Yew Kee Group’s Chicha San Chen’s membership database has been hacked, with cybersecurity experts saying it highlights the risk of entrusting sensitive customer data to external vendors.
Hackers obtained names, mobile numbers, email addresses, and passwords of the loyalty club members of the bubble tea chain after infilitrating an external vendor’s shared server. They later listed the stolen data for sale on a hacker’s forum. The vendor looked after Yew Kee’s customer relationship management system.
“There is an additional risk any time a company outsources and entrusts sensitive information with third-party providers,” said Patrick Tiquet, VP of Security and Compliance at Keeper Security. “When an organisation does not own and operate the infrastructure that holds these resources, it not only lacks control but also has reduced visibility in the event of a significant cyber incident.”
“This incident at Chicha Sen Chen involved unauthorised access to a vendor’s shared server, highlighting the vendor’s responsibility to secure the application and platform, ensure compliance, and maintain physical security,” said Abhishek Kumar Singh, Head of Security Engineering at Check Point Software Technologies. “We are seeing more and more such attacks due to third-party breaches.”
Singh says vendors offering hosted software services possibly should consider implementing the following security measures if they are not already in place:
- Assess and manage security risks associated with third-party vendors and service providers that access or process sensitive data on behalf of the SaaS provider.
- Strong Data Encryption in transit and rest
- Implement access controls and authentication mechanisms, such as single sign-on (SSO) and multi-factor authentication (MFA).
- Incorporate prevention-based cyber security checkpoints throughout the entire software development life cycle, ensuring endpoints, mobile devices, email systems, collaboration apps, and all access points to customer data, applications, assets, and services are secured. Implement granular network segmentation across different customer segments to enhance protection and control.
- Ensure seamless integration of all security controls to detect any gaps and respond promptly and effectively.
- Integrating automated remediation onto compliance and regulated frameworks
- Conduct regular security assessments and penetration testing.
- Maintain a robust incident response plan outlining procedures for detecting, responding to, and recovering from security incidents, and test the plan regularly through simulated exercises.
- Closely monitor updates and patches.
-
Hold quarterly cybersecurity tabletop exercises to enhance readiness.
“Firms who do embrace software security reduce their risk of breach by having the kind of robust software practices and security controls in place to prevent these kinds of breaches,” said Adam Brown, Managing Consultant at Synopsys Software Integrity Group. “However, if their suppliers do not commit to similar policies, the risk of breach remains. We must scrutinise suppliers’ security practices, since trusted partners are just that; we must know that their security practices are as good or better than our own.”
Singh says users should immediately prioritise changing their passwords for Chicha San Chen, as well as any other websites that use the same password or a version of that password.
