Are retailers vulnerable to hacks from within?

Are retailers vulnerable to hacks from within?

Columbia Sportswear has filed suit against a former employee, alleging he hacked into the company’s e-mail system for more than two years so that he could gain access to information that would help his new employer land additional work.

Michael Leeper, according to the suit, gained access to the e-mails of senior executives and IT staff at Columbia, through a backdoor he created before leaving the company for Denali Advanced Integration. Mr. Leeper allegedly hacked into Columbia’s system nearly 700 times in total, acts that would put him and Denali in violation of the Computer Fraud and Abuse Act.

Columbia is said to have discovered a fake account while upgrading its e-mail system last summer that it alleges was set up by Mr. Leeper. At the time, Columbia alerted the FBI while also conducting an internal investigation.

Denali, which has also been named in the suit, issued a statement pledging its cooperation in the investigation and announcing that Mr. Leeper has been placed on leave from the company. “These claims astonish us, and they in no way reflect Denali or its values,” said the firm’s CEO Majdi Daher.

Corporate hacking, as a report by The Oregonian points out, has become a huge business with a cost of $445 billion to the global economy in 2016.

BrainTrust

"Hacks from within are simply another form of theft."

Lyle Bunn (Ph.D. Hon)

Strategy Architect – Digital Place-based Media


"Take advantage of this and test your systems. Get your smartest people and create some hack teams."

Tom Redd

Global Vice President, Strategic Communications, SAP Global Retail Business Unit


""

Adrian Weidmann

Managing Director, StoreStream Metrics, LLC


Discussion Questions

DISCUSSION QUESTIONS: Do you think hacking conducted by employees is more prevalent than generally assumed? Do retailers have enough safeguards in place to protect systems from internal threats? What lessons can others learn from the Columbia Sportswear case?

Poll

8 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
David Livingston
7 years ago

Sometimes it’s a matter of one-upsmanship. Mid-level employees want to prove they are as smart as top management. Believe me, top management is reading people’s emails. The mid-level people are looking for a little payback. A system I used to be on could have an email for each phone extension. One bright fellow created an email account using the emergency phone from the elevator. As long as top management relies on lower-level people for IT support, there are no safeguards. Most top executives are smart enough not to discuss sensitive information using email. Still, from the last election we learned that is not always the case. Something as minor as being able to hack into the company plane’s schedule and passenger list can tip off people to a possible acquisition.

HY Louis
Reply to  David Livingston
7 years ago

Revenge is a dish best eaten cold.

Lyle Bunn (Ph.D. Hon)
Lyle Bunn (Ph.D. Hon)
7 years ago

Hacks from within are simply another form of theft. As the enterprise develops and uses information assets as a primary activity this is perhaps the most harmful of actions, meriting safeguarding and an increase in diligence.

Anna Tolmach
7 years ago

I would argue that the biggest threats are still external. The majority of hacks look like an internal email — for example, one that asks employees to update their insurance info. The employee then clicks on the email which gives the hacker access to the entire system. It’s very hard to tell as an individual and hard to catch as a company without educating employees on what to look for. This is a big threat not just for retailers but for all companies. Internal hacks do happen but Target, Home Depot and many others prove these are the exception.

Tom Redd
Tom Redd
7 years ago

I would not doubt that hacks from inside are a common thing. Take advantage of this and test your systems. Get your smartest people and create some hack teams. One tries to hack from the outside and another tries from the inside and one tries to prevent them both from succeeding. Have prizes, provide the right gear and tools and create ways to apply more security after the end of the challenge.

gordon arnold
gordon arnold
7 years ago

The greatest threat to corporate and government IT system security is and will remain internal. It is important to understand that third party development and support individuals and companies must be considered employees since they communicate from within ownership’s infrastructure. The competition and enemies of ownership will pay for the information they need to get inside information. Disgruntled and/or greedy employees that are many times guilty of overconfidence will play to get paid.

The present day systems are built to and do an outstanding job of keeping people out. It would be far more prudent to design and build information systems like a jail for the strict purpose of keeping information in and only in the owner’s system. The use of tightly controlled terminal mode in place of the very leaky thin clients is a good place to begin exploration.

There are many limitations to communication that are exploitable within this design method and range as well. Companies and government agencies that are heavily invested in cloud computing will react stubbornly to these and other options. But they have far less than the consumer and/or citizen to lose. The first step for change is not need or knowledge– it is willingness.

Dan Frechtling
7 years ago

The largest loopholes that enable data breaches do indeed come from within. Willingly or unwillingly, employees create weaknesses. These come in two forms:

1. Subversive. As described in the Columbia example above, today’s go-getter can become tomorrow’s ruthless ex-employee furthering a career at a competitor. Unmonitored logins create unlocked doors. Even if email and account access is terminated immediately with the employee, a cunning job seeker may have snatched portable trade secrets before tendering his/her resignation.

2. Suckers. Employees have always ignored security protocols. More protocols beget more lapses that fraudsters exploit. Further, the fortress headquarters can’t be locked down as it once was. The twin movements of BYOD (bring-your-own-device) and telecommuting have made for a target-rich environment for cybercriminals with BEC (business email compromise) being a chief threat.

What’s true in espionage is unfortunately also true in apparel. Expect more tools to make their way into private sector attacks — the spoils are too large to ignore.

Ricardo Belmar
Active Member
7 years ago

I suspect hacks from the outside are more prevalent, but those from the inside have the potential to be more dangerous. So much attention and focus has been placed on external threats in recent years, I doubt retailers have established enough security to protect themselves, but then again, have enterprises in other industries done any better?