Showing posts with label Breach. Show all posts

Tuesday, October 2, 2007

A Simple Incident Response to a Simple Oversight



Today may be the day you need to step up and respond to a breach involving someone else’s confidential information. Do the right thing and you will be OK. Assuming the breach is less than it really is can negatively impact your company, the victims, and your livelihood.

A Little Background
I write for this and The Breach Blog because I am passionate about information security and protecting people when dealing with confidential information. The Breach Blog was born out of this passion just a few months ago, and I have already written 69 articles (with a backlog of four) about breaches and the lessons they teach us. I believe that people can really learn from other people’s mistakes. Anyway, on to the story...

The Incident
This morning I received a phone call from one of the IT administrators at a company that I provide information security consulting for. He was in a panic.

He regularly receives email updates from his human resources department outlining terminations, new hires and management changes. He gets these updates so that he can update the company’s Active Directory. Today, he received his spreadsheets as normal, but this time there was an additional column that he did not recognize before. The column was titled “Assoc. ID”, and the spreadsheet contained information on about 50 company employees.

Can you guess what the “Assoc. ID” is?
If you guessed Social Security number, then you are correct! Oh boy.

On the surface, you may say this isn’t that big of a deal. We can just go to human resources and inform them that this is an unacceptable practice and be done with it. OK, but put yourself in the shoes of a person that was in the spreadsheet. Would you be OK if information security just went to human resources and told them to quit it? I am guessing that your answer may be the same as mine, NO!

If I were a victim, what questions would I demand answers to? Let’s see:

  • I want to know where this information came from.
  • I want to know if this has been an acceptable practice by human resources in the past and if so, how long?
  • I want to know if there was anyone else that received this email.
  • I want to know that the email containing the spreadsheet was deleted. Not just from the “Inbox” either, but also “Sent Items” and “Deleted Items”.
  • I want to know if there were any copies stored locally on the sender’s computer.
  • I want to know if there are any copies on a network drive (i.e. is “My Documents” synchronized).
  • I want to know if this information may be in a backup anywhere that needs to be dealt with.
  • I want to know why this happened in the first place.
  • I want to know what human resources is going to do to make sure that this never happens again.
  • Are there any laws and/or regulations that apply, i.e. do I need to disclose this breach to any state attorneys general?
You get the picture yet? I want to know everything there is to know about this breach and I want to take every possible action to contain the damage caused by it.

Victims and shareholders should expect, and demand, no less!

As it turns out, this seemingly innocent mistake/training issue quickly escalated into a full-blown investigation that took away from other important tasks and cost the company money. It would have been easy to take the lazy approach and sweep this under the rug, but what service would I be providing to the victims, the company, or myself? Thank God this breach only affected 50 people and was relatively easy to contain and respond to. What would I have done if this breach affected 5000, 50000, or 500000 people? What if the human resources person sent the email outside of the company?
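The root cause above was a column of Social Security numbers hiding under a harmless-looking header. The following is an added example, not code from the original post: a small pre-send check that scans a spreadsheet export for columns whose values are formatted like SSNs, regardless of what the column is called. It uses only the Python standard library; the sample rows are constructed to mimic the HR export described.

```python
"""
Added example (not from the original post): a header-agnostic check that scans
a spreadsheet export (CSV text) for columns whose values look like U.S. Social
Security numbers, so an HR export with an "Assoc. ID" column would be flagged
before it is mailed. Standard library only; the sample rows are constructed.
"""
import csv
import io
import re
from collections import Counter

# Nine digits, optionally grouped 3-2-4 with dashes or spaces. The lookaheads
# reject area 000/666/9xx, group 00 and serial 0000, which are never issued.
SSN_RE = re.compile(r"^(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}$")


def looks_like_ssn(value: str) -> bool:
    """True when a single cell value is formatted like an issued SSN."""
    return SSN_RE.match(value.strip()) is not None


def find_ssn_columns(csv_text: str, threshold: float = 0.8) -> dict:
    """Return {column: fraction of non-empty cells that look like SSNs} for every
    column where that fraction reaches `threshold`. Headers are ignored, so a
    column labelled "Assoc. ID" is caught just as well as one labelled "SSN"."""
    matches, totals = Counter(), Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        for col, val in row.items():
            if col is None or val is None or not val.strip():
                continue
            totals[col] += 1
            if looks_like_ssn(val):
                matches[col] += 1
    return {
        col: matches[col] / totals[col]
        for col in totals
        if matches[col] / totals[col] >= threshold
    }


# Constructed sample of the kind of HR export described in the post.
SAMPLE_CSV = """Name,Action,Dept,Assoc. ID,Emp No,Phone
Jane Doe,New hire,Finance,123-45-6789,E10023,555-0101
John Roe,Termination,Sales,321 54 9876,E10024,555-0102
Ann Poe,Transfer,IT,234567890,E10025,555-0103
"""


def check_before_sending(csv_text: str) -> list:
    """Human-readable findings; an empty list means nothing SSN-like was found."""
    return [
        f"column {col!r}: {frac:.0%} of values look like SSNs"
        for col, frac in sorted(find_ssn_columns(csv_text).items())
    ]


if __name__ == "__main__":
    for line in check_before_sending(SAMPLE_CSV) or ["no SSN-like columns found"]:
        print(line)
```

The per-column threshold is what keeps this useful: a single nine-digit order number in a column of free text should not block a mailing, but a column where nearly every cell matches is exactly the "Assoc. ID" situation. Any 9-digit employee-number scheme will still collide with the pattern, so the check is a prompt for a human to look, not a verdict.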

Tips I've Learned
An easy way to respond to an incident involving personally-identifiable information is to put yourself in the shoes of a victim. This may sound obvious, but too many times I have witnessed information security “experts” going the other way. Answer the questions that you would have as a victim. Take money, lost consumer confidence, stock price, etc. out of the equation and do the right thing. If we all did the right thing we would have less regulation and more time to do other “right things”.

The CIO of this company asked me a question on my way out the door once the investigation was complete. He asked me what makes an information security professional so good at what he (or she) does? My answer: 95% of what makes a good information security professional is common sense. The other 5% is skill.

Unfortunately, it is very difficult to teach someone common sense.

Thursday, August 23, 2007

Information Security Quote of the Day



"It seems like there's a problem with security inside Homeland Security and that makes no sense"

 - James Slade, TSA screener and executive vice president of the National Treasury Employees Union chapter at John F. Kennedy International Airport, talking about the TSA hard drive lost in May 2007, which contained Social Security numbers and bank and payroll information for roughly 100,000 employees.


NOTE:  The agency said it did not know whether the device is still within headquarters or was stolen.

Hardly a week later DHS employees announced a class action lawsuit against the TSA in AFGE, et al v. Kip Hawley and TSA which to my knowledge has not yet been resolved.


Tuesday, August 21, 2007

TJX Breach News, and on and on...



Today the Boston Globe reported an arrest related to the TJX record-setting breach (in terms of number of affected consumers) in their article, "Suspect named in TJX credit card probe: Ukrainian's arrest seen as break in record fraud case".

I continue to be intrigued by the details of this case.  Maksym Yastremskiy stands accused of playing a "key role in the sale of many credit card numbers stolen from TJX Cos" and likely the "largest seller of stolen TJX numbers".  


According to the article, Mr. Yastremskiy sold cards in batches of up to 10,000 for $20-100 per card through various online forums.  Let's do some math.

10,000 cards @ $20-100/card = $200,000-1,000,000!

Let's say for a second that 45 million cards (allegedly lost in the original breach) were able to be sold for the same price.

45,700,000 cards @ $20-100/card = $914,000,000-4,570,000,000!

Up to 4.5 billion dollars!  Now this is all VERY hypothetical, but it should be VERY clear why organized crime is so interested and active in information security (or insecurity).  The amount of money made is incredible.

The article goes on to state that TJX reported that initial estimates of how much the breach will cost the company were grossly understated.  TJX estimates that it will spend $256,000,000 to cover the costs of the breach, improved security controls, and lawsuits.  
I don't know, but this still seems understated to me.

There is evidence of cards and/or information related to the TJX breach being used all over the world from retail WalMart stores to cash advances.

What a mess.  What did Mom say?  Something like an ounce of prevention is worth a pound of cure, or was it an ounce of security is worth $20-100/card?  I can't remember!


Some good TJX breach-related links:
 - The original TJX press release announcing the breach dated 1/17/07
 - The TJX "IMPORTANT CUSTOMER ALERT" dated 2/21/07
 - The original Information Week online article dated 1/17/07
 - "TJX profit down sharply on breach costs" reported by CNNMoney on 8/14/07
 - The recent Boston Globe story reporting Yastremskiy arrest dated 8/21/07
 - Massachusetts Bankers Association class-action lawsuit announcement dated 4/24/07
 - FTC Notice of Proposed Routine Use; Request for Public Comment, Privacy Act of 1974; System of Records: FTC File No. P072104

Monday, August 6, 2007

Mystery Credit Card Cancellations



This article raises more questions for me than it answers. I am referring to the article written by Stewart Carter, editor of The eCommerce Report titled "Visa confirms data tapes theft". I am assuming that this article is credible.

Data tapes containing "card data" were stolen in late May, 2007. Visa International has confirmed that "an investigation into the theft of data tapes on May 25 is ongoing and therefore we cannot comment further on this matter". Dead end.

On July 19th, the Sydney Morning Herald reported that Westpac (a large Pacific Rim bank) was cancelling Visa cards en masse. On July 24th, ZDNet reported that Virgin Money (Westpac's card partner) was cancelling MasterCard credit cards. It is unclear why Westpac and Virgin Money are cancelling so many credit cards.

Jane Counsel, Westpac’s senior media relations manager did respond to the eCommerce Report's inquiries by stating "…[T]he card data compromise which has impacted Westpac and Virgin cards relates to transactions that have occurred with a third party vendor who uses a payment gateway provided by one of the other major banks…”. "A third party vendor"??? Who?

It is clear from the article that none of the organizations involved want to take any responsibility for what could be a very significant breach. Stay tuned, as I am sure this story is far from over.

But, then again I wonder if this news is credible. I looked for both the Sydney Morning Herald and the ZDNet articles and couldn't find either. Please post them if you can find them.




Wednesday, July 18, 2007

107,000 More Records Compromised



This time it's 27,000 names, addresses, and credit card numbers lost by Kingston Technology Company and 80,000 names, addresses, and Social Security numbers lost by the Louisiana Board of Regents.

Kingston Technology (27,000)
Wouldn't you know it, there is no mention of this breach anywhere on Kingston's homepage.

Apparently the data was taken through unauthorized access of purchase information made at www.shop.kingston.com. What makes this interesting is that this breach supposedly happened in September, 2005 but went undetected until "recently".

Who is the victim?
"After confirming what data was accessed and who was affected, Kingston had to gather the appropriate contact information and arrange for consumer protection services and materials to notify the impacted consumers," the spokesman said.

Sound Familiar?
"The note added that, for the moment at least, there is no evidence that the illegally accessed data has been misused"

Kingston has an impressive track record of protecting information, and I get the feeling that they will only improve.

News: Computerworld
Letter to the New Hampshire Attorney General

Louisiana Board of Regents (80,000)
The Louisiana Board of Regents has a link on their homepage to some additional details.

I have to admit, this one has me a little miffed! I do not like how the data was compromised, how long it took to detect it, or the official Board of Regents (BOR) response.

The Compromise
A student found/stumbled on the data using Google. The student found a database of student names and 150 other files that he claimed contain up to 75,000 more names of students and employees. This information was accessible from the Internet without any protection whatsoever. According to BOR:

Groups Potentially Affected

Any student who was enrolled in the 10th grade at a Louisiana public high school and took the EPAS (Educational Planning and Assessment) Plan test between 2001 and 2003.
Any Louisiana public college or university faculty or staff member who was employed in either 2000 or 2001.


It is unclear how long the data may have been exposed, but it may have been "as long as two years".

The Response
The official response leaves something to be desired, for sure! Basically, all the BOR seems to have done is make the data inaccessible and offer some tips for those who may have been affected. How about STOP USING SOCIAL SECURITY NUMBERS AS IDENTIFICATION!!!

While researching this incident, I found a document titled "File Layout STS Student Transcript System". Data Element Name: State Identification Number --> Social Security Number, if available. Otherwise, a temporary number assigned according to LDE guidelines.

News: WDSU News Channel 6

Tuesday, July 17, 2007

Western Union Breach



Western Union admitted that personal data on as many as 20,000 customers was compromised through a poorly secured database accessed by “hackers”. Names, addresses, phone numbers, and credit card information are all among the data stolen in the heist.

I looked around the Internet for an official response from Western Union and found nothing. I did notice something ironic on their homepage, http://www.westerunion.com/ though.



The section labeled “Protect Yourself from Fraud” immediately caught my eye. I guess one thing you could do is not do business with Western Union, but this won’t help you much if you are already one of the unfortunate victims!

The “Standard” Response
There seems to be some “standard” responses amongst companies that are losing data belonging to their customers. Mind you it is easy to play “Monday morning quarterback” with security breaches, but honest public disclosure, tangible assurance and change, and open communication with my customers would be near the top of my response list.

Standard Response #1:
“We are not aware of any ID theft or any kind of fraudulent use that was made from this information.” This sounds eerily familiar. Certegy responded to their recent 2.3 million record breach with “No Fraudulent Activity or Identity Theft Detected” in their press release. To be honest this means nothing to me. Just because the company has not detected any fraudulent activity does not mean that none has occurred or that none will in the future as a result of the disclosure.

Standard Response #2:
“It (Western Union) also offered to pay for one year of credit monitoring to affected customers.” From the letter sent to the victims of the Pfizer breach (17,000 victims) “support and protection package includes a credit monitoring program for one year.” I do like how Pfizer has responded although there are rumblings that they took too long to notify victims.

Western Union Breach
As I stated earlier, I still cannot find any “official” response from Western Union, so it is hard to comment on their response. Among the things I would like to know are how the vulnerable database was accessed, what Western Union is doing to prevent future breaches, and any other information that can help me as a consumer feel confident that they take the security of my data seriously. The Certegy breach was a case of a criminal DBA; is this a case of a DBA with poor skills?

Content for this article refers to information originally reported by the New York Post, here.
Western Union has been in the news for a security breach before.


Feel free to comment!


Friday, July 6, 2007

When a DBA goes bad



What happens when a DBA goes bad? In the recent case involving Certegy Check Services (a division of Fidelity National Information Services), the confidentiality of 2.3 million consumer records containing credit card, bank account, and other personal information was compromised.

In the July 3rd press release:


“Fidelity National Information Services Announces Misappropriation of Consumer Data by Employee of Certegy Check Services Division

Data sold to Marketing Solicitation Companies;
No Fraudulent Activity of Identity Theft Detected”


The data was stolen and subsequently sold to data brokers by a high-level DBA at Certegy who was entrusted with defining and enforcing data-access rights. The DBA, a man named William Sullivan, also allegedly owns a side business named S&S Computer Services in Largo, Florida. Allegedly, Mr. Sullivan took the data out of the building "via physical processes", not by transmission.

How does a business protect itself (and customers)?
I can think of two things right off the bat; extensive employee screening for employees with access to sensitive information and segregation of duty.

Employee Screening
Obviously employee screening does very little to protect against someone who has never been caught or someone who goes bad after being hired, but it is a good precaution nonetheless. I would be surprised if this was the first thing that Mr. Sullivan had ever stolen or if this was the first time he had done something unethical if not illegal. Perhaps he would have been screened out, perhaps not. Screening is only one layer of defense.

Segregation of Duty
DBAs are very powerful people in most companies. A DBA typically has access to vast amounts of very sensitive data, defines who else can access the data, and also audits who has accessed the data! Bad news. As security professionals, we should never accept a single entity with all three of these rights. There are good products in the marketplace to audit what DBAs do. Any company storing sensitive (and/or regulated) data would do well to have their security personnel look into these products.
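The three rights named above (read the data, decide who else can, and control the audit trail) are a textbook toxic combination, and the place it usually slips through is role nesting: nobody granted all three directly, but one role inherits another. The following is an added example, not code from the original post or from any product: a small segregation-of-duty check over a constructed set of grants that expands roles and flags any principal whose effective rights cover the whole combination. Privilege and role names are assumptions, not any DBMS's real syntax.

```python
"""
Added example (not from the original post): a segregation-of-duty check over a
constructed set of database grants. It flags any principal who ends up with all
three of the rights the post says should never sit with one person: reading the
sensitive data, deciding who else may access it, and controlling the audit
trail of that access. Role nesting is resolved so that rights inherited through
roles are counted. Privilege and role names are assumptions, not any DBMS's
real syntax.
"""

# The toxic combination: holding all three rights at once.
TOXIC_COMBINATION = frozenset({"read_sensitive_data", "grant_access", "manage_audit_log"})

# role -> set of privileges and/or nested roles it confers (constructed).
ROLES = {
    "role_dba": {"grant_access", "role_data_reader"},
    "role_data_reader": {"read_sensitive_data"},
    "role_audit_admin": {"manage_audit_log"},
}

# (principal, role-or-privilege) direct grants (constructed).
GRANTS = [
    ("dba_alice", "role_dba"),
    ("dba_alice", "role_audit_admin"),   # toxic once roles are expanded
    ("dba_bob", "role_dba"),
    ("auditor_carol", "role_audit_admin"),
    ("analyst_dave", "role_data_reader"),
    ("analyst_dave", "grant_access"),
]


def effective_privileges(principal, grants=GRANTS, roles=ROLES):
    """Expand a principal's direct grants through nested roles into the flat set
    of privileges it can actually exercise. Cycles in role membership are safe."""
    pending = [item for who, item in grants if who == principal]
    seen, privileges = set(), set()
    while pending:
        item = pending.pop()
        if item in seen:
            continue
        seen.add(item)
        if item in roles:
            pending.extend(roles[item])
        else:
            privileges.add(item)
    return privileges


def find_toxic_principals(toxic=TOXIC_COMBINATION, grants=GRANTS, roles=ROLES):
    """Sorted list of principals whose effective privileges cover the toxic set."""
    principals = {who for who, _ in grants}
    return sorted(p for p in principals if toxic <= effective_privileges(p, grants, roles))


def missing_rights(principal, toxic=TOXIC_COMBINATION, grants=GRANTS, roles=ROLES):
    """Which rights from the toxic set a principal does NOT hold; with the split the
    post argues for, this list is never empty for anyone."""
    return sorted(toxic - effective_privileges(principal, grants, roles))


if __name__ == "__main__":
    for p in sorted({who for who, _ in GRANTS}):
        status = "TOXIC" if p in find_toxic_principals() else "ok"
        print(f"{p:14s} {status:6s} effective={sorted(effective_privileges(p))}")
```

Run against a real grant export, the interesting output is not the list of DBAs (they will all hold the first two rights) but whoever also lands in the audit-admin role; that is the account whose activity nobody independent can review, and the one to split first.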

Certegy
Although Certegy assures the public that no fraudulent activity has been detected with any of the personal information that was disclosed, there is essentially no effective way to prevent such things. Once confidential data is disclosed to unauthorized individuals, confidentiality can no longer be assured in any tangible manner. The best thing Certegy can do is take steps to ensure that this will not happen again and disclose to its customers what these steps are.

Certegy's Actions (thus far)
Certegy has filed suit against Mr. Sullivan in the case of Certegy Check Services Inc. v. William Sullivