Third-Party Vendor Exposes Data of 1.3 Million Wal-Mart Shoppers

March 30, 2018

It really wasn’t Wal-Mart that exposed the personal data of 1.3 million shoppers. But if you read the headlines and listen to the stories, you may think so. In fact, a third-party vendor was to blame for this one. A security firm, Kromtech, discovered the breach. While Wal-Mart customers are indeed involved, it was a misconfigured Amazon cloud server belonging to a company called MBM Company Inc. that left the information publicly accessible to anyone who wanted to use it, even without permission.

MBM Company, as it turns out, also runs a company that works with Wal-Mart and its jewelry-buying customers. The data that was inadvertently exposed from January 13, 2018 until just recently included names, addresses, phone numbers, email addresses, and unsecured passwords for the victims’ shopping accounts. The data went as far back as the year 2000.

When working with third parties, you really lose some control of customer data. There is, and should be, an expectation that they will secure the data you are entrusting them with. However, as has been proven time and again, this isn’t always the case. See the recent Facebook incident, for example. If you hand over data to a third party, make sure you know what they are doing with it. If you expect them to keep it secure, make sure they are signing off that they will indeed do that. Read the contractual fine print, find out their security plans, and hold them accountable when something happens to your customers’ or employees’ information. It’s as much your responsibility to find out this information as it is theirs to secure the data.

Anyone with a Wal-Mart online shopping account should change their password now. Make sure to include upper- and lowercase letters, special characters, and numbers. It should be completely unique to that one site and not be easy to guess.

In addition, make sure to monitor your payment card charges for at least the next 12 months, until the card expires, or until a new one is issued. Report any potentially fraudulent charges right away.

If you have the option to set up multi-factor authentication (MFA) or two-factor authentication (2FA), do it on any account for which it’s available. This means that in order to get access to your account, you’ll not only need your login and password, but also some other method of authentication. This could be a random code that is sent via text or phone call, or a randomly generated number from a key fob you may have received in the mail.

The jewelry company was called Limogés Jewelry. It not only partners with Wal-Mart, but also with many other stores including Amazon, Sears, Kmart, Target, and Overstock. If you use the same password with any of these merchants, or any other online account for that matter, you’ll need to change that one too.

Stickley on Security