The growing threat of collateral hacking

Collateral hacking threatens normally low-risk businesses

A small, family-owned hardware store sits on the main street of a quiet town in rural Michigan. During its peak season, the company serves about 40 customers a day for an average sale of US$9; roughly half of them pay by credit card. All of the company's credit card transactions feed digitally through a bank in Detroit.

From a hacking perspective, this store doesn't even warrant a blip on a digital thug's radar. So imagine the surprise when customers of mom-and-pop stores across the country got a letter last year telling them their credit card information had been exposed in a bank compromise. In other words, these stores were collaterally hacked.

Collateral hacking occurs when an entity trusted with critical data is compromised. It's becoming a huge threat as low-risk businesses pool their data and create an aggregation point that's an attractive target for attackers. Beyond targeted hacks, simply having your data duplicated by an external entity is disturbing. Consider the number of recent incidents in which data was exposed accidentally by people who weren't even trying to steal it (think of the bank backup tapes and the U.S. Department of Veterans Affairs' hardware theft).

An unexpected degree of risk is taken on whenever data goes external. This includes data going to a software-as-a-service provider (for example, Salesforce.com or ADP), an error log containing customer data going to a software vendor or systems integrator, or credit card data for a transaction being pushed through a bank.

Aggregation can do weird things to risk economics. Take crash dumps or logs. Unless there's a big incentive to hack into your company specifically, the chance of someone plowing through your application crash dumps or error logs is pretty small. But imagine targeting a systems integrator that holds tens of thousands of these logs. It's likely to be a fairly simple data mining exercise to scan through those files quickly and use automation to pick out credit card numbers.
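To make that "fairly simple data mining exercise" concrete, here is an added example (not from the column or its author) of the automation the paragraph describes: a scanner that pulls candidate card numbers out of log lines and keeps only the ones that pass the Luhn check, so order IDs and timestamps drop out. The log lines are constructed for the example and use the public test card numbers; the masking keeps the first six and last four digits, the usual truncation rule for stored card numbers. The same script, run over your own error logs and crash dumps before they go to a vendor or integrator, is the cheapest check against shipping card data outside.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; every real card number passes it, most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid card numbers in a string, separators stripped."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits so the finding can be reported safely."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_log(lines: list[str]) -> list[tuple[int, str]]:
    """(line number, masked PAN) for every card number found in the log."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for pan in find_pans(line):
            findings.append((lineno, mask_pan(pan)))
    return findings


# Constructed sample log (hypothetical gateway errors); 4111... and 5500... are
# the well-known public test numbers, 1234567890123456 is a look-alike order ID.
LOG_SAMPLE = [
    "2023-04-02 10:15:31 INFO checkout ok order=1234567890123456 amount=9.00",
    "2023-04-02 10:15:32 ERROR gateway timeout card=4111111111111111 exp=12/27",
    "2023-04-02 10:15:33 DEBUG retry payload={'pan': '5500 0000 0000 0004'}",
    "2023-04-02 10:15:34 INFO heartbeat",
]

if __name__ == "__main__":
    for lineno, masked in scan_log(LOG_SAMPLE):
        print(f"line {lineno}: {masked}")
    # line 2: 411111******1111
    # line 3: 550000******0004
```

Note what the Luhn filter buys: the 16-digit order ID on the first line looks exactly like a card number to a regex, but fails the checksum and is dropped, which is why an attacker sifting tens of thousands of logs gets a clean list rather than noise. The same property makes this a low-false-positive pre-flight check on anything you are about to hand to a third party.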

The key to curbing collateral hacking is to find out where your company's data is flowing. Think about partners, service providers, software vendors, anything outsourced -- for example, payroll or credit card processing. Then ask, "What do I know about how data is treated when it gets there?" Given enough important data in one place, your data could make one of your partners a more attractive target than the Pentagon.

Next, you need to assess how that data is handled. It's becoming increasingly acceptable to augment service-level agreements to include requirements for external security audits and staff training around security.

In an ironic twist, it tends to be the most critical data in small and midsize companies, such as credit card transactions, payroll information and customer contacts, that gets sent to service providers. With the risk of collateral hacking looming, companies need to look with a paranoid eye at service providers that process this critical data.

Choose wisely; miffed customers tend to blame the guy at the store counter, not the back-end organization that ultimately lost a massive amount of data.

Thompson is a well-known book author on computer security. He can be reached at hugh@hughthompson.com.

Herbert H. Thompson

Network World