The Staples Data Breach: Why “Low Impact” Breaches Still Cause Serious Damage
The Staples Data Breach gives us to discuss the common discourse around “low-impact” security breaches. While sensitive data is of course more dangerous if exposed or stolen, all personally identifiable information (PII) can cause serious damage in the wrong hands.
Here are the facts. Office retail giant Staples disclosed a data breach compromise some customer’s order information. According to a disclosure from the company, the data appears limited to “non-sensitive” customer data. This includes names, addresses, email addresses, phone numbers, last four credit card digits, and details about the order. The exact scale of the data breach, and the identity of the hackers, remains unknown at this time.
On the surface, this appears so minor a breach it barely seems worth mentioning. However, cybersecurity experts do not shrug off the Staples Data Breach as just another example of hackers being hackers. Instead, they have used it as an opportunity to discuss why even a minor data breach can devastate businesses and customers alike.
Widget not in any sidebars
The Staples Data Breach: The Experts Respond
Laurence Pitt
Laurence Pitt is the Technical Security Lead at Juniper Networks.
“Many people will see this as a relief that ‘only names, email addresses and phone numbers’ were shared – their credit cards are safe and their transactions remain a secret. However, this is not the case. These pieces of PII still have value on the black market and can be used in order to gain access to other, and perhaps more sensitive, information. The combination of ‘email address and telephone number,’ for example, would be a great start for anyone attempting takeover attacks on personal data.”
“It’s about time that we stopped ranking personal data theft on perceived severity. Any breach in which personal data is stolen needs to be treated as highly serious and punishable. Then, maybe people will be more careful about what databases are left around for people to find.”
Saryu Nayyar
Saryu Nayyar is CEO at Gurucul.
“While the Staples breach appears to be ‘low impact’ in that no sensitive customer information was released, even supposedly non-sensitive information can be leveraged by a savvy attacker. Knowing what a person or business has ordered, and when, can be just the hook a threat actor needs to formulate an effective phishing email or another social engineering attack. In this day and age, there is very little information that can’t be leveraged in some way for nefarious purposes.”
Chloé Messdaghi
Chloé Messdaghi is VP of Strategy at Point3 Security.
“For Staples to say that customer order data is non-sensitive is ridiculous. Any social engineer attacker can use that type of data for a phone phishing campaign like this: ‘When you bought (name of purchased product) under xxxxxxxxxxxx confirmation number, we seem to have overcharged you. Can you please provide your full details of the credit card on file with the xxxx last four digits, so I can get that refund for you?’”
“We don’t know how the breach happened but we do know that this is the exact kind of data that can be used maliciously.”
Final Thoughts
A groundbreaking study from Ping Identity found that 81 percent of consumers would stop engaging with a brand online after a data breach. To customers, it doesn’t matter the “sensitivity” of the data stolen; instead, it comes down to trust. Keep this in mind before dismissing minor breaches.
You can learn more in our SIEM Buyer’s Guide.
Widget not in any sidebars