4. HOW HACKERS GOT IN
The forensic investigation found no evidence of a breach.
Investigators then discovered that a third-party website licensed to sell the vendor's event tickets was actually the organization that had been compromised.
5. HOW HACKERS GOT IN
The third party had to pay noncompliance and compromise fines.
The ecommerce events vendor was subject to brand degradation and the cost of the forensic investigation ordered by Visa ($25,000).
6. HOW HACKERS GOT IN
Since the forensic investigation of the third party was done by another forensic company, it is unknown exactly how the hackers breached the third party.
Similar situations indicate the possibility of SQL injection.
7. WHAT IS SQL INJECTION
By feeding input into web forms that aren't coded to reject illegitimate characters, attackers can glean small pieces of information about a business database from the output produced by erroneous entries.
8. WHAT IS SQL INJECTION
If hackers can gain enough information about a database, it's only a matter of time until they query it directly and gain administrative access.
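Added example (not from the slides): a small Python sqlite3 demonstration of the pattern slides 7 and 8 describe. The query built by string concatenation fails with a database error as soon as the form value contains a stray quote character, and echoing that error to the browser is the "output from erroneous entries" an attacker learns from; the parameterized query treats the same value as plain data. The table name, columns, sample rows and the allow-list pattern are all constructed for this demo.

```python
import re
import sqlite3

# Constructed sample data for the demo (not from the case study).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, event TEXT, holder TEXT)")
    conn.executemany("INSERT INTO tickets (event, holder) VALUES (?, ?)",
                     [("Gala", "alice"), ("Expo", "bob")])
    return conn

def lookup_concat(conn, holder):
    """Vulnerable pattern: the form value is pasted into the SQL text.

    A single quote in the input breaks the statement. Returning the
    database's error message to the web user is the information leak
    that slides 7 and 8 describe.
    """
    sql = "SELECT event FROM tickets WHERE holder = '" + holder + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        return "DB ERROR: " + str(exc)   # never send this text to the browser

def lookup_param(conn, holder):
    """Hardened pattern: the driver binds the value, so it is only ever
    compared as data and cannot change the structure of the query."""
    rows = conn.execute("SELECT event FROM tickets WHERE holder = ?", (holder,))
    return [row[0] for row in rows]

# Defence in depth: an allow-list check that rejects characters this field
# has no legitimate use for. It complements parameterization rather than
# replacing it; note that it also rejects real names such as o'brien.
HOLDER_OK = re.compile(r"[A-Za-z0-9 ._-]{1,64}")

def is_acceptable_holder(value):
    return HOLDER_OK.fullmatch(value) is not None

if __name__ == "__main__":
    db = make_db()
    print(lookup_concat(db, "alice"))     # ['Gala']
    print(lookup_concat(db, "o'brien"))   # a database error, not a ticket list
    print(lookup_param(db, "o'brien"))    # []
```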
9. WHAT THE BUSINESS DID WRONG
The ecommerce events vendor didn't perform due diligence to ensure the licensed third party was operating a secure site.
10. WHAT IS 3RD PARTY DUE DILIGENCE?
It is each organization's responsibility to take reasonable steps to ensure contracted third parties operate securely.
This means investigating IT vendors, paper shredding companies, and outsourced web developers before signing contracts and throughout the relationship.