The growing threat of collateral hacking

Collateral hacking threatens normally low-risk businesses

A small, family-owned hardware store sits on the main street of a quiet town in rural Michigan. During its peak season, the company serves about 40 customers a day for an average sale of US$9; roughly half of them pay by credit card. All of the company's credit card transactions feed digitally through a bank in Detroit.

From a hacking perspective, this store doesn't even warrant a blip on a digital thug's radar. So imagine the surprise when customers of mom-and-pop stores across the country got a letter last year telling them their credit card information had been exposed in a bank compromise. In other words, these stores were collaterally hacked.

Collateral hacking occurs when an entity trusted with critical data is compromised. It's becoming a huge threat as low-risk businesses pool their data and create an aggregation point that's an attractive target for attackers. Beyond targeted hacks, the consequence of having data duplicated by an external entity is disturbing. Consider the number of recent incidents involving data being accidentally exposed by people not necessarily trying to steal it (think lost bank backup tapes and the U.S. Department of Veterans Affairs' hardware theft).

An unexpected degree of risk is taken when data goes external. This includes data going to a software-as-a-service provider (for example, or ADP), an error log with customer data going to a software vendor or systems integrator, or credit card data for a transaction that gets pushed through a bank.

Aggregation can do weird things to risk economics. Take crash dumps or logs. Unless there's a big incentive to hack into your company specifically, the chance of someone plowing through your application crash dumps or error logs is pretty small. But imagine targeting a systems integrator that holds tens of thousands of these logs from many customers. Scanning them becomes a fairly simple data mining exercise: a script can sweep through the files quickly and flag anything that looks like a credit card number, with no human ever reading the logs.
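The automated sweep described above is easy to write, and the same scan is worth running against your own crash dumps and error logs before they ever leave the building. The block below is an added example, not code from the article or its author: the log lines are constructed sample data (the two card-like values are the well-known 4111 1111 1111 1111 and 5500 0000 0000 0004 test numbers), and the regex plus Luhn check are this example's own approach to separating real card numbers from order IDs and other long digit strings.

```python
import re
from typing import List, NamedTuple

# Constructed sample of the kind of error log a vendor or integrator might
# receive from a customer's point-of-sale system. Not real data.
SAMPLE_LOG = """\
2006-05-01 10:12:03 INFO  POS checkout ok order=10234 amount=9.00
2006-05-01 10:12:04 ERROR gateway timeout; request body: card=4111111111111111 exp=0709
2006-05-01 10:13:55 DEBUG retry payload {"pan":"5500 0000 0000 0004","cvv":"***"}
2006-05-01 10:14:01 INFO  order id 1234567890123456 shipped
2006-05-01 10:15:20 WARN  ref 555-0100-1234-5678 unreachable
"""


class Finding(NamedTuple):
    line_no: int   # 1-based line in the scanned text
    masked: str    # every digit but the last four replaced with '*'
    length: int    # number of digits in the candidate


# A candidate is 13 to 19 digits, each optionally followed by one space or
# dash, and not glued to further digits on either side. This deliberately
# over-matches; the Luhn check below does the filtering.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the report itself is not a leak."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> List[Finding]:
    """Return the Luhn-valid card-like numbers found in text, masked."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append(Finding(line_no, mask(digits), len(digits)))
    return findings


def scan_file(path: str) -> List[Finding]:
    """Scan a log or crash-dump file on disk (hypothetical usage helper)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.masked} ({f.length} digits)")
```

On the sample, only lines 2 and 3 are reported: the 16-digit order ID on line 4 and the dashed reference on line 5 match the regex but fail the Luhn check. The check is a filter, not proof; roughly one random digit string in ten passes it, so a hit still needs a human look, but it cuts the noise enough that sweeping tens of thousands of files is practical, which is exactly why an aggregator's log archive is worth an attacker's time.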

The key to curbing collateral hacking is to find out where your company's data is flowing. Think about partners, service providers, software vendors, anything outsourced -- for example, payroll or credit card processing. Then ask, "What do I know about how data is treated when it gets there?" Given enough important data in one place, your data could make one of your partners a more attractive target than the Pentagon.

Next, you need to assess how that data is handled. It's becoming increasingly acceptable to augment service-level agreements to include requirements for external security audits and staff training around security.

In an ironic twist, it tends to be the most critical data in small and midsize companies, such as credit card transactions, payroll information and customer contacts, that gets sent to service providers. With the risk of collateral hacking looming, companies need to look with a paranoid eye at service providers that process this critical data.

Choose wisely: miffed customers tend to blame the guy at the store counter, not the back-end organization that ultimately lost a massive amount of data.

Thompson is a well-known book author on computer security. He can be reached at

Herbert H. Thompson

Network World