Garmin SA hacked, exposing users’ credit card details

GPS and fitness accessory maker Garmin SA has been hacked, leaving customers’ credit card information at the mercy of cyber criminals.

In a letter to its customers yesterday, Garmin SA MD Jennifer van Niekerk said: “We recently discovered theft of customer data from orders placed through shop.garmin.co.za (operated by Garmin South Africa) that compromised your personal data related to an order that you placed through our Web site.”

The site was still inaccessible at the time of publishing, returning the message: “The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.”

According to Garmin, the compromised data was limited to Garmin’s South Africa site, and contained payment information, “including the number, expiration date and CCV code for your payment card along with your first and last name, physical address, phone number and e-mail address.

“We recommend that you review and monitor your payment card records to make sure there were no unauthorised purchases. If you suspect any fraud, please contact your bank or payment card provider for further direction.

“As a valued customer, we apologise for this incident and assure you that Garmin takes our obligation to safeguard personal data very seriously.”

However, Garmin did not disclose further details of the hack.

Misconfigured Web application

Jon Tullett, senior research manager for cloud and IT services at IDC, comments that one of the most common causes of a breach like this is a misconfigured Web application, such as a database or backup data.

“Locking that down, encrypting the data and, of course, not storing data where you shouldn’t in the first place is a fundamental step in preventing a breach – there is no reason for a merchant to store all that credit card data.”

He notes Garmin and its customers both need to take positive action. “Garmin needs to ensure all customers are directly notified that data has leaked, with guidance for the next steps. And those customers need to ensure they are keeping a close watch on their bank accounts for any sign of unexpected activity, and to be alert for phishing attacks using their personal data to impersonate an agency such as their bank, Garmin, a government department or the like.

“These sorts of leaks are so common, it makes a mockery of ‘we take data privacy seriously’ disclaimers. Getting POPIA [Protection of Personal Information Act] into full effect at this late stage is unlikely to make much difference. Unfortunately, a deeper rethink of personal credentials is needed to render stolen information valueless to hackers.”

For Troy Hunt, an Australia-based cyber security researcher, data breaches such as this are very often caused by either flaws in the design of the software or poor security practices, such as a database being publicly accessible without a password or an administrator reusing weak passwords.

“In Garmin’s case, it looks like there may have been malicious software running on their Web site which managed to obtain credit card details as they were entered by customers,” Hunt says.

“Typically, after a data breach people would change their password on the affected site and anywhere else it had been reused.

“However, Garmin hasn’t said passwords were impacted in this incident, so it looks like the extent of the damage is credit cards and other personal information. Inevitably, this will mean replacing impacted cards and, for individual customers, possibly considering identity protection services.”

Magecart attacks

Deepak Patel, a security evangelist for PerimeterX, is of the view that this latest episode is an indicator that Magecart attacks are far from over.

Magecart is a form of data skimming that targets the client-side browser, the front door for consumer interactions. “Skimming” is a method used by attackers to capture sensitive information from online payment forms, such as e-mail addresses, passwords and credit card numbers. In a Magecart attack specifically, hackers implant malicious code into Web sites in order to steal credit card information as people enter their details on the checkout page.

“The modern Web application stack relies on third-party scripts obtained from a variety of providers, not all of whom have strong security practices,” says Patel. “Web site owners lack visibility into the third-party scripts running on the users’ browsers within the context of their site. Many Web site owners are also unaware of all the first-party scripts running on their site.”

In this particular case, he notes, it is quite possible Magecart attackers leveraged Magento to skim credit card information from Garmin’s South Africa site.

Patel notes this attack also highlights the steps Magecart attackers take to avoid detection. “We have seen instances in the past where skimmers targeted specific geographies outside of the main site’s headquarters to remain undetected.

“This lack of visibility impacts both Web site owners and users. It’s impossible for Web site users to discern if a Web site is compromised by a Magecart attack. Users see the secure padlock next to the URL on their browser address bar and feel comfortable about using the site.

“In addition to staying up to date with the latest versions of critical platform components, Web site owners need to take another step: get visibility and control of all the scripts running on their Web site, whether first- or third-party or another part of the supply chain.”
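The “visibility and control of all the scripts” Patel calls for can be made concrete with a small script inventory. The following is an added example, not code from the article or from Garmin, PerimeterX or Magento: it parses the `<script>` tags out of a checkout page’s HTML, flags scripts loaded from hosts outside an owner-maintained allowlist, scripts without a Subresource Integrity attribute, and inline scripts that a strict Content Security Policy would need to hash or nonce, and it builds a matching `script-src` policy. The hostnames, the allowlist and the sample page are constructed for the demo, and the `integrity` value is a placeholder rather than a real hash.

```javascript
// Added example: inventory the scripts on a checkout page so the site owner
// can see exactly what runs in customers' browsers. Not code from the article.

// Assumed allowlist of hosts the site owner has vetted (constructed values).
const ALLOWED_HOSTS = new Set(['shop.example.test', 'cdn.example.test']);
const SITE_ORIGIN = 'https://shop.example.test/'; // used to resolve relative src values

// Constructed sample checkout page: one vetted script with SRI, one vetted
// script without SRI, one unvetted third-party script, one inline script.
const SAMPLE_HTML = `
<html><head>
<script src="https://cdn.example.test/checkout.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="/static/analytics.js"></script>
<script src="https://static.third-party.test/widget.js"></script>
<script>window.cfg = { currency: "ZAR" };</script>
</head><body></body></html>`;

// Extract every <script> tag: its src (null for inline), whether it carries an
// integrity attribute, and the length of any inline body.
function parseScripts(html) {
  const tags = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = m[1];
    const srcMatch = attrs.match(/\bsrc\s*=\s*["']([^"']+)["']/i);
    tags.push({
      src: srcMatch ? srcMatch[1] : null,
      integrity: /\bintegrity\s*=/i.test(attrs),
      inlineLength: m[2].trim().length,
    });
  }
  return tags;
}

// Audit each script and return the findings a site owner should review.
function auditScripts(html, allowedHosts = ALLOWED_HOSTS) {
  return parseScripts(html).map((t) => {
    const findings = [];
    if (t.src === null) {
      // Inline code cannot carry SRI; a strict CSP needs a hash or nonce for it.
      findings.push('inline-script');
      return { src: null, findings };
    }
    let host = null;
    try {
      host = new URL(t.src, SITE_ORIGIN).hostname; // resolves relative paths
    } catch (e) {
      host = null;
    }
    if (host === null) findings.push('unparseable-src');
    else if (!allowedHosts.has(host)) findings.push('host-not-allowlisted');
    if (!t.integrity) findings.push('no-sri');
    return { src: t.src, findings };
  });
}

// Build the script-src directive that enforces the same allowlist in the
// browser, so an injected script from an unlisted host is refused outright.
function buildCsp(allowedHosts = ALLOWED_HOSTS) {
  const hosts = [...allowedHosts].map((h) => `https://${h}`).join(' ');
  return `script-src 'self' ${hosts}; object-src 'none'; base-uri 'self';`;
}

// Stand-alone run: print the inventory and the suggested policy.
console.log(auditScripts(SAMPLE_HTML));
console.log(buildCsp());
```

Run against a real page, the report is the starting point for the owner’s inventory: every `host-not-allowlisted` entry is a script that needs a decision, every `no-sri` entry is a vetted script that could still change under the owner’s feet, and the generated policy only helps once the allowlist it encodes is actually complete.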