Virtual thieves have struck again! As Congress and the major credit card companies race to come up with new, more secure credit card payment solutions, the world-famous jelly and jam maker, Smucker’s, has seen its own infrastructure jammed up: it shut down its online store last week to rebuild after a security breach jeopardized sensitive credit card data.
Research indicates that the company was only one of several dozen companies that were hacked in 2013, including Adobe, LexisNexis, Dun & Bradstreet, and others. The latest information about the hit is that the malware in question acts like a banking Trojan, except that rather than targeting a PC, it targets web applications. This makes it potentially even more dangerous, as it won’t be restricted to a single operating system or set of operating systems, but could hit you on any computer that accesses the Web, be it a Windows PC, a Mac, or a Google Chromebox. Even tablets and mobile devices may be vulnerable.
This particular malware, much like other Trojans, grabs data from visitor-submitted forms, such as names, addresses, phone numbers, credit card numbers, and card verification codes, as customers submit it during checkout. This hammers home the idea that security for credit card payment solutions goes two ways: if either the end user or the company is compromised, the malware can slip in. Both ends need to be secure for any sort of encryption to work. In this case, the issue was that Smucker’s and the other targeted vendors were running outdated (and thus vulnerable) versions of Adobe’s ColdFusion web application platform.
There is an important and very costly lesson to be learned here, one that matters particularly to small businesses: if a giant like Smucker’s can be hit, so can you. Never take the cheap route when it comes to security by running an outmoded, outdated, and vulnerable security package. Make sure that whatever credit card payment solutions you use are the latest version, with up-to-date security standards at both the end-user point and the processing point. This is the only way you can protect your customers’ sensitive data from the legions of hackers just waiting to suck up their personal data for unscrupulous use.