Security Blog

Log, log, on the wall, who is the smartest burglar of them all?

An Italian food marketplace in NYC acknowledged on June 5th that it had suffered a security breach. If you purchased something at the Eataly Marketplace in NYC between January 16th and April 2nd 2015 (the official Eataly acknowledgement can be found here), you might want to check your bank account for some “unwanted” money transfers.

After forensic analysis, the Italian food company founded by Oscar Farinetti found that it had been struck by malware installed in its Marketplace payment system, which was capturing payment details and cardholder data… yes, CVVs included.

It is quite possible that Eataly was 100% compliant with the PCI-DSS standard, and I am pretty sure this was the case. Most probably the reason behind such a breach lies with some bad individual(s) who managed to compromise the payment system while it was left unattended for a few moments, but who knows? Only time will answer that, and the appointed courts will take care of the bad guy(s).

What is important to note is that the breach was identified. “How?” you may ask. They have surely implemented centralized system logs, file integrity monitoring (FIM), and other proper auditing and alerting measures. But wait: if they had implemented all of this, including prompt alerting, then installing malware on a point-of-sale system should have triggered a lot of alarms, unless… mmm… it is not too hard to divine what the answer may be…
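To make concrete what “FIM plus alerting” means in the paragraph above, here is an added example of a minimal file-integrity monitor. It is not Eataly's or 24 Solutions' code; the directory layout, file names and contents are constructed for the demo. It hashes every file under a POS directory into a baseline, then reports anything added, modified or removed since that baseline, which is exactly the kind of signal that an unexpected binary dropped onto a point-of-sale host should produce.

```python
# Added example (not Eataly's or 24 Solutions' code): a minimal file-integrity
# monitor. snapshot() hashes a directory tree, compare() diffs two snapshots.
# Paths and file contents are constructed for the demo.
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            baseline[path.relative_to(root).as_posix()] = digest
    return baseline


def compare(baseline, current):
    """Return alerts as a dict of sorted lists: added, removed and modified paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline if p in current and baseline[p] != current[p]
        ),
    }


def demo():
    """Build a constructed POS directory, baseline it, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        pos = Path(tmp) / "pos"
        (pos / "bin").mkdir(parents=True)
        (pos / "bin" / "pos.exe").write_bytes(b"original pos binary")
        (pos / "config.ini").write_text("terminal=1\n")
        baseline = snapshot(pos)

        # Simulated unauthorized change (constructed): a new library appears,
        # the main binary is altered and the config file disappears.
        (pos / "bin" / "helper.dll").write_bytes(b"unexpected new file")
        (pos / "bin" / "pos.exe").write_bytes(b"patched pos binary")
        (pos / "config.ini").unlink()

        return compare(baseline, snapshot(pos))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"ALERT {kind}: {p}")
```

In a real deployment the baseline would be stored off-host (and signed), the comparison would run on a schedule or on file-system events, and the alerts would be shipped to the central log system rather than printed, so that the people who can change POS files cannot also silence the alert.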

Divide et Impera

…Perhaps the guy(s) who operated the point-of-sale system and the guy(s) who worked at their security operations center were asleep, or in cahoots with the bad guy(s)…

Of course, these are just hypotheses. I am not pointing a finger at anyone; I am just playing with purely IMAGINARY digital detective thoughts. What is important to stress here is that you are always at risk! It is important to separate administration tasks, so that whoever is responsible for the logs is not also responsible for the POS system, and so on, because Role Based Access Control is good. But what if one person has a lot of roles?
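The “one person with a lot of roles” problem is easy to miss when roles are inherited through groups. As an added example (not Eataly's or 24 Solutions' code, with all user names, groups and role pairs constructed for the demo), here is a separation-of-duties check: it resolves each person's effective roles, including roles inherited transitively through group membership, and flags anyone holding a combination the policy forbids, such as administering the POS system and administering its audit logs.

```python
# Added example (not Eataly's or 24 Solutions' code): a separation-of-duties
# check over role assignments. Names, groups and the conflict policy are constructed.
from itertools import combinations

# Role pairs that must never be held by one person (constructed policy).
CONFLICTS = {
    frozenset({"pos_admin", "log_admin"}),
    frozenset({"pos_admin", "siem_analyst"}),
    frozenset({"payment_developer", "payment_deployer"}),
}


def effective_roles(user, direct_roles, group_roles, memberships):
    """Roles held directly plus roles inherited through (nested) group membership."""
    roles = set(direct_roles.get(user, ()))
    seen, todo = set(), list(memberships.get(user, ()))
    while todo:
        group = todo.pop()
        if group in seen:          # guards against membership cycles
            continue
        seen.add(group)
        roles.update(group_roles.get(group, ()))
        todo.extend(memberships.get(group, ()))
    return roles


def find_violations(users, direct_roles, group_roles, memberships):
    """Return sorted (user, role_a, role_b) tuples for each forbidden pair a user holds."""
    violations = []
    for user in users:
        roles = effective_roles(user, direct_roles, group_roles, memberships)
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in CONFLICTS:
                violations.append((user, a, b))
    return sorted(violations)


def demo():
    """Constructed directory: alice gets siem_analyst only via nested groups."""
    users = ["alice", "bob", "carol"]
    direct_roles = {
        "alice": {"pos_admin"},
        "bob": {"log_admin"},
        "carol": {"payment_developer"},
    }
    group_roles = {"ops": {"siem_analyst"}, "it-staff": set(), "release": {"payment_deployer"}}
    # memberships maps a user or group to the groups it belongs to
    memberships = {"alice": ["it-staff"], "it-staff": ["ops"], "carol": ["release"]}
    return find_violations(users, direct_roles, group_roles, memberships)


if __name__ == "__main__":
    for user, a, b in demo():
        print(f"SoD violation: {user} holds both {a} and {b}")
```

Run as part of a periodic access review, this turns the question “who can both touch the POS and touch the logs?” into a mechanical check rather than something that depends on someone remembering which nested group grants what.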

Remember to always conduct thorough due diligence and background checks on who you are hiring or buying services from.

You will never know which detail will reveal the demons, but be sure: sooner or later they will visit you.

Anyhow, relax: there are also good guys ready to help you, and the good news is that you will know when they are going to visit you 😉

Stay secure.

  • 24 Solutions AB
  • Smedjegatan 2C
  • SE-13154 Nacka, Sweden
  • +46 (0)8 535 24 100