Recommended Action to Address a Recent E-Commerce Threat: GameStop Case Study

GameStop Data Breach

Research Project 2: Recommended Action to Address a Recent E-Commerce Threat

Table of Contents

Presentation of the E-Commerce Attack………………………………………………..3

Diagram Depicting Mechanism of Data Breach and Exploitation………………………4

Potential or Actual Consequences of the Data Breach………………………………….5

Risk Assessment of the Data Breach……………………………………………………6

Overview of the Proposed Solution……………………………………………………..7

Specifics as to the products, services, policies, procedures………………………………..7

Ancillary considerations related to system integration, business process integration………………………………………………………………………………..8

Assessment of impact on business process efficiency and efficacy……………………..8

Assessment of the degree to which the risk has been reduced…………………………..8

Recommended maintenance procedures…………………………………………………9

Conclusion………………………………………………………………………………9

References……………………………………………………………………………….11

Presentation of the E-Commerce Threat

According to (Business Insider,2018) there were 16 retailers that experienced Data breaches. As of January 2017, data breaches are on the rise, the retailer I will be speaking about is GameStop. On April 2017, GameStop confirmed that it had undergone a data breach. All customers who shopped online or at a GameStop store were vulnerable, since names, addresses, were all stolen in a breach of the website’s payment processor. The vulnerability of the customers went on for a six-month period from August 10, 2016 to February 9, 2017. (Business Insider, 2018).

Majority of data breaches target major companies and retailers. When data breaches occur, it usually seems like the hackers were trying to exploit any type of vulnerabilities in the site and were successful. Earlier this year, not only was GameStop was affected by a data breach, but other companies were affected as well: Forever 21, Sears, Macys, Darden restaurants, Kmart, and others. Data breaches can cause lots of damage and take a long period of time to resolve. The main cause can be hackers; however, it could also be due to the failure of the companies not being able to protect and secure their own data.

The cause of this breach was due to the data from credit card payments made on the GameStop website was being offered for sale on another website. GameStop failed to protect sensitive card information online and, in its stores, which resulted in the credit card and debit card numbers of each customer to be exposed or compromise of financial information of each consumer. Based on information from (Top Class Action, 2018), according to the GameStop class action lawsuit in June 2017, a notification was sent out to the affected consumers notifying them that 1.3 million credit and debit card numbers were compromised, in result to the data breach.

Diagram Depicting the Mechanism of a Data Breach Attack and Exploitation

 The focus of the cybercriminal when causing a data breach is to infiltrate a data source and extract sensitive information. This can be done physically by accessing a computer or network to steal local files or by bypassing network security remotely. There are four steps that the cybercriminal executes in order to have a successful attack: research, attack, network/social attack, and exfiltration. The goal of the attack is to research or identify the weaknesses and loopholes in the company’s security (people, systems, or network). (TrendMicro, 2018). Next, is to make contact by using a network or social attack. For example, planting a virus on the computer system, or sending a text message or email that contains a virus. With a social attack an employee will be tricked and baited into giving out their login information without knowing it, which will then give the cybercriminal complete access to the company’s network. After the social/network attack is fulfilled, and the cybercriminal has full access to get into the computer, they will then try to tunnel their way into the network in order to find and steal confidential and classified data from the organization. Once the data is extracted, the attack is then considered a success.

To fully understand how the Data Breach was able to affect GameStop and the other retailers, one would need to understand the steps that go into planning and executing a data breach. You can think of Data Breach as someone stealing all your financial information and using it for malicious reasons or a bank robbery where someone goes into everyone’s bank accounts and steals all the money in that account. It was believed that a third party reported to the company that the data and all financial information was being compromised and offered for sale online. (Delaware Law, 2018).

(Data Breaches 101: How They Happen, What Gets Stolen, and Where It All Goes. (n.d.). Retrieved from https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/data-breach-101)

                 Potential or Actual Consequences of Data Breach Attacks

The affected e-commerce and retailer sites are some of the most popular amongst consumers. At the time of the attack and even to date none of the attackers have come forward to take responsibility for the attack or took any ownership over the data breach of GameStop, besides GameStop itself. It was identified and noticed that financial information and company data was being infiltrated and extracted from the GameStop website and store. The website was affected by information of consumers being offered online for sale along with the possibility of usernames and passwords of consumer accounts that were most likely generic and simple enough for the attackers to guess and hack into GameStop’s website.

Many of the companies that dealt with a data breach like GameStop were probably vulnerable for a long period of time or several months like GameStop. It was vulnerable for six months due to the data breach its company faced, which probably impacted their production, sales, and customers. Data Breach attacks are becoming more sophisticated and harder to prevent. It’s important to mitigate any risk prior to avoid system vulnerabilities.

                              Risk Assessment of the Data Breach Attack

 Identifying risk is the first step in the risk management process. The first step allows the business to gather together in order to perform an analysis and organize techniques and strategies for mitigation to prevent any possible threats. It ensures that all risks have a response, someone monitoring all responses to help reduce and mitigate the threat. It’s possible to delegate that all responses and reactions to a data breach attack to a company and e-commerce are listed below:

• Risk assessment for data breaches need to be conducted at each of the companies involved, identifying the risk first then completing an impact analysis regarding the risk and then going forward with mitigation of the risks.
• Develop an incident response plan and disaster recovery plan in order to respond to the data breaches in the system and servers.
• Create a post or log within the company the analysis along with the leverage for monitoring and managing e-commerce services.
• Know the ins and outs of the infrastructure components. It’s best to know the equipment on the network and all related resources as well as the strength and weaknesses of the components that need to be monitored.
• Have a clear understanding of options to prevent data breaches along with data breach implementations and mitigation and the rules of data breach attacks on e-commerce sites.

