The Subway incident has been reported by the BBC. As yet, Subway has not said whether its databases have been compromised or what the source of the scam is. The number of people affected is also uncertain. However, Subway has informed Bleeping Computer that a particular server was responsible for the firm’s email marketing campaigns and that this is the point where the attack happened. It appears that no banking or credit card details were stored on this server.
As for the form of the message, the emails encouraged users to click on document links, which led them to hacked websites and to the download of a malicious Excel spreadsheet.
According to Ed Macnair, CEO, Censornet, commenting for Digital Journal: “This is an example of why email data is so dangerous in the hands of cyber criminals. Customer databases are a treasure trove for criminals looking to launch widespread phishing campaigns, exploiting the fact that these customers already know the brand and are therefore more likely to trust the email and click through to the malware.”
Macnair looks at the wider implication of holding data about customers. He notes: “This attack demonstrates the implications of not sufficiently protecting valuable customer email information. For cyber criminals email campaigns have proved such an effective and easy method of malware deployment over the past decade, if a company lets its database fall into the hands of an attacker they are putting their customers at serious risk.”
In terms of preventative actions, Macnair recommends: “To stop this they should treat email data as sensitive information and an extra layer of account security as a bare minimum, such as multi-factor authentication, to ensure that only those who should have access to an email database can access it.”
