In a recent incident, Checkout.com, a payment processing service, disclosed a data breach attributed to the hacking group known as ShinyHunters, which gained access to a legacy third-party cloud file storage system that had never been properly decommissioned. According to Mariano Albera, Chief Technology Officer of Checkout.com, the breach affected fewer than 25% of the company's current merchant base. The live payment platform and payment card data were not touched: the compromised system had been inactive since 2020 and primarily held internal operational documents and merchant onboarding materials.
After exfiltrating the data, the attackers issued a ransom demand and threatened to publish the stolen information if they were not paid. Checkout.com chose transparency, publicly acknowledging the breach and, unusually, apologising without qualification. Their statement, "This was our mistake, and we take full responsibility. We are sorry," stands in stark contrast to the guarded, evasive language typically used in such communications. Accountability of this kind builds trust and is a refreshing departure from the defensive statements companies usually issue.
Checkout.com also went beyond the conventional corporate response by refusing to negotiate with the criminals. Instead of paying, the company announced that it would donate the equivalent of the ransom amount to Carnegie Mellon University and the University of Oxford Security Center to fund research against cybercrime. This stance signals a proactive approach both to the company's own security and to the broader effort against cybercrime.
While Checkout.com's handling of the incident has drawn praise, good communication does not undo the breach itself. The compromise stemmed from a legacy system that had evidently been forgotten, which underscores the risk inherent in outdated technology: systems that are no longer in active use tend to fall out of patching, logging and access review, yet they keep their data and their credentials. A system that nobody owns is precisely the one an attacker can use for months without anyone noticing.
Companies can prevent such incidents by finding these weaknesses before an attacker does. Security teams should run pre-mortem exercises that assume a breach has already happened and work backwards: enumerate forgotten and unowned systems, determine which legacy platforms still have valid credentials or API keys, and establish what data resides in systems that sit outside active security monitoring. Each system found this way should be either brought under monitoring and access review or fully decommissioned, with its data deleted and its credentials revoked. A vigilant, proactive stance toward data security mitigates the risk and spares an organization from having to issue an apology after a breach.
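One way to run the inventory check described above, as an added example that is not code from Checkout.com or from the original article: a Python script that joins a constructed asset list against a constructed credential list and the set of systems whose logs actually reach a SIEM, then flags any system that is decommissioned or long idle yet still has a non-expired credential, any credential for a system missing from the inventory, and any system that holds data but is not monitored. All system names, principals, dates and data classes are invented for the example.

```python
"""Pre-mortem inventory check for forgotten systems (added example, constructed data)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class System:
    name: str
    status: str                 # "active" or "decommissioned"
    last_used: date             # last observed login, upload or job run
    data_classes: Set[str] = field(default_factory=set)  # what the system holds


@dataclass
class Credential:
    system: str                 # system the credential grants access to
    principal: str              # user or service account
    expires: Optional[date]     # None means the credential never expires


# Constructed sample inventory; names, dates and data classes are invented.
TODAY = date(2025, 11, 12)
SYSTEMS = [
    System("payments-prod", "active", date(2025, 11, 12), {"card-data"}),
    # Never formally decommissioned, so it still looks "active" in the CMDB.
    System("legacy-file-store", "active", date(2020, 6, 30),
           {"merchant-onboarding", "internal-docs"}),
    System("old-wiki", "decommissioned", date(2021, 1, 15), {"internal-docs"}),
]
CREDENTIALS = [
    Credential("payments-prod", "svc-payments", date(2026, 1, 1)),
    Credential("legacy-file-store", "svc-uploader", None),   # never expires
    Credential("old-wiki", "admin", date(2021, 3, 1)),        # already expired
    Credential("vendor-sftp", "svc-export", None),            # system not in inventory
]
# Systems whose logs actually reach the SIEM (constructed).
MONITORED = {"payments-prod"}


def is_stale(system: System, today: date, max_idle: timedelta) -> bool:
    """A system is stale if it is decommissioned or idle for longer than max_idle."""
    return system.status == "decommissioned" or (today - system.last_used) > max_idle


def audit(systems: List[System], credentials: List[Credential],
          monitored: Set[str], today: date,
          max_idle: timedelta = timedelta(days=365)) -> Dict[str, List[str]]:
    """Return {system name: [issue codes]} for everything the pre-mortem should surface."""
    by_name = {s.name: s for s in systems}
    findings: Dict[str, List[str]] = {}

    def flag(name: str, issue: str) -> None:
        findings.setdefault(name, []).append(issue)

    # 1. Which platforms still have valid credentials?
    for cred in credentials:
        system = by_name.get(cred.system)
        if system is None:
            flag(cred.system, "orphan-credential")      # access to something nobody tracks
            continue
        still_valid = cred.expires is None or cred.expires >= today
        if still_valid and is_stale(system, today, max_idle):
            flag(system.name, "live-credential-on-stale-system")

    # 2. Which systems hold data but sit outside active monitoring?
    for system in systems:
        if system.data_classes and system.name not in monitored:
            flag(system.name, "unmonitored-data")

    return findings


if __name__ == "__main__":
    for name, issues in audit(SYSTEMS, CREDENTIALS, MONITORED, TODAY).items():
        print(f"{name}: {', '.join(issues)}")
```

On the constructed data the script flags the legacy file store twice (a never-expiring service credential on a system idle since 2020, and sensitive data with no log coverage), the decommissioned wiki once for unmonitored data, and an orphaned credential for a system that is not in the inventory at all. In a real environment the three inputs would come from the CMDB, the identity provider or secrets manager, and the SIEM's list of log sources; the reconciliation logic stays the same.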
This incident underlines the importance of building proactive cybersecurity measures into an organization's operational framework. The MITRE ATT&CK framework can help structure that work: mapping the tactics an intruder would need against a forgotten system, from initial access through persistence and privilege escalation to exfiltration, shows which detections and controls are missing for that system. By assessing these tactics and closing the gaps before they are exploited, organizations can fortify their defenses against future breaches.