Chinese ecommerce giant Gearbest, which is somewhat similar to Amazon and other ecommerce marketplaces, has been breached again (the last time was December 2017).
Gearbest is headquartered in Shenzhen, and boasts of working with more than 5,000 Chinese companies such as Huawei, Lenovo, Xiaomi, DJI, and so on. More than 1.5 million records were exposed; the exposure was attributed to an unsecured database containing user names, dates of birth, account passwords, payment information, IP addresses, and national identification and passport details.
According to Tim Mackey, Technology Evangelist, Synopsys Inc:
“Today, organizations simply cannot afford to neglect the security of their applications, especially in industries like retail and banking where processing and storing payment card and financial data is standard operations. In the latest mega-breach uncovered by VPNMentor, Gearbest has demonstrated that even the most obvious cyberattack targets can fail to maintain basic security hygiene.”
Some tips offered by Tim Mackey include:
“This incident has clear lessons for anyone operating a website which collects or processes personal information:
- Follow OWASP guidelines and ensure all systems are properly secured (OWASP stands for Open Web Application Security Project, a global non-profit charity aiming to improve software security)
- Review privacy regulations not only for your jurisdiction, but also where your customers and users reside
- Do not collect or retain any information which doesn’t serve a clear purpose for your customers and users
- Ensure that any system which shouldn’t be accessible from the Internet can’t be
- Implement a security and incident response process which is responsive to issues the ethical hacking community uncovers”