Why the reseller ISS hack justifies third-party risk assessments

A risk assessment might have uncovered Information Systems & Suppliers' security weakness


A security breach at Information Systems & Suppliers that exposed restaurant customers' credit card data illustrates why companies should consider third-party risk assessments, an expert says.

ISS, a reseller of Future POS electronic cash registers, notified restaurants in a June 12 letter that its LogMeIn account, which it uses for remote access to customer systems, had been breached.


As a result, credit card data gathered from diners between Feb. 28 and April 18 could have been exposed, Thomas Potter, president of ISS, said.

"We regret this happened, are sorry for any difficulties it may cause, and have taken additional action to protect this from happening again," Potter said.

ISS did not say how many restaurants or credit card accounts were at risk. The company did not respond to a request for comment Wednesday.

The ISS compromise demonstrates why every organization with sensitive data should consider a third-party risk assessment to identify where data can be indirectly accessed, Al Pascual, a financial fraud and security analyst at Javelin Strategy & Research, said.

"Once these relationships have been identified, the organization should subsequently engage third-parties to establish the level of risk to their data based on the third-party’s security capabilities," Pascual said.

Even the most secure organization could still face substantial risk if a supplier, vendor or other party fails to harden its own systems, he said.

ISS learned from the service provider that its LogMeIn credentials had been compromised. The point-of-sale (POS) system reseller then changed the credentials and added a second unique password to "guard against further malicious activity," Potter said.

If the company did not use two-factor authentication with LogMeIn before the breach, then it had made a big mistake, Pascual said.

"If a business utilizes remote-access without a minimum of two-factor authentication, then that business is simply asking to be compromised," Pascual said. "It is just a matter of time until someone walks through the backdoor and takes what they want."


Indeed, attackers often launch email phishing campaigns against a company's employees in order to steal credentials to business accounts such as remote-access tools. In its 2014 security report, Trustwave found that 6 percent of the breaches it investigated began with a phishing attack.

Copyright © 2014 IDG Communications, Inc.
