
55 million yen stolen from 7-Eleven customers

Robert Buschmann, Certified Data Protection Officer and Auditor, Enobyte GmbH

How GDPR could have prevented harm

Mon 29.07.2019, 15:45

On 1 July 2019 the convenience store chain 7-Eleven launched a new service called 7pay in Japan for users of its 7-Eleven App (セブン-イレブンアプリ), allowing them to pay with their phone by charging their account or by using the credit and debit card details linked to it. Registration for the service was halted after just three days, because attackers had exploited a very weak password reset function to take over other users' accounts and pay with them. In this article we cover what happened, the repercussions, and how some GDPR concepts can help your company avoid a data breach of this kind.

What happened

Shortly after launch, customers started making various complaints, including being logged out of their account and/or finding fraudulent charges on their credit and debit cards. A first quick investigation by reporters and Twitter users found a glaring hole in the "password reset" function of the service. A standard password reset procedure asks the user for their email address and sometimes some additional information for verification; a reset link is then sent to the registered email address, and the user sets a new password from there. With 7pay, the additional information was the birthday and telephone number. However, the form also contained another field, "delivery email address". Attackers could enter any address they controlled into this field and receive the password reset link there, which removed the only check that actually proves ownership of the account: access to the registered mailbox. Using the information they already had, they could then log into the victim's account and place fraudulent orders or charge the linked credit and debit card. Email addresses and phone numbers are easy to obtain thanks to thousands of earlier data breaches, or even a simple phishing mail, and the birthday field was pre-filled with a default value of 1 January 2019. An attacker therefore had a good chance of guessing the birthday, because many people never change a default, especially in a case such as this, where a birthday seems superfluous to the working of the app.
 
It is unclear whether this lacklustre reset function was the sole root cause; however, within just two days about 900 people had reported losses totalling 55 million yen (about 450,000 €).

Repercussions

It is possible that 7-Eleven cut some corners during development to save costs. What is clear is that insufficient resources were spent on testing and impact assessments by the company before releasing 7pay, resulting in the following damages: 

  • Public anger across news and social media. A journalist from Yahoo Japan stated bluntly: "We cannot recommend using the 7-Eleven App until a full audit has been completed".
  • Loss of trust across the 7-Eleven mobile services, angering other departments of the company.
  • Loss of trust in mobile payment in general, angering other companies in the field.
  • The 55 million yen (about 450,000 €) stolen from customers, which 7-Eleven has promised to compensate.
  • The company has also announced an urgent review and audit of the entire service, significantly adding to the cost of damage control.
  • Distress for customers whose private information, including name, birthday, transactions and possibly even credit and debit card numbers, was exposed to anyone who exploited the security loophole.

 
The launch of this service went so terribly wrong that it is uncertain if it will be reinstated in the near future. 

How GDPR concepts could have helped

To ensure the security of personal data, including protection against unauthorised access, the GDPR introduces three concepts that companies can use. Although this particular incident was outside GDPR jurisdiction, a damaging data breach like the one faced by 7-Eleven could have been avoided with the following: (1) "data protection by design", (2) the "data protection impact assessment" and, last but not least, (3) the "data protection officer".

1. Data Protection by design (also Privacy by design)

Article 25 GDPR requires companies to take the state of the art into account when designing risky processes or products. This includes considering the recommendations of experts and widely accepted best practices. Taking into account the cost of implementation and the nature, scope, context and purposes of the processing, as well as the risks to the people affected, it is mandatory to implement appropriate technical and organisational measures when developing any service.

Possible measures to increase security are described in Article 32, for example implementing "a process for regularly testing, assessing and evaluating the effectiveness of […] measures". Before launching a service as attractive to attackers as 7pay, which holds financial data and a lot of personal information of a large number of people, an independent security audit could have spotted the problems before launch, allowing fixes to be made at relatively low cost.
 
Such a preventive security audit would cost a small fraction of what 7-Eleven is now paying for its post-incident audit, as an express premium is being paid to resolve the incident as swiftly as possible.
 
In the given case, following the best practice of sending the password reset link only to the email address already registered for the account, and never to an address supplied in the reset form, would probably have spared 7-Eleven the entire debacle. Details such as birthday and phone number are not secrets and should not be treated as proof of identity; possession of the registered mailbox is the check that matters.
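The flawed reset flow described under "What happened" and the best practice named here, side by side, as an added Python example; this is not code from 7-Eleven, 7pay or this article. The in-memory user store, the sample account, the outbox that stands in for a mail gateway and all function names are constructed assumptions, and the attacker simulation only models what the text describes: a known email and phone number, the guessed default birthday, and the "delivery email address" field.

```python
"""Password reset: the flaw described above beside a hardened version.

Added example, not code from 7pay. The user store, accounts, outbox and
all function names are constructed for illustration.
"""
import hmac
import secrets
import time

DEFAULT_BIRTHDAY = "2019-01-01"     # the app's pre-filled value
TOKEN_TTL_SECONDS = 15 * 60

# Constructed sample account; the birthday was never changed from the default.
USERS = {
    "alice@example.com": {
        "phone": "090-0000-0001",
        "birthday": DEFAULT_BIRTHDAY,
        "password": "alice-original",
    },
}

OUTBOX = []    # (recipient, token) pairs; stands in for the mail gateway
TOKENS = {}    # token -> (account email, expiry timestamp)


def _issue_token(email):
    token = secrets.token_urlsafe(32)
    TOKENS[token] = (email, time.time() + TOKEN_TTL_SECONDS)
    return token


def request_reset_vulnerable(email, birthday, phone, delivery_email=None):
    """Flawed flow: the 'verification' data is easy to obtain or guess, and
    the link is sent to whatever address the caller puts in the delivery
    email field instead of the registered one."""
    user = USERS.get(email)
    if user is None or user["birthday"] != birthday or user["phone"] != phone:
        return False
    OUTBOX.append((delivery_email or email, _issue_token(email)))
    return True


def request_reset_hardened(email):
    """Hardened flow: no delivery-address override, no knowledge-based
    checks (birthday and phone are not secrets), and the same response
    whether or not the account exists, so callers cannot enumerate users."""
    if email in USERS:
        OUTBOX.append((email, _issue_token(email)))
    return True


def consume_reset(token, new_password):
    """Redeem a token once; unknown or expired tokens are rejected."""
    entry = TOKENS.pop(token, None)
    if entry is None:
        return False
    email, expiry = entry
    if time.time() > expiry:
        return False
    USERS[email]["password"] = new_password
    return True


def login(email, password):
    user = USERS.get(email)
    return user is not None and hmac.compare_digest(user["password"], password)


def takeover(hardened):
    """Mallory knows Alice's email and phone from an earlier breach and
    guesses the default birthday. Returns True if Mallory ends up able to
    log in as Alice."""
    OUTBOX.clear()
    victim, mallory = "alice@example.com", "mallory@attacker.example"
    if hardened:
        request_reset_hardened(victim)      # the form has no delivery field
    else:
        request_reset_vulnerable(victim, DEFAULT_BIRTHDAY, "090-0000-0001",
                                 delivery_email=mallory)
    # Mallory can only read mail delivered to her own address.
    stolen = [token for recipient, token in OUTBOX if recipient == mallory]
    if not stolen:
        return False
    consume_reset(stolen[0], "mallory-chosen")
    return login(victim, "mallory-chosen")


if __name__ == "__main__":
    print("vulnerable flow, account taken over:", takeover(hardened=False))
    print("hardened flow, account taken over:  ", takeover(hardened=True))
```

The hardened variant deliberately drops the birthday and phone fields rather than "fixing" them: an attacker who can fill in the delivery field can also fill in values harvested from earlier breaches, so they add friction for legitimate users without adding security. In a real deployment the reset endpoint would also be rate limited per account and per source address, and the token would be stored hashed so that a database read does not yield usable links.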

2. Data Protection Impact Assessment (DPIA)

Article 35 gives companies another valuable tool for structuring the planning of services and apps. During a DPIA, all relevant teams are asked to imagine worst-case scenarios, define measures to guard against them, and rate the risk that remains for individual customers and users. The DPIA thus provides a set procedure for collecting all the risks that a data breach or related problem might pose and for considering effective safeguards early in the process.
 
If a risk is identified early, the team has enough time to find and implement a solution without the tight deadlines that lead to rushed features. While many people decry the DPIA as a burden on companies, it proves to be a very useful instrument for detecting future pitfalls.

3. The Data Protection Officer

A Data Protection Officer can do much more for your organisation than just monitor the compliance of existing processes. As specialists in the GDPR and ideally also in IT, they can provide important insights during each phase of development. During planning they can spot potential problems early on, and during development they can keep in regular contact with the team to guide decisions on user experience or security, helping you reduce risk. Afterwards, during final checks, they can confirm compliance with the relevant regulations and, more importantly, with international IT security standards such as ISO/IEC 27001 or the recommendations of agencies such as NIST, the BSI or the NCSC.

Before hiring a DPO, be sure to check that they not only know the GDPR but are also deeply familiar with IT security and IT best practices, as these skills will help your organisation stay ahead in the long term. Enobyte offers this expertise. If you have any questions regarding projects you are planning or working on, we are happy to assist you at each step, supporting you in staying compliant and, more importantly, staying alert to threats and security mishaps. With our service you can sincerely tell your customers that you care about keeping their data protected.

Related article (interview with Dr. Hermann Gumpp, Enobyte K.K.): HR Technology and GDPR (source: The Asahi Shimbun Globe+; in Japanese).

© Montypeter / freepik
Robert Buschmann
Certified Data Protection Officer and Auditor
Enobyte GmbH
info@enobyte.com
https://enobyte.com/