LaSala further explained the change in direction of the DanaBot shows that attacks that started in banking are moving beyond banking. "Attacks such as Marriot, British Airways and Newegg were for private information and on the black market, this private information is valuable. Private information helps criminals open new accounts and appear legitimate." He added, the more private information that is stolen, the more difficult it will be for organizations to protect themselves from fraudulent accounts. "This showcases the fact that all forms of internet communication need to be protected and companies should be vigilant in patching security holes as soon as they can."

Meanwhile last week Krebs on Security broke the news that major jewelry chains Jared and Kay Jewelers have fixed a website vulnerability that exposed the sensitive order information for all their online customers.

In mid-November 2018, KrebsOnSecurity heard from a Jared customer who discovered that slightly modifying a link within a confirmation email, and then pasting that into a Web browser, revealed another customer's order. this vulnerability, exposed sensitive personal information including their name, billing address, shipping address, phone number, email address, items and total amount purchased, delivery date, tracking link, and the last four digits of the customer's credit card number.

The CISO at Signet – which operates over 3,500 stores primarily under the name brands of Kay Jewelers, Zales, Jared, H.Samuel, Ernest Jones, Peoples, Piercing Pagoda, and JamesAllen.com – said they fixed the problem for all future orders–but didn't address the data exposure on past orders until contacted by Krebs. Signet said the problem affected only orders made online through jared.com and kay.com.

Bryan Becker, application security researcher at San Jose, Calif.-based WhiteHat Security, commented: "Vulnerabilities and weaknesses in websites are incredibly common— even among high profile organizations, such as Jared and Kay Jewelers. Many businesses are still unaware of the risk factor of their websites, or have delayed taking appropriate action due to funding issues or prioritization." Becker said in the case of Jared and Kay Jewelers, lax security exposed a great deal of personally identifiable information to any adversary taking advantage of common web vulnerabilities. "This opens individuals up to identity fraud, order theft and more."

Becker suggested, "Year-round, but especially during the uptick in online holiday shopping activity, companies must be proactive, not just reactive, in regards to application security. Continuous testing and auditing of applications is now a requirement, not an option." Every business that handles consumer data needs to make security a consistent, top-of-mind concern with an obligation to perform the strictest security tests against vulnerable avenues: APIs, network connections, mobile apps, websites and databases. "Organizations that rely on digital platforms need to educate and empower developers to code using security best practices throughout the entire software lifecycle, with proper security training and certifications."