International logistics provider Toll last week confirmed that data stolen in a cyber attack earlier this month has been published on a dark web forum.
As a result, Toll is now focused on assessing and verifying the specific nature of the stolen data.
According to ITNews, the attackers stole over 200 GB of corporate data, which was released as a compressed archive along with a text file that listed the documents within and described the release as “part one”.
As initially reported, some of this data relates to commercially sensitive information about Toll's clients, employees and partners, putting businesses beyond Toll at risk of being blackmailed, scammed or otherwise impacted.
Inside Retail reached out to a number of retailers that use Toll services, but none had seen major impacts beyond a slowing of delivery times.
An accurate log of what data was stolen is still being compiled, however, and once data is released into such an environment it becomes very difficult to control and contain, with potentially personal information being shared and stored in difficult-to-reach places.
“It’s common for data stolen during cyber incidents to be sold on the dark web,” Damien Manuel, chairman of the Australian Information Security Association and director of Deakin University’s Cyber Research and Innovation Centre, told Inside Retail.
“Data in isolation may be viewed as having no to little value, however data aggregated with additional data can result in highly valuable data for hostile foreign governments and criminal syndicates.”
Such data can be used for monetary gain, or in order to gather information for more nefarious purposes.
And with the recent growth in online shopping across the retail sector and the increasing collection of customer data to fuel a more personalised retail experience, it is important to ensure that data collected from customers is only shared with trusted third parties and that any cyber attacks are disclosed swiftly.
According to Manuel, if a company hands data to a third party and that third party loses the data, under notifiable data breach (NDB) requirements the company itself could be responsible.
“Businesses need to ensure they have security aspects important to them listed in the contracts with third party suppliers and outsourcers,” Manuel said.
“[They] should also establish and test procedures of how each organization will work together to meet NDB requirements, how customers will be notified and what controls or procedures will be put in place to prevent or reduce a future occurrence.”
The most important thing, Manuel explained, is that businesses come clean with as much information as possible. By doing so, businesses don’t risk losing customer loyalty should the attack be worse than initially claimed, or should it appear that necessary steps weren’t taken to keep such an attack from happening.