Starbucks and Neiman Marcus Also Hacked During The Holidays, When Will We Take Security Seriously? - HotHardware

Over the holidays, popular retailer Target admitted that it had been breached, with data of up to 40 million customers stolen. Weeks later, that number skyrocketed to 110 million. As we can now see, while it was Target that dominated the security headlines this past month, two other incidents seemingly flew under the radar, involving Starbucks and Neiman Marcus.

Between these two incidents, I can't even decide which one is worse - both companies involved should be hugely embarrassed. On the Neiman Marcus side, its servers had been compromised as far back as last July, with the company finally noticing the issue in December. That's right - it took a full five months for the company to recognize this gaping hole. The worst of it is, credit card numbers had been taken and used; this isn't one of those stories where we're talking about what could have happened.

Because of this breach, Neiman Marcus is required to answer 10 sets of questions from Florida's Attorney General Pam Bondi, after which we should learn more about what lacking security measures allowed such a breach to take place. While credit card numbers were apparently lifted over the time the systems were compromised, the company says that birth dates and social security numbers should be safe.

It doesn't seem that Starbucks' flaw led to customer data being compromised, but the issue is no less embarrassing. In effect, due to a flaw in its iOS app, Starbucks stored customer login information in plain text. Something like this wouldn't have been too surprising to learn of more than ten years ago, but in an age where even MD5 hashing is considered not enough, it's outright ridiculous.

Here's what's appalling: Starbucks just issued the update to correct this problem - a problem that, we now learn, it had known about since last May. Seriously. Starbucks might just be a coffee shop, but if a customer had cash in their account, anyone who gained access to this plain-text password could have enjoyed a Venti triple-shot Caramel Macchiato on their dime.

As I mentioned above, both of these incidents are mind-boggling, and the fact that they were allowed to happen shows the absolute disregard both companies have for their customers' security. For it to take five months for a breach to be discovered is ridiculous, and for a company to take more than half a year to patch a known issue might be just as ridiculous.

Across Target, Neiman Marcus, and Starbucks, that's three fatal flaws discovered in just the past month. When on earth are companies going to begin taking their customers' security seriously? It's somewhat understandable if a breach occurs when good security measures are in place, but as evidenced by Neiman Marcus and Starbucks, ineptitude was the reason here, and that's inexcusable.


Security and super-encryption are the next big frontier. Start-ups and tech companies that pioneer better technologies for this arena are sure to experience explosive growth.


What happened at Target was stupidity. If they passed a PCI audit they should not in any way, shape or form have been keeping CVV codes and PIN numbers (even in an encrypted form). And to not salt hashed (encrypted) data is just as bad. Think of this: say a PIN # of 1234 encrypts to 'sedrft2h3j358954589uj489ujhu856iobr0i'; if it's salted, that would have a different value for everyone whose PIN # is 1234. Unsalted, everyone with the same PIN # would have the same value. Makes it easier to guess now, doesn't it? You only need to get one PIN to have fun.
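The salting point made in the comment above, shown as an added example that is not from the article or the commenter: two users who share PIN 1234 produce identical records under plain SHA-256, but distinct records once each record carries its own random salt and a slow derivation step. The PBKDF2 iteration count and the `salt$digest` record layout are assumptions for this demo.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumption: PBKDF2 work factor chosen for this demo


def hash_unsalted(pin: str) -> str:
    """Plain SHA-256 of the PIN: every user with the same PIN gets the same digest."""
    return hashlib.sha256(pin.encode()).hexdigest()


def hash_salted(pin: str, salt: bytes) -> str:
    """Per-record salt plus PBKDF2; equal PINs no longer produce equal records."""
    dk = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + dk.hex()  # record layout: salt$digest (assumed format)


def store_pin(pin: str) -> str:
    """Create a storable record with a fresh 16-byte random salt."""
    return hash_salted(pin, os.urandom(16))


def verify_pin(pin: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_salted(pin, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def same_pin_leaks(pin_a: str, pin_b: str, salted: bool) -> bool:
    """True if the stored records for two users reveal that their PINs match."""
    if salted:
        return store_pin(pin_a) == store_pin(pin_b)
    return hash_unsalted(pin_a) == hash_unsalted(pin_b)


if __name__ == "__main__":
    # Constructed sample: two users happen to share PIN 1234, as in the comment.
    print(same_pin_leaks("1234", "1234", salted=False))  # True: identical digests
    print(same_pin_leaks("1234", "1234", salted=True))   # False: salts differ
    record = store_pin("1234")
    print(verify_pin("1234", record), verify_pin("4321", record))  # True False
```

With only 10,000 possible four-digit PINs, a salt stops cross-record comparison but cannot make a stored PIN strong on its own, which is why the comment's first point, not retaining PINs at all, is the one that matters most.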
