Web-based printing company Shutterfly has warned employees and former employees that their data may have been compromised. The breach was discovered on March 20 although the company is not saying how.
The company disclosed the breach in a filing with the Office of the Attorney General for California. It says that: “On March 20, 2018, we learned that a Shutterfly employee’s credentials were used without authorization to access our Workday test environment on January 11, 2018. We do not yet know if unauthorized access occurred at other times.
“This test environment is used by a limited number of employees to develop, test and preview Workday functionality before it goes live. As soon as we were made aware, our security team promptly implemented additional security measures. We do not believe that the security of the Workday service was compromised.”
What data was accessed?
The company says that the data that could have been accessed includes: “…name, social security number, date of birth, and work email; any passport number, state ID (including driver’s license), bank account and routing numbers, pay stub information, or personal email that was on file in Workday; and the names, dates of birth, and social security numbers of any beneficiaries and/or dependents that were on file in Workday.”
Despite this treasure trove of data being accessed, Shutterfly claims that it has no evidence that any confidential information was taken. If it is right, then it has been very lucky. However, the notification raises a number of questions about data practices and potential reuse of employee credentials across multiple systems.
It is not unusual for organisations to use live data in test systems. The reason it is done is to ensure that testing runs against representative real-world data. However, there are drawbacks to this. If you only test against data you already know, you do not detect system failures when people enter malformed data into fields.
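As an added illustration of that data-practice point (this is example code, not anything from the article or from Shutterfly), a small Python routine derives a test dataset from production-style HR records: sensitive values are replaced with HMAC-derived, format-preserving stand-ins so records still join up, and deliberately malformed variants are appended so the test system exercises the input handling that live data alone never triggers. The field names, sample records and masking key are all constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample "production" HR records; the field names are assumed and
# mirror the categories the breach notice lists.
PROD_RECORDS = [
    {"name": "Alice Example", "ssn": "123-45-6789", "dob": "1985-04-12",
     "work_email": "alice@example.com", "bank_account": "000123456789"},
    {"name": "Bob Sample", "ssn": "987-65-4321", "dob": "1979-11-30",
     "work_email": "bob@example.com", "bank_account": "000987654321"},
]
# Assumption: a secret held only by the masking job and distinct per environment.
MASK_KEY = b"constructed-masking-key-not-for-production"

def _digits(field, value, n, key=MASK_KEY):
    """Deterministic n-digit stand-in, so masked records still join on the same keys."""
    mac = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
    return str(int(mac, 16))[:n].rjust(n, "0")

def mask_record(rec, key=MASK_KEY):
    """Copy of rec with sensitive fields replaced by format-preserving pseudonyms."""
    ssn = _digits("ssn", rec["ssn"], 9, key)
    return {
        "name": "Employee-" + _digits("name", rec["name"], 6, key),
        "ssn": f"{ssn[:3]}-{ssn[3:5]}-{ssn[5:]}",
        "dob": rec["dob"][:4] + "-01-01",          # keep birth year, drop the day
        "work_email": f"user{_digits('email', rec['work_email'], 6, key)}@test.invalid",
        "bank_account": _digits("acct", rec["bank_account"], 12, key),
    }

def malformed_variants(rec):
    """Inputs real users produce that a live-data-only test set never contains."""
    return [
        {**rec, "ssn": "12-345-6789"},          # wrong digit grouping
        {**rec, "ssn": "123456789012"},         # too many digits
        {**rec, "dob": "1985-13-40"},           # impossible month and day
        {**rec, "work_email": "not-an-email"},  # fails address syntax
        {**rec, "bank_account": ""},            # empty required field
        {**rec, "name": "Zoë O'Brien-Smith"},   # non-ASCII and punctuation
    ]

def build_test_dataset(prod_records, key=MASK_KEY):
    masked = [mask_record(r, key) for r in prod_records]
    return masked + [v for r in masked for v in malformed_variants(r)]

def leaks_production_values(dataset, prod_records):
    """True if any original sensitive value survived into the test set."""
    fields = ("name", "ssn", "work_email", "bank_account")
    live = {r[f] for r in prod_records for f in fields}
    return any(rec[f] in live for rec in dataset for f in fields)
```

Running `leaks_production_values` over the generated set before it is loaded into the test environment is the check that matters: if it ever returns True, the masking job is wrong and the test system is about to hold live data.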
The other question here is why the employee was not using separate credentials for the test system. The majority of successful credential breaches occur because security credentials are reused. Had the company required employees to use alternative credentials for the test system, the likelihood is that this breach would not have occurred. But that raises another, unanswered question. Were the credentials used elsewhere? At the moment, Shutterfly is implying not, but until the investigation is completed, questions will remain.
What is Shutterfly doing?
Shutterfly is carrying out its own internal investigation and is working with an outside forensic firm. They will want to know much more about what was accessed and when before making another statement. At that point they can begin to advise staff on risk and what comes next.
For now, they are providing current and former employees with instructions on how to enrol with Experian’s IdentityWorks. There is a free code that will be sent to them but they MUST sign up by June 30, 2018.
What does this mean?
Another day, another breach. However, unlike most companies that seem to faff around and lose time, Shutterfly has made all the right moves. Details have been provided to the authorities, a forensic firm engaged and letters sent to those potentially affected. Some may question the delay between the breach and the discovery but the timescale here is still pretty short.
According to William Tsing, Malware Analyst, Malwarebytes: “Unauthorized use of employee credentials on a secondary network is often due to said employee reusing a work credential on a third-party site that gets breached. The other scenario is a simple phish masquerading as a corporate resource. Curbing the first behavior is almost impossible, so solutions generally include not using simple credential pairs for authentication to begin with.
“Companies with success against credential reuse tend to use a third identifier, or two-factor, or both. Success against the second scenario comes from better email blocking at the perimeter, and to a lesser extent, crafting corporate communications such that they don’t look like phishes, or including identifying flags known only to employees.
“The old answer to these threats of user education and not much else is no longer sufficient. A modern, active defense should include better systems design, as outlined in the examples above.”