Posts Tagged “Data Breach”

According to the Wall Street Journal, Heartland Payment Systems Inc. of Princeton, NJ has fallen victim to a data breach that may have resulted in the unauthorized disclosure of 100 million credit card numbers or more.  At this time the company can’t say how many records were lost, but it does handle 100 million credit card transactions each month for more than 250,000 businesses nationwide, for a total processing volume of $20 billion (according to the company’s Q3 2008 earnings call).  This data breach has the potential to be bigger than the TJX data breach.  The data compromised is reported to be “track data”, the crown jewels of credit card information, because it allows the attacker to actually reproduce the victim’s credit cards. 

Heartland was first alerted to the possibility of a breach by Visa and MasterCard, who detected a pattern of fraudulent transactions.  Heartland’s investigation has revealed the presence of malicious software on its systems, which Heartland’s president Robert Baldwin characterized as “light-years more sophisticated” than the run-of-the-mill malicious software typically found on the Internet.  This raises the possibility that this was a targeted attack as opposed to a “drive-by” infection. 

What is also curious is that when I did some looking into Heartland and PCI, I found that security and PCI compliance were among the main selling points of their service, based on two PDFs I found (Retail Solutions PCI and RippedOff). 

Now I don’t work for Heartland, nor do I know anyone who has, so I don’t have an axe to grind any more than I have an ass to kiss.  It is early days in this data breach story, so at this point I’m prepared to give Heartland the benefit of the doubt that they had taken reasonable and prudent measures to protect their data consistent with their industry.  I was also able to find a quote from Robert Carr, Heartland’s Chairman and Chief Executive Officer, on the importance of security:

We also recognize the need to move beyond the lowest common denominator of data security, currently the PCI DSS standards. We believe it is imperative to move to a higher standard for processing secure transactions, one which we have the ability to implement without waiting for the payments infrastructure to change. We believe that standard to be true end-to-end encryption, and we are committed to launching this new standard in the fourth quarter of ‘09 or early 2010 with several forward-looking clients and industry partners. We believe that the payment world is at risk, relying on virus protection software to protect us from determined criminal organizations.

When I add up what I’ve found, it appears that once again we have an example where simple compliance with standards does not necessarily equal security.  If Heartland was fully compliant with PCI DSS, and I have no reason at this point to believe otherwise, then it should serve as an example to change the perspective we take on securing our information from one of compliance to one of risk.  (Although I’m admittedly perplexed at why they were storing track data. If they were truly storing full track data, including the CVV and/or PIN, then that would call into question their PCI compliance.)
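The question raised above, whether full track data is sitting at rest where it should not be, is one a defender can answer directly rather than speculate about. The following is an added example, not Heartland’s code or anything from the reports cited here: a small scanner that walks through log or dump text, recognizes Track 1 and Track 2 layouts (ISO 7813) and bare card numbers, applies the Luhn check to weed out order ids and timestamps that merely look like PANs, and reports each hit with the PAN masked so the scanner’s own output is not a second leak. Full track data (which carries the discretionary field holding CVV-type values) is rated critical, since PCI DSS forbids storing it after authorization; a cleartext PAN on its own is rated high. The sample log lines are constructed, and the card numbers in them are the public Visa and Mastercard test numbers.

```python
import re
from dataclasses import dataclass
from collections import Counter

# Magnetic-stripe layouts (ISO 7813). Track 2: ;PAN=YYMMSSS<discretionary>?
# Track 1: %B<PAN>^<NAME>^YYMMSSS<discretionary>?  (SSS = service code).
# The discretionary field is where CVV1/PVV-type values live, which is why
# full track data counts as sensitive authentication data and must not be kept.
TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<dd>\d*)\?")
TRACK1_RE = re.compile(r"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<dd>[^?]*)\?")
# A bare PAN: 13-19 digits that are not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?P<pan>\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; filters out ids and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits in any report."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str        # "track1", "track2" or "pan"
    masked_pan: str
    severity: str    # "critical" = full track data at rest; "high" = cleartext PAN


def scan_text(text: str) -> list:
    """Scan log or dump text line by line for track data and cleartext PANs."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        remainder = line
        for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in rx.finditer(line):
                if luhn_ok(m.group("pan")):
                    findings.append(Finding(line_no, kind, mask_pan(m.group("pan")), "critical"))
                # Blank out the match so its PAN is not counted again as a bare PAN.
                remainder = remainder.replace(m.group(0), " ")
        for m in PAN_RE.finditer(remainder):
            if luhn_ok(m.group("pan")):
                findings.append(Finding(line_no, "pan", mask_pan(m.group("pan")), "high"))
    return findings


def summarize(findings) -> dict:
    """Counts by severity, which is the number a risk review actually needs."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample: a debug log that is writing raw stripe reads to disk.
# The PANs are the public Visa/Mastercard test numbers, not real cards.
SAMPLE_LOG = """\
2009-01-20 10:02:11 auth ok merchant=12345 ref=ab12
2009-01-20 10:02:12 debug raw=;4111111111111111=1012101123456789?
2009-01-20 10:02:13 debug raw=%B5555555555554444^DOE/JANE^10121011234567890?
2009-01-20 10:02:14 settle pan=4111111111111111 amount=12.50
2009-01-20 10:02:15 order id=1234567890123456 status=ok
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.severity:8} {f.kind:6} {f.masked_pan}")
    print(summarize(scan_text(SAMPLE_LOG)))
```

Run against the constructed log it reports two critical findings (the Track 2 and Track 1 records on lines 2 and 3), one high finding (the cleartext PAN on line 4), and nothing for line 5, whose sixteen-digit order id fails the Luhn check. The same two regular expressions work equally well over database exports or application memory dumps; the point is that “are we storing track data?” is a question with a testable answer.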

This is definitely one to watch in order to see how it develops.


Now I do realize that I run the risk of sounding like a broken record with this post but I think it will underscore a point as well as provide a basis for further posts on proactive security. 

I subscribe to the Data Loss Digest put out by DataLossDB.org.  While I don’t always have time to peruse it daily, I do go back and look through the messages from time to time.  I was doing so today when two news stories jumped out at me as good examples to use here on the blog.  Both of these stories deal with data breaches and the way that they were handled, and they also speak to how being proactive can help when disaster strikes.

Our first story is about a missing hard drive that may contain the names, addresses, passport numbers, dates of birth and driving license details of 100,000 individuals who are employees of the UK Ministry of Defense.  This number constitutes about half of the UK’s armed forces.  See:

EDS loses unencrypted Armed-Forces Data and

Lost MoD drive hadn’t required encryption says EDS

In an interview on BBC Radio 5’s “Drive” program, the managing director of EDS (Defense) in the UK, Sir Robert Fry, told the BBC’s Anita Anand:

“The hard drive was not encrypted but neither did it need to be, in terms of the protocols to which we and the Ministry of Defense work, when it sits inside a secure site.”

Now I have no doubt that what Sir Robert told the reporter is true, but that is little comfort to the 100,000 individuals whose information has gone missing. 

Compare this story to the loss of a laptop containing the personal details of 100,000 members of the National Rail and British Transport Police pension program.  That laptop was stolen from a Deloitte employee in a public place.  

See: Pension Data was on Stolen Laptop

Now the first quote that you see from Deloitte was that there was a “very low risk” of the details being accessed.  “Yeah, right” was my first impression, but as you read on the article goes on:

“In a statement, the company said the laptop was protected by a number of security measures, including start-up and operating system passwords and data encryption. 

It said the theft had happened despite employees being issued with guidelines to pay close attention to their laptops in public places.”

For the sake of full disclosure I must admit that I am a Deloitte alumnus.  As one, I can report that the company’s statement is true.  Our laptops were encrypted, and they do put in place quite a few security measures to protect their clients’ data over and above what I’ve found as normal in many companies.  In fact, during my time there I was very impressed with the lengths they went to in order to protect their own as well as client data. 

My point wasn’t to praise Deloitte, however.  It was to point out that while both cases involved a data breach, they can be interpreted in two different ways.  On one hand you have a company that is trying to justify why certain security measures weren’t taken, and on the other hand you have a company that is telling you that they had instituted multiple security measures intended to safeguard the information even though it has left the company’s control. 

If I read these stories and try to put myself in the place of one of the individuals whose information was lost I come away with two different feelings.  On one hand I read the article and don’t feel any better that my information has been lost, in fact I feel worse – I’ve just been given the “pass the blame” answer.  On the other hand I feel better about the loss (not that I’m happy, just mollified) because it appears as if prudent security measures have been taken to secure the information on the laptop. 

Taking a proactive stance on managing the risk to information and implementing sound security measures is just good business.  What executive wants to be put on the spot by reporters, having to answer questions as to why something wasn’t done?  Isn’t it a much better place to be in to inform everyone of the efforts that a company has taken to go above and beyond in protecting its customers’ data?  In today’s tough economic times it is a prudent company that takes proactive measures to maintain the competitive edge when the inevitable happens.   


What happens when a company experiences a data breach or a security incident?  Well aside from the obvious, someone often tries to figure out what went wrong.  Hopefully this means that they want to fix things so that it doesn’t happen again and not for finger pointing and assigning blame. 

Regardless of the reason, what can we learn from these events?  In this, the first part of a two part post, I’ll review the common mistakes that companies make prior to a security incident.  In part two we’ll discuss how companies should approach risk management in order to minimize their exposure to risk.  (Imagine that – a risk management program that actually manages risk. What a novel idea)

This list is in no way exhaustive or ordered by priority. This list comes from my experience and that of the other information security professionals that I have talked with over the years in my attempts to learn from other’s mistakes and experiences.  If you have other items that you’d like to offer for consideration please post a reply.

1.  Risk Management is diffused across the entire organization. 

Managing risk should be everyone’s responsibility, but it should have a focal point and a champion.  One problem that occurs is that risk management activities are carried out by many different people from many different departments with little or no coordination between them.  This causes a repetition of effort and can actually create more risk than it addresses. 

2. Overlapping and interacting risk factors are often underestimated or ignored all together.

Much like the diet drug Fen-Phen, the interaction of two risk factors can produce an exponential increase in the level of risk exposure.  In companies that experience security incidents, the interaction between these factors is often ignored, if it is even recognized in the first place.  When the interactions were highlighted by information security professionals, senior management often downplayed them.  We can only speculate as to why.

3.  Warnings about security vulnerabilities and risk agents were ignored and those who gave them were criticized as malcontents or for not being team players.

When examining the events that led up to a security incident, it is not uncommon to find that the warning signs were there.  In certain situations it wasn’t uncommon to learn that those who did voice the warning were criticized for what management considered “disruptive behavior.” 

4.  When risk modeling is used, too much emphasis is placed on probabilistic modeling. 

Most security studies are highly inaccurate from the standpoint of the quantifiable measurement of security incidents.  (I can go on about this, but it is really a separate topic.  If it is one of interest to you, let me know and I’ll devote a post to it.)  Most information security professionals believe that these studies only capture something like ten percent of the actual events that are occurring.  When you use these studies as the basis for probabilistic risk models, you are doing so using inaccurate data.  This is fine as long as this fact is acknowledged and the numbers generated from the model are tempered with qualitative analysis. 
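To make the “ten percent” point concrete, here is an added illustration (my own, not from any study or tool mentioned in this post) of what acknowledging the capture rate does to a standard annualised loss expectancy calculation. All figures are assumed: a survey reporting 300 incidents across 10,000 organisations over four years, a single loss expectancy of $2,000,000, and a proposed control costing $60,000 a year. Instead of a point estimate, the model divides the observed rate by a range of assumed capture rates and compares the control’s cost with the resulting interval; where the interval straddles the cost, the only honest output is “inconclusive, take it to qualitative review”.

```python
# Constructed figures, assumed for illustration only.
REPORTED_INCIDENTS = 300
POPULATION = 10_000
YEARS = 4
SLE = 2_000_000          # single loss expectancy, in dollars (assumed)
CONTROL_COST = 60_000    # annual cost of the proposed control (assumed)


def naive_aro(reported: int, population: int, years: int) -> float:
    """Annual rate of occurrence per organisation, taking the survey count at face value."""
    return reported / (population * years)


def adjusted_aro_bounds(reported, population, years, capture_low, capture_high):
    """The same rate after dividing by an assumed range of capture rates
    (the fraction of real events the survey actually saw).
    Returns (low, high): low assumes the survey saw the most, high the least."""
    base = naive_aro(reported, population, years)
    return base / capture_high, base / capture_low


def ale(sle: float, aro: float) -> float:
    """Annualised loss expectancy."""
    return sle * aro


def control_decision(annual_cost, sle, aro_low, aro_high) -> str:
    """Compare a control's cost with the ALE interval rather than a single number."""
    ale_low, ale_high = ale(sle, aro_low), ale(sle, aro_high)
    if annual_cost <= ale_low:
        return "justified"
    if annual_cost > ale_high:
        return "not justified"
    return "inconclusive: needs qualitative review"


if __name__ == "__main__":
    point = naive_aro(REPORTED_INCIDENTS, POPULATION, YEARS)
    lo, hi = adjusted_aro_bounds(REPORTED_INCIDENTS, POPULATION, YEARS, 0.1, 0.5)
    print(f"naive ARO {point:.4f} -> ALE ${ale(SLE, point):,.0f}: "
          f"{control_decision(CONTROL_COST, SLE, point, point)}")
    print(f"adjusted ARO {lo:.4f}..{hi:.4f} -> ALE ${ale(SLE, lo):,.0f}..${ale(SLE, hi):,.0f}: "
          f"{control_decision(CONTROL_COST, SLE, lo, hi)}")
```

With the survey taken at face value the ALE is $15,000 and the $60,000 control looks like a waste of money. Assuming the survey captured between ten and fifty percent of real events, the ALE lies somewhere between $30,000 and $150,000, and the same control can no longer be rejected on the numbers alone. That is the whole point of tempering the model: the decision changes from a confident “no” to an honest “we do not know yet”.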

5. Senior management was so focused on making their numbers that other programs and initiatives (such as risk management and information security) were cut.

This problem is all about thinking tactically versus strategically.  A long-term strategic approach includes addressing the needs and requirements that can have the greatest impact over time.  If management’s view is too tactical and short term, then they run the risk of neglecting long-term concerns such as those having to do with appropriate risk management activities. 

6.  Companies lacked a comprehensive approach to risk management. 

A comprehensive approach takes into account quite a few different aspects and points of view rather than one or two narrow views.   Companies that lacked a comprehensive approach typically viewed risk management as a compliance exercise rather than as a business enabler.  I’ll go into more detail about this in Part Two so stay tuned. 

Again, these are just a few items that came to mind.  If you have your own that you have noticed then please share them.


Verizon Business has released a report on data breaches that spans four years and more than 500 forensic investigations involving 230 million records.   The main message is that nine out of ten breaches could have been prevented had reasonable security measures been implemented.  While I won’t repeat the report summary here, this report should be useful as supporting evidence when developing the business case for a comprehensive risk management program. 

You can find the full report here:

http://newscenter.verizon.com/press-releases/verizon/2008/verizon-business-releases.html
