Newegg Data Breach Lands Credit Card Data, Proves Surprisingly Familiar

September 24, 2018 | By: Steven Anderson

Data breaches are no longer a matter of if, but rather when, a point proved once more by a recent breach at upscale electronics retailer Newegg. This particular breach landed credit card data, a point that would be bad enough for any business to endure, but worse, the breach came from a familiar method, having only recently been used against both Ticketmaster and British Airways.

The attack in question featured an injection of malware from a group known as Magecart. The malware added malicious JavaScript to Newegg’s page, causing credit card information to be skimmed and sent to a separately registered domain known as Neweggstats.com. That’s the word from RiskIQ security researchers, who noted that the same kind of attack had hit the two firms noted previously.

Since Neweggstats.com was registered back on August 16, according to Volexity, it’s a safe bet that anyone who used a credit card with Newegg in the time between August 16 and now could be affected by the hit.
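
For site owners, the tell in this kind of attack is a checkout page referencing a host that is not on the site's own list, particularly one that borrows the brand name. The sketch below is an added example, not code from Newegg, RiskIQ or Volexity; the allow-list, the brand string and the sample markup are constructed assumptions for illustration.

```javascript
// Added example: audit a checkout page for URLs whose host is not on the
// site's allow-list, marking look-alike hosts that embed the brand name.

// Assumption: hosts the checkout page is expected to load from or post to.
const ALLOWED = ["newegg.com"];
const BRAND = "newegg";

// Constructed sample markup; not the real page and not the real skimmer.
const SAMPLE_PAGE = `
<script src="https://www.newegg.com/static/checkout.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<script>
  // constructed stand-in for an injected snippet
  var u = "https://neweggstats.com/collect";
</script>`;

// A host is allowed only if it IS an allowed domain or a true subdomain of one.
// Substring matching would wrongly accept "neweggstats.com".
function isAllowed(host) {
  return ALLOWED.some((d) => host === d || host.endsWith("." + d));
}

// Returns one finding per distinct non-allowed host referenced in the markup.
function auditPage(html) {
  const findings = [];
  const seen = new Set();
  const urlRe = /https?:\/\/[^\s"'<>)]+/gi;
  for (const m of html.matchAll(urlRe)) {
    let host;
    try {
      host = new URL(m[0]).hostname.toLowerCase();
    } catch {
      continue; // not a parseable URL, skip it
    }
    if (isAllowed(host) || seen.has(host)) continue;
    seen.add(host);
    // Brand name inside a host we do not control is the higher-priority alert.
    const kind = host.includes(BRAND) ? "lookalike" : "unlisted";
    findings.push({ host, kind });
  }
  return findings;
}

console.log(auditPage(SAMPLE_PAGE));
```
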

Naturally, it’s the response to such data breaches that really matters, and Newegg’s response so far looks about as satisfactory as can be had. It has removed the malware infection, which should open up the potential for new sales, and the company will also be contacting customers whose data may have been stolen this week. Hopefully, the “contacting customers” bit will include free data protection systems and profuse apologies.

All this does is underscore how important it is to encrypt data. Most companies rely on perimeter defense to stop hackers before they can even get in. We’ve seen how well that works so far, so why aren’t more companies encrypting data to make any stolen data mostly useless? Encryption today is up to 256-bit; a brute-force attack to break that, even assuming massive computing resources, would take longer than the average human lives. It’s not the only potential protection—tokenization is a common protective measure in mobile payments—but it’s certainly one to consider.

Regardless of which protective measure is used, in the end, protective measures must be taken if online shopping and mobile payments are to remain possible. Newegg seems to be taking the right steps to control a post-breach market, but everyone else needs to learn from this example.