
Renewed Data Security Threats for the 2019 Holiday Season: How Businesses Can Prepare

November 12, 2019

Consumer data breaches are a dime a dozen these days, with massive, highly-public cyberattacks hitting our newsfeeds on a nearly weekly basis.

From social security numbers and credit card numbers to other types of sensitive data, it seems like several popular global corporations have failed to keep their customers’ sensitive personal information safe time after time.

And, unfortunately, earlier this month it was confirmed that enterprise-scale cybercriminals are successfully executing newer, sneakier, and more dangerous cyberattacks that are becoming increasingly difficult to detect.

With the holiday season right around the corner, this news isn’t great - especially since we’re all getting ready to experience another yearly upswing in retail activity. The more buyers swipe, insert, click and tap their payment cards, the more chances there are for cardholder data to be stolen.

And with increasingly difficult-to-detect cyberattack technology lurking around, forward-thinking businesses should have already started thinking about how they’ll be ensuring a secure holiday shopping experience for their customers.

The good news is that there are additional steps that businesses can take to safeguard their shoppers’ cardholder data, including new and innovative data aliasing technology that goes beyond encryption and tokenization to keep sensitive data away from company networks entirely.

But first, let’s walk through this reinvigorated cyber threat and what it means for businesses this year.

An Advanced Global Hacking Enterprise, Now Making a Resurgence

Even though there are expert cybersecurity research firms working tirelessly to pinpoint the new techniques hackers are using to steal sensitive data, things are bound to slip through the cracks.

Unfortunately, that’s just what happened.

Earlier this month, cybersecurity company FireEye dropped a bombshell: one of the most notorious and well-organized hacking groups in the world has been advancing and improving their attack techniques more than previously thought.

The worst part of this story: this is not your average hacking collective.

FIN7: Always One Step Ahead

The cybercrime organization, called FIN7, has successfully nabbed more than one billion dollars from businesses all around the globe since they opened up shop - including several high-profile brands and widely-publicized data breaches you may have already heard about.

Remember the Saks Fifth Avenue data breach? What about the Chipotle data leak disaster? From Jason’s Deli and Whole Foods to a whole host of other massive companies, FIN7 has left their fingerprints everywhere.

They’ve also gotten away with a ton of financial information, like consumer cardholder data.

FIN7 quietly steals credit card data from retail point-of-sale (POS) terminals, among other sources, and then turns around and profits by selling the stolen data to buyers on the dark web.

The criminal organization is noticeably well-organized and professional, working on an enterprise scale to craft their own hacking techniques that are uniquely difficult to detect. Not only do they have their own research and development department designing cutting-edge phishing and ransomware attack techniques, they also have members designing tailor-made social engineering to more easily manipulate their targets.

As advanced as any well-funded tech startup in Silicon Valley, FIN7 has been developing their own malware tools and attack styles with a capable and innovative testing division.

Most hackers buy generic malware found on the dark web, which means that large-scale organizations can already manage these sorts of attacks with their current antivirus software. The exclusive malware developed by FIN7, on the other hand, isn’t familiar to antivirus software - rendering that software severely insufficient.

This has enabled them to craft malware that can harvest sensitive customer data, like credit card information, while evading detection by antivirus scanners and law enforcement in general.

They’ve been able to avoid getting caught entirely - until last year, that is.

Finally, in August 2018, the US Justice Department announced that three individual members of FIN7 had been arrested and charged.

Since those arrests, the cybercriminal organization’s activities slowed down. But, because of the decentralized and borderless nature of FIN7’s operations, it was - of course - only a matter of time until they would be able to recover.

And, unfortunately, evidence of their resurgence just made headlines.

Protecting Your Cardholder Data Environment (CDE) During the Holidays

According to FireEye, a previously undiscovered malware tool, called “RDFSNIFFER,” was just found. The discovery of this advanced evasion technique has two implications: the group has clearly recovered and expanded their innovative malware arsenal, and businesses should be concerned about the impending holiday shopping season.

Not just retailers, either - hospitality groups, financial institutions and consumers themselves are at risk. With this return to malicious hacking activity, any business that uses POS terminals should stay vigilant.

FIN7’s well-resourced R&D arm means that standard tick-the-box data security policies may not be secure enough.

Even after security teams design and execute company-wide cybersecurity training on preventing phishing attacks, businesses can still find themselves doing damage control after a humiliating data breach.

So, what can businesses do to help minimize these data security risks and prevent a data security embarrassment like this?

With increasingly sophisticated phishing tactics, there only needs to be a single weak link in your organization to compromise all your data protection measures - and leave the cardholder data stored on your network vulnerable.

But what if that sensitive data in your systems didn’t exist? What if you could use and benefit from customer credit card information without ever having to store it on your network?

Fortunately, with next-generation data aliasing technology by VGS, this is actually possible.

How to Secure Your Business’ Sensitive Data

Several successful businesses have already implemented VGS solutions, empowering them to work with sensitive personal data without having to possess it themselves. It’s a data security approach that VGS calls Zero Data - and it lives up to its name.

Zero Data enables companies to collect, store and transfer information like cardholder data without having it touch their systems at all. It’s exactly like they have the original, raw data, but without any ownership.

This innovative approach severely reduces an organization’s cardholder data environment (CDE), which represents all locations where cardholder data can be found. By minimizing where critical data like this resides, hackers like FIN7 have much less of a chance to swipe it.

Not only do Zero Data solutions help prevent data breaches, they also enable businesses to fast track their compliance certificates, such as PCI DSS, GDPR or CCPA. In some cases, companies instantly “inherit” data privacy compliance certificates - greatly reducing the amount of resources that need to go toward becoming and remaining compliant.

By leveraging VGS Zero Data software products, businesses can get ahead of the complex threat landscape this holiday season and start focusing on what really counts: generating a holiday season revenue surge.


Ena Kadribasic

