Cybercriminals likely poised to attack as Magento 1 reaches “end of life”

After publishing a final security patch on 22nd June 2020, Adobe is ending support for its popular e-commerce platform.

Adobe stated, "If you have a store that continues to run on Magento 1 after June 30, please be aware that from that date forward you have increased responsibility for maintaining your site’s security and PCI DSS compliance. Beyond the EOS (end of support) date, Adobe will not be responding to any further security issues for Magento 1."

Upgrade to Magento 2 e-commerce platform to avoid cyber risks

Payment processors Mastercard, Visa and PayPal, and the FBI have issued security alerts, urging users to upgrade to Magento 2, which was released in 2015. According to Threatpost, more than 100,000 online stores are still using Magento 1. By contrast, it is estimated that only 37,500 stores have installed Magento 2, despite it being released over 5 years ago.

In an April advisory from Visa, the financial services company highlighted the following potential security issues for merchants staying with Magento 1:

  • Extension or plug-in functionality may break or become unavailable.
  • Over time, Magento developers will only be familiar with Magento 2.
  • Merchants will fall out of compliance with PCI DSS.
  • Ecommerce sites will be more exposed to security risks and increased likelihood of an account data compromise due to the lack of security upgrades.

After Adobe purchased Magento, it quickly expanded the development of Magento 2, but for many SMEs that started their online stores on Magento 1, the path to newer open source or cloud-based upgrades can be difficult and costly.

Avoid cyber risks from e-commerce platforms

Magento is a very popular open-source e-commerce platform that powers many online shops, a fact that hasn’t gone unnoticed by cyber criminals.

For the past four years, cybercriminals have increasingly targeted Magento sites as part of 'Magecart' attacks, exploiting bugs and inserting malicious JavaScript code to steal payment information (known as web skimming) from the end customer. It is estimated that one gang known as Keeper infiltrated 570 e-commerce sites in 55 countries.

These attacks are often traced back to online retailers running older versions of the software, with Mastercard stating that 77% of the companies investigated were not in compliance with PCI DSS requirement 6, the rule that requires store owners to run up-to-date systems. Losing PCI DSS accreditation is a potential disaster for online stores or any other company that manages online card payments, as they could become directly liable for the damages they cause to their customers.

With web skimming attacks more common than ever, store owners will most likely need to seriously consider updating their sites, despite the temporary breakage and downtime that this involves. Merchants that continue to use an unsupported Magento 1 version will have to implement compensating controls to re-certify PCI DSS compliance, such as signing up for and implementing third-party fixes and updates, continuously scanning their installations for malware, vulnerabilities and unauthorised accounts, using a web application firewall, and so on.
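Two of the compensating controls above, scanning the installation for unauthorised changes and catching injected skimmer scripts of the kind described in the Magecart paragraph, can be approximated with a simple file-integrity baseline plus an allowlist of script hosts. The script below is an added example written for this bulletin; it is not code from Adobe, Magento or the article. The directory layout, file contents and host names (`cdn.example`, `not-our-cdn.invalid`) are constructed for the demo, and the allowlist is an assumption a merchant would replace with their own CDN and payment hosts.

```python
"""Defensive check for an unsupported store: a file-integrity baseline plus a
scan for <script src=...> references to hosts outside an allowlist.
Added example, not code from the article, Adobe or Magento. All paths,
file contents and host names below are constructed for the demonstration."""
import hashlib
import os
import re
import tempfile

# Assumed allowlist: hosts a store legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.example"}

# Captures the host part of an absolute http(s) script src attribute.
SCRIPT_SRC_RE = re.compile(r'<script[^>]+src=["\']https?://([^/"\']+)', re.I)


def build_baseline(root):
    """Map each file (path relative to root, '/' separators) to its SHA-256."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = digest
    return baseline


def diff_baseline(old, new):
    """Return sorted (added, modified, removed) relative paths."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in old if p in new and old[p] != new[p])
    return added, modified, removed


def unexpected_script_hosts(text, allowed=ALLOWED_SCRIPT_HOSTS):
    """Hosts referenced by <script src=...> that are not on the allowlist."""
    hosts = {m.group(1).lower() for m in SCRIPT_SRC_RE.finditer(text)}
    return sorted(h for h in hosts if h not in allowed)


def scan_templates(root, allowed=ALLOWED_SCRIPT_HOSTS):
    """Walk template and JS files; report unexpected script hosts per file."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith((".phtml", ".html", ".js")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hosts = unexpected_script_hosts(fh.read(), allowed)
            if hosts:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hosts
    return findings


def demo():
    """Build a constructed store tree, baseline it, tamper, and re-check."""
    with tempfile.TemporaryDirectory() as root:
        tpl = os.path.join(root, "app", "design", "checkout")
        os.makedirs(tpl)
        with open(os.path.join(tpl, "onepage.phtml"), "w") as fh:
            fh.write('<script src="https://cdn.example/checkout.js"></script>\n')
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php echo 'store';\n")
        before = build_baseline(root)

        # Constructed tampering: an appended external script and a stray new file.
        with open(os.path.join(tpl, "onepage.phtml"), "a") as fh:
            fh.write('<script src="https://not-our-cdn.invalid/s.js"></script>\n')
        with open(os.path.join(tpl, "extra.js"), "w") as fh:
            fh.write("console.log('constructed');\n")

        added, modified, removed = diff_baseline(before, build_baseline(root))
        return {
            "added": added,
            "modified": modified,
            "removed": removed,
            "unexpected": scan_templates(root),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice the baseline would be taken immediately after a known-good deployment and stored outside the web root, and the two checks would run on a schedule so that a changed template or a new script host raises an alert rather than waiting for a customer complaint.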

"General security vulnerabilities tend to increase the longer software is unsupported as hackers continue to use new technologies and techniques for exploitation. This raises the risk of attacks and security breaches over time and increases the possibility of exposing personally-identifiable customer data," Adobe explained.

Companies risk their reputation, the trust of their customers, fines and may even lose their credit card processing ability if they fail to protect user information.

As disruptive, time-consuming and costly as it may be, this EOL may finally push many retailers to upgrade or make the switch to an alternative platform.

Uninstall Flash Player to avoid cyber vulnerabilities

End of life timelines often leave lagging companies in security hot water. With Flash Player's 31 December 2020 end of service date quickly approaching, Adobe said that it will start prompting users to uninstall the software in the coming months.

"Any time software reaches end-of-life there is the risk of attackers discovering new vulnerabilities that will remain unpatched," Zach Varnell, Senior AppSec Consultant at nVisium, told Threatpost. "There may even be existing vulnerabilities that are not yet publicly known. Attackers could just sit on those issues and not reveal them until after the EOL date, ensuring that they will have longer to use them."

2020 has been a tumultuous year for retailers who are adapting to drastically changed consumer behaviours and expectations. Amidst the list of business-critical priorities a merchant is focussing on, a cyber infiltration would be less welcome than ever, and potentially disastrous, especially if it were uninsured.

Sources: Threatpost.com

Cyber insurance from Towergate

Towergate are actively engaging with insurers and our clients to obtain cyber protection for businesses of all sizes, to protect against the very real and growing threats of the digital age. We can offer cyber insurance for businesses to help protect you should the worst happen.

Get a cyber insurance quote online.

About the author

Mark Brannon Cert CII, commercial, sales, broking and client director

Mark Brannon Cert CII is a respected industry leader with over 17 years’ industry experience in a variety of roles within the business insurance sector. He works across a wide spectrum of insurance product and policy development, delivery and optimisation for clients, including claims, insurer relationships, marketing and communications, and risk management.


For more information or for a full review of your insurance needs, please see our insurance specialisms, contact your usual Towergate Insurance Brokers adviser or email TIB@towergate.co.uk.


The information contained in this bulletin is based on sources that we believe are reliable and should be understood as general risk management and insurance information only. It is not intended to be taken as advice with respect to any specific or individual situation and cannot be relied upon as such. If you wish to discuss your specific requirements, please do not hesitate to contact your usual Towergate Insurance Brokers adviser.