Asda, the second largest supermarket in the UK by market share, reportedly failed to patch a vulnerability in its online grocery store that exposed customers’ personal information and payment details for nearly two years.
In March 2014, a researcher contacted Asda “to report several security vulnerabilities” that he’d discovered in its website, but nothing was done to fix them for 677 days. It was only after the researcher blogged about it that anything was done.
Asda fixed the vulnerability shortly after the blog was published last Monday. Asda made a statement to th BBC: “Asda and Walmart take the security of our websites very seriously. We are aware of the issue and have implemented changes to improve the security on our website.”
The security flaws apparently meant that if you as a customer were signed in and browsing the site. and then searched for a voucher or discount code and the website you looked at contained malicious software, you could potentially lose your credit card details.”
Although it has not been disclosed if credit card details were compromised it is estimated that over 19 million transactions were potentially at risk in that period !
The research was conducted by security analyst Paul Moore.
Known vulnerabilities is one of the easiest methods by which cyber criminals can hack websites. Proper patch management will have potentially fixed these vulnerabilities. Up-to-date software is essential for information security in all organisations. Without updates and patching of old / unsupported or vulnerable software, your website and for that matter any system runs a significantly risk of compromise.
Implementation of an Information Security Management System (ISMS) in compliance with ISO27001 will provide the framework to support patch management to mitigate these risks.
Call ESID Consulting for help on Tel 0844 358 2362 or email firstname.lastname@example.org