Proposed Solution

 What happened with GameStop isn’t considered the first massive data leak to happen in the past few years, and it won’t be last, as it happened to tons of well-known companies and organizations. However, the use of blockchain technologies will provide a better opportunity for prevention. GameStop could create a website with similar features to that of their original website by building them on a blockchain, therefore creating a decentralized network and website. All data would be on the blockchain, usernames and passwords of each consumer and user would be encrypted and the only the user could unlock the encryption. Thus, preventing private data information from being leaked and compromised. (Forbes, 2018).

Recommended Policies, Products, Services, and Procedures

 If a company were to remain fully centralized, that puts them at a higher risk for data breaches and leaks. Therefore, decentralization through the means of the blockchain, is the future of security and data privacy. Also, investing in some good firewall and antivirus protection, could help protect your servers and networks from being infiltrated from unauthorized users. It’s best to do a wipe down of all servers and computers, by doing routinely scans and backing up data and storing it somewhere safe. Another good procedure would be to write up incident response plans and disaster recovery plans to prepare for data breaches and natural disasters that could cause loss of data. Implementing WIN on each device and computer could be another good product to use, since it is a software product programmed to detect any outside threat to the user’s account and terminate their operations before causing damage to the system. It integrates information from billions of sources, such as data from customers. (Webroot Inc, 2014).

Integration of the system in business

 The system will provide protection on both ends: the user and the receiver. The organization that provides and offers e-commerce services will install their programs into the databases of the store retailers and online retailers. The database will gather the following data from the customer, login information of the individual logging into the e-commerce account, device being used: computer, tablet, cell phone, monitor the security of network and database, the status of the threat prevention software (Webroot Inc, 2014). 

Implementation Procedure

 New and existing consumers that are online shopping will need to update their accounts and change their passwords and usernames occasionally, perhaps, every three months. This is to keep the cybercriminals from being able to hack into user accounts. Retailers should probably be using two-step verification on their websites in order to be safe, when a consumer signs up for a store account only they will receive email and text notifications about account updates. A code will also be sent in order to confirm and verify the account of everyone. This way, no financial information can be compromised or stolen.

Risk of Degree Reduction

 When it comes to threat detection and prevention, perhaps, it best to install CCTV cameras in the store, and install system monitoring software, in order to keep intruders out. Once the software is installed and commissioned on the computer, data will be gathered about who is logged in at what time, what they are using to pay for their games, and the confirmation code will only verify the accounts of the users, that enter the codes into the systems. If someone logs on too many times with a wrong password, an alert will be sent to their emails, to report suspicious activity, or to ask the consumer to verify that it was them that tried to login but forgot their login information. It offers instant protection to all users irrespective of their location on the continent. All data should be backed up and stored somewhere safe, hard copies of everything should also be made, along with using an external hard drive, in case data gets compromised and breached. With this process, only authorized personnel should have access to all this equipment and information. Additionally, users can access 24-hours online customer service to help solve any issue arising from the software usage.

Maintenance Procedure

 Users will not be required to initiate any update on the system as it automatically updates itself through the internet.

Conclusion

 Data breaches have become more common and harder to prevent despite the devices that you use for online shopping. Also, some devices could already be corrupted and come with viruses that could compromise data and no one would know it. Data collected from more than 100,000 e-commerce stores revealed that more than 50 percent of the traffic came from mobile phone users (Lutke, 2014). However, even technology provided by the organization and company could possibly have become more open to security threats because of the high vulnerability of the organization’s web browser in open networks which could be used as an easier attacking platform.  For example, WiFi, it’s better to be safe than sorry, most public WiFi, tend to have more risks of intruders and people hacking into the network, in order to infiltrate into the system and extract data. Availability of many of transactions and sensitive information going through e-commerce open networks attracts many threats. E-commerce creates a major influence on network security protocols that focuses entirely on external threats.

References

• Data Breaches 101: How They Happen, What Gets Stolen, and Where It All Goes. (2018, August 10). Retrieved from https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/data-breach-101
• Layzell, N. 12 Potential Consequences of Data Breaches. (2018, March 29). DataConomy. Retrieved from https://dataconomy.com/2018/03/12-scenarios-of-data-breaches/
• McParland, T. GameStop Agrees to Settle Data Breach. (2018, July 16). Delaware Law Weekly. Retrieved from https://www.law.com/delawarelawweekly/2018/07/16/gamestop-agrees-to-settle-data-breach-class-action/
• Romano, B. (2018, November 09). Security breach at Nordstrom exposed sensitive employee data. Retrieved from https://www.seattletimes.com/business/retail/security-breach-at-nordstrom-exposed-sensitive-employee-data/
• Vines R., & Krutz, R. L. (2007). The CISSP and CAP Prep Guide: Platinum Edition. John Wiley & Sons Incorporated. pgs. 191-192.
• What Can We Do to Solve the Data Breach Problem? (2018, April 20). Forbes. Retrieved from https://www.forbes.com/sites/quora/2018/04/20/what-can-we-do-to-solve-the-data-breach-problem/#917aa2f7feec
• Webroot Inc. (2014). Stop Malware and Web-Based Threats Hassle-free business security.
• Retrieved 11 Dec. 2015, from http://www.webroot.com/gb/en/business/