Why the reseller ISS hack justifies third-party risk assessments

A security breach at Information Systems & Suppliers that exposed restaurant customers' credit card data illustrates why companies should consider third-party risk assessments, an expert says.

ISS, a reseller of Future POS electronic cash registers, notified restaurants in a June 12 letter that its LogMeIn account, which is used for remote access to customer systems, had been breached.

As a result, credit card data gathered from diners between Feb. 28 and April 18 could have been exposed, Thomas Potter, president of ISS, said.

"We regret this happened, are sorry for any difficulties it may cause, and have taken additional action to protect this from happening again," Potter said.

ISS did not say how many restaurants or credit card accounts were at risk. The company did not respond to a request for comment Wednesday.

The ISS compromise demonstrates why every organization with sensitive data should consider a third-party risk assessment to identify where data can be indirectly accessed, Al Pascual, a financial fraud and security analyst at Javelin Strategy & Research, said.

"Once these relationships have been identified, the organization should subsequently engage third parties to establish the level of risk to their data based on the third party's security capabilities," Pascual said.

Even the most secure organization could still face substantial risk if a supplier, vendor or other party fails in hardening their respective systems, he said.

ISS learned that its LogMeIn credentials had been compromised from the service provider. The point-of-sale (POS) system reseller then changed the credentials and added a second unique password to "guard against further malicious activity," Potter said.

If the company did not use two-factor authentication with LogMeIn before the breach, then it had made a big mistake, Pascual said.

"If a business utilizes remote-access without a minimum of two-factor authentication, then that business is simply asking to be compromised," Pascual said. "It is just a matter of time until someone walks through the backdoor and takes what they want."

Indeed, hackers often launch email phishing attacks against a company's employees in order to steal credentials to business accounts. In its 2014 security report, Trustwave found that 6 percent of computer breaches were through phishing attacks.

Stories by Anton Gonsalves