Total Tools Totally messed up – Credit card details stolen for 30k customers

Total Tools Totally messed up – Credit card details stolen for 30k customers have been stolen in a Cyber security breach for the ages.

This article is my opinion and is based on the information that has been presented so far, as I have not completed the Incident Response for Total Tools I can not be 100% certain of this case.

This article is written to ensure that people affected by the breach do reset all their common passwords that were shared with their Total Tools login and that they replace their credit cards ASAP.

Now the basics of what is good Cyber security and what is not is well known, I have written about the basics of Cyber Security before even here and on LinkedIn, again and again the same thing is true. Protect your Identities, Protect your Email, Protect your Devices and MOST importantly, Protect your DATA – Data is the lifeblood of business, it is also information that a business is a custodian of, not the owner.

When a supplier has my personal details, that information is still mine and the supplier should uphold the security of my information at the level I would. I can not change my Date of Birth, my Tax file Number, Drivers License, email address, mobile number, physical address are all sufficient to create a persona and defraud a third party using data that the owner of had no control over.

Pulling apart the announcement and only through the announcement (meaning there will be more nuance to this), Total Tools did not have adequate Data Security measures in place, or any, but we don’t know this for certain yet so will err on the side of inadequate controls.

What is Wrong?

In the announcement there are some telling signs, firstly a couple of the most critical components to be secured were not secured:

Email Address – Email addresses are probably mostly known globally already due to compromises of data across the board from Optus to MediBank to Latitude etc. In isolation no problem, but with the valuable data below, this is a really big issue!

Login details – this will be referring to both user name and Passwords, though passwords are not being explicitly mentioned, if they were not captured the media announcement would have stated encrypted hashes/ salted values or something along those lines.

Credit Card details – This BLOWS my Fucking mind! there is no way that any company should have had Credit card details on record, this is very likely a breach of the contract with the Credit card providers and at the very least.

The information above is sufficient for a criminal to act as one of the peoples who’s information was stolen and also to start running up purchases on their Credit cards – if a criminal keeps the purchases down and under the radar, then it is possible that they could continue for months without being noticed and draw a significant amount of money from a business account of an affected Total Tools client.

All data stored should be encrypted, at the very least Total Tools should have been encrypting the Passwords and the Credit card information of their users, seriously this is not good enough for a major Australian business, unfortunately it is not just them, many other businesses will also be in the same situation where the data they have about you is not secure. So far they have been lucky or they just don’t know that they have been infiltrated yet.

What should I do next?

If you are an affected Total Tools customer then read the email they have sent carefully for exactly what data was taken. I would recommend erring on the side of caution though and if you are a trade account holder or a customer who’s Credit card details were stored by Total tools, then do the following:

• Cancel your credit card or put the card on hold while you check the purchasers, it is likely that there will be weeks before a criminal uses the stolen information as the data is often sold onto a second party for a payday for the thief.
• If you used the same email and password on the Total Tools website that you use elsewhere, then change those passwords to a strong password on all sites where there are financial or other risks (Social Media, Business websites etc) as soon as you can, a criminal that takes over your website can steer customers away from you or do worse to cause your business harm.

And a really good practice for the future is to never send credit card details by email, or give them over the phone, because sent via email the data is now available to anyone who compromises the business you sent them too.

As always please reach out to me if you would like any assistance here.