins to communicate with malicious domains to retrieve commands, transfer files, and manipulate the infected machine.
While the full payload of the malware isn’t completely understood yet, it is known that it disguises its operations as legitimate Orion commands and features. It also uses a system of stolen credentials to perform legitimate operations inside a system, rather than brute-forcing security barriers.
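As an added example (not code from the original post, nor from SolarWinds or FireEye), the following Python script walks a directory tree, hashes every copy of the library named above and classifies each copy against two hash sets. The hash sets here are placeholders: a real run must use the indicators published in the SolarWinds and FireEye advisories, which this page does not reproduce, and the default install path is an assumption.

```python
"""Triage helper for the trojanized Orion library described above.

Finds every copy of SolarWinds.Orion.Core.BusinessLayer.dll under a root
directory, hashes it, and reports KNOWN_BAD, KNOWN_GOOD or UNKNOWN.
"""
import hashlib
import os
from typing import Iterable, List, Tuple

TARGET_DLL = "SolarWinds.Orion.Core.BusinessLayer.dll"

# PLACEHOLDER hash sets, constructed for this example; they are not real
# indicators. Replace them with the hashes from the vendor/FireEye advisories.
KNOWN_BAD_SHA256 = {"<placeholder: trojanized DLL sha256 from advisory>"}
KNOWN_GOOD_SHA256 = {"<placeholder: clean DLL sha256 from advisory>"}


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify(digest: str, bad: Iterable[str], good: Iterable[str]) -> str:
    """Anything not on the clean list is treated as suspicious until verified."""
    if digest in set(bad):
        return "KNOWN_BAD"
    if digest in set(good):
        return "KNOWN_GOOD"
    return "UNKNOWN"


def scan_tree(root: str, bad=KNOWN_BAD_SHA256, good=KNOWN_GOOD_SHA256) -> List[Tuple[str, str, str]]:
    """Return (path, sha256, verdict) for every copy of TARGET_DLL under root.

    The name match is case-insensitive because Windows file systems are.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == TARGET_DLL.lower():
                path = os.path.join(dirpath, name)
                digest = sha256_file(path)
                findings.append((path, digest, classify(digest, bad, good)))
    return findings


if __name__ == "__main__":
    import sys
    # Assumed default Orion install root; pass another root as the first argument.
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Program Files (x86)\SolarWinds"
    for path, digest, verdict in scan_tree(root):
        print(f"{verdict:10} {digest}  {path}")
```

An UNKNOWN verdict means the copy matched neither list and should be verified against the vendor's published hashes and signature before the host is trusted.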
FireEye first discovered the malware in its own systems, where it had stolen multi-factor authentication credentials.
Currently, the full roster of infected systems is expanding, and many potential victims may not even know they’ve been struck. There are multiple companies that have come forward to protect their users, but there are even more without the proper security or reporting tools to catalog such an attack:
SolarWinds serves a number of customers across multiple industries, including corporations like Comcast, AT&T, and MasterCard. In fact, more than 425 members of the Forbes 500 were using some form of SolarWinds products.
As you might see, many of these companies either work as managed service providers or cybersecurity consultants.
While these companies have either denied infection or have remained silent during their own investigations, it simply signals to the rest of us that we don’t know how far this breach has gone.
There are two things to consider here: the more immediate concern and the far-ranging implications.
If you are a customer or user of SolarWinds technology, you have an obligation to secure your systems and, most likely, work with security professionals to identify the extent of your infection and the exposure of company and customer data.
Furthermore, the interconnected nature of an infrastructure attack only increases vulnerability exposure. Microsoft has already reported that SolarWinds binaries were found in their Microsoft 365 environments and have potentially affected 40 of their own customers.
While there are no guarantees right now, and no one wants to speak out of turn for fear of inciting panic, there are several potential outcomes that could impact retailers and the payments industry:
Retailers are going to protect themselves by investing in Chargeback Prevention and Recovery as a key part of their business strategy. Not only will this approach help mitigate chargebacks, but it will help customers who have become victims themselves.
The SolarWinds hack is the defining event for cybersecurity in the new decade, one that will shape how businesses and public institutions frame their security and data agendas. Merchants in the U.S. will likely see more indirect fallout from it, for example through credit fraud and subsequent chargebacks.
Best practices for chargeback prevention are still effective parts of your business strategy. Protect your reputation with strong fraud protection and ensure that customers suffering from credit card fraud get prompt support. At the same time, refocus your security and representment priorities on preventative measures.
Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions or requests for advice to: win@chargebackgurus.com.