Walmart Security Breaches: A Comedy of Incompetence

On August 7, 2018, I received an email from Walmart.com confirming an order for an iPhone...that I never ordered. As something "bad" was clearly happening, I quickly logged in to Walmart.com to confirm the order was cancelled, removed a valid credit card from the account and changed the account password. Interestingly enough, the person who ordered the iPhone had added a credit card (I'll assume it was stolen) to the account and ordered a $2.32 iPhone case before trying to order something more expensive on my card attached to the account.

After a quick Google search I discovered SEVERAL Walmart breaches, including one (https://www.komando.com/happening-now/446247/breach-walmart-exposed-personal-data-of-1-3-million-u-s-shoppers) that was discovered in March 2018 and involved a jewelry partner to which Walmart provided data. The data Walmart provided to this partner included account information consisting of names, addresses, ZIP codes, phone numbers, email addresses, IP addresses and plain-text passwords. PLAIN TEXT PASSWORDS!!! Who does that!!? Also, what eCommerce platform exists that has even cursory security oversight and review by anyone competent in security, yet actually stores passwords in plain text AND allows those passwords to be retrieved via a SQL query? That is not even borderline incompetent, it is raging "Equifax-level" incompetent.

So, I go to the Walmart.com website to find out how to contact security about this incident. With breaches in three of the last three years (yes, Walmart is batting 1.000 in a league you try your damnedest never to be in at all), there is no option to say "Urgent help needed! I have fraudulent charges on my compromised account".

You can choose a topic ("Shopping Walmart.com", "Orders, Shipping, & Tracking", "Returns & Exchanges" and "About The New Website") but none of these have subtopics even remotely related to getting help with account fraud. OK... So I Googled "walmart fraud line" and saw the potentially helpful "Walmart.com Help: Unrecognized Charges or Orders". I clicked through to that page. No direct help, but the page does say "If you think your Walmart.com account has been compromised, immediately contact Customer Service." and intends to link back to the help page I was on before (which actually did not have any clear way to report fraudulent activity).

Well, Walmart.com INTENDED to link to the root Help page (https://help.walmart.com/app/ask). The link was actually hard-coded to their development environment, https://walmartinc--dev.custhelp.com/app/ask.

The agent, who I will say was very professional, was the ONLY saving grace in this entire "cluster something" - except Walmart didn't give her the tools or empowerment to handle a call like this the right way. At first she said that she had no information that my information was involved in any Walmart breaches - which is what her system told her. Well, someone was able to log in to my account and order stuff, so I pressed her on the issue because the evidence seemed to contradict that factoid. It seems the system was still churning away, and my account was indeed part of the breach, as we soon found out.

Well, the reply was as close to lying as you can come without actually giving false information. That being said, it's the beginning of August 2018; this breach was discovered in March 2018... that is, if my data wasn't actually part of one of the breaches in 2016 or 2017. I know I was never informed of this breach. I asked why I was not notified. I was told that my bank was notified and that is likely why the order for the iPhone was declined. LIKELY.

I'm pretty sure that Walmart had a regulatory duty to inform ME directly, but let's put a pin in THAT for a moment; the breach was in March 2018 and Walmart knew every account involved, and yet my account WAS NOT LOCKED AND DEACTIVATED FIVE MONTHS LATER. The plain-text passwords for the accounts were disclosed and available online, yet the compromised accounts were not immediately set to force a password change, and the credit card information stored in the compromised accounts was not immediately deleted to prevent fraudulent orders?

So, I learned the following in my call with Walmart:

Walmart's website: doesn't allow me to quickly and efficiently get help with account fraud.

Walmart's call center: doesn't give its CSRs the ability and training to comprehensively deal with account fraud.

Walmart's Secure SDLC and architecture maturity: in 2018, their Identity and Access Management system stored plain-text passwords and gave people the ability to write SQL statements that returned account details and plain-text passwords. That alone is shockingly and unforgivably incompetent.

Walmart's incident response for breaches: Walmart knew my account was compromised but

  • Didn't contact me directly (I'm pretty sure they are legally required to do so and I'm looking into that)
  • Didn't lock accounts they knew were compromised, as long as 5 months later
  • Didn't invalidate the passwords on accounts they knew had been sent out in plain text and were available for MONTHS to the entire internet
  • Didn't remove credit cards from accounts they knew were compromised, which allowed fraudulent orders to be placed on accounts they knew were compromised
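As an added example (not from the post, and not Walmart's code), the containment steps the list above says were missing, applied to a constructed account store: force a password change, drop the old credential, revoke sessions, remove stored cards and record a direct notification. It also stores passwords as salted PBKDF2 hashes rather than plain text; the account data, breach list and work factor are all assumptions.

```python
"""Constructed example: remediating accounts that appear on a breach list."""
import hashlib
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is generated when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return secrets.compare_digest(candidate, digest)  # constant-time comparison


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    sessions: Set[str] = field(default_factory=set)
    cards: List[str] = field(default_factory=list)
    must_reset: bool = False
    notified: bool = False

    def login(self, password: str) -> bool:
        # A forced reset blocks login even when the (leaked) password is still correct.
        return not self.must_reset and verify_password(password, self.salt, self.pw_hash)


def remediate(accounts: Dict[str, Account], breached: Set[str]) -> List[str]:
    """Contain every account on the breach list; return the emails that were touched."""
    touched = []
    for email in breached:
        acct = accounts.get(email)
        if acct is None:
            continue                  # unknown identifier on the list: nothing to contain
        acct.must_reset = True        # leaked credential can no longer be used to log in
        acct.pw_hash = b""            # old hash is discarded, not merely flagged
        acct.sessions.clear()         # anyone already logged in is kicked out
        acct.cards.clear()            # stored cards cannot fund fraudulent orders
        acct.notified = True          # direct notice to the account holder, not just the bank
        touched.append(email)
    return sorted(touched)
```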

I remember an article in Forbes just before the 2018 breach started, where Walmart wants to take on Amazon head-to-head:

https://www.forbes.com/sites/neilhowe/2017/12/20/amazon-and-walmart-battle-for-retails-future/#681480085137

With this approach to security, Amazon has nothing to worry about.

You can't make this stuff up.

Brian Baillie

Indirect Tax Senior Manager (Compliance, Audit, Research, Sales Tax Engine)

6 years

Mike, thanks for sharing your story. Sorry to hear about this happening to you, but pointing this out is needed, as we must all remain vigilant online. Hopefully Walmart will have a better response in short order.
