eCommerce is an extremely vulnerable industry when it comes to cybersecurity. Unfortunately, the number of hacks grows every year, jeopardizing hundreds of thousands of online stores and millions of customers. The consequences of data breaches are severe: revenue and traffic losses, lawsuits, reputational damage, and more.
The next sad thing is that no eCommerce solution, cloud or self-hosted, provides 100% protection against cybercrime. You need to stay on top of security patches, updates and trends regardless of the platform you use. To prove that, we're going to look at some relatively recent cybersecurity incidents among the leading eCommerce platforms.
Salesforce
Providers of cloud solutions consider their products to be the most secure ones. However, as I said before, no system is 100% safe. Salesforce, one of the most hyped cloud solutions for eCommerce, has faced numerous data breach lawsuits. In 2020, the company faced both CCPA and GDPR lawsuits.
Salesforce/Hanna Andersson Lawsuit
The lawsuit against Hanna Andersson, a seller of children's apparel, and its supporting platform, Salesforce, was one of the first to cite the California Consumer Privacy Act. In autumn 2019, malware on Salesforce Commerce Cloud led to personal data being leaked to the darknet. The compromised data included customer names, billing and shipping addresses, payment card numbers, CVV codes, and credit card expiration dates.
The data was exposed from Sept. 16, 2019, through Nov. 11, 2019. However, the online store and Salesforce only confirmed this in December, which raised questions. Why did it take so long to discover the breach?
The lawsuit estimates that about 10,000 Californian residents were affected by this data breach. The CCPA allows for recovery of damages of up to $750 per consumer, which adds up to millions of dollars in losses for the defendants.
European Privacy Group Lawsuit
In August 2020, a European privacy group in the Netherlands announced that it was pursuing a lawsuit against Salesforce and Oracle for violation of the General Data Protection Regulation. The group estimated damages of more than $11.9 billion.
The Privacy Collective claims that Oracle and Salesforce use cookies to collect personal information from individual Dutch users and build shadow profiles without their consent. Under the GDPR, all companies must ask EU citizens for permission before using their personal information.
Both companies dispute the claims. Oracle states that it has no direct role in the real-time bidding (RTB) process, has a minimal data footprint in the EU, and has a comprehensive GDPR compliance program.
Salesforce’s Heroku Hosts Magecart Skimmers
In 2019, hackers took advantage of Heroku's freemium model, which let them use the platform as a free web host for their skimming operations after signing up for a free account. With Heroku, the skimmers served fake iframes from a malicious web application and displayed them over payment forms. The iframes were identical to the original forms and collected customers' credit card information without their knowledge and without raising red flags.
Salesforce Corrupted Client’s Data
During the Marketing Cloud release between June 4, 2018, and July 7, Salesforce introduced a code change that could have caused REST API calls to inadvertently retrieve or write data from one customer account to another. However, the company said it did not know whether any data was viewed or modified by other customers.
Shopify
Although Shopify has solid security, no system is safe from insider threats. In September 2020, two Shopify employees stole data from at least 100 merchants. After the incident, the company terminated both employees, who were members of the support team.
The two rogue employees stole:
- Names
- Postal Addresses
- Phone Numbers
- Full Payment Card Details
The fraudsters collected the data using the Shopify Orders API, which lets merchants process all orders placed by their customers. The investigation continues, and Shopify will provide more details over time.
General Cyber Threats
We should also say a few words about Magecart, the most talked-about cyberattack group, as it terrorizes all popular eCommerce solutions, including BigCommerce, Shopify, Magento | Adobe Commerce, etc. Magecart is a global consortium of several separate cybercriminal groups behind the biggest and most devastating cyberattacks of the past few years.
Pipka
Recently, cybersecurity specialists from Visa discovered a new JavaScript skimmer that infects checkout pages to steal customers' sensitive payment card information. The "Pipka" skimmer removes itself from the HTML code of compromised pages, which makes it hard for security systems to detect. This feature marks an evolution in JavaScript skimming, which is bad news for all online merchants regardless of their eCommerce platform.
Moreover, Visa specialists found that Magecart compromises ad creative script tags, leveraging digital ad networks to drive traffic to skimmers on thousands of sites. Magecart accounts for 17% of all malicious advertisements.
TokenLogin
One JS-sniffer campaign, known as TokenLogin, was detected on sites running platforms including Magento | Adobe Commerce, Shopify, and BigCommerce. The tool, which appears to have emerged in March and April of 2016, aims to evade manual security checks and to automatically reinfect a target if it is removed.
Supply Chain Attacks
Supply chain targets may include everything from chatbots to web analytics software. Hackers compromise a third-party provider, such as an advertising service, and inject skimming code into its JavaScript library, which eCommerce websites then load as usual. When a customer keys in payment data, the skimmer sends it to a remote server.
In 2018, Magecart stole the personal data of 40,000 Ticketmaster.com customers this way. The group exploited a third-party script from Inbenta, a chatbot providing support on the website. The compromised data included names, addresses, email addresses, telephone numbers, payment details, and login details.
Final Words
Hackers are constantly refining their techniques. Even the best eCommerce solutions can't give online retailers 100% protection against cyberattacks. You need to follow the latest cybersecurity trends and apply security patches promptly.
The Mobecls team also reminds all Magento 1 merchants to migrate their online stores to Magento 2, as it provides better security. Since Magento 1 reached end of life, it no longer receives security patches and is no longer PCI compliant.
The Mobecls team provides several Magento migration packs. We help both mid-sized and large stores smoothly migrate their data, design, custom functionality, extensions, SEO, etc. If you're interested in our migration scenarios, contact our experts or click the orange button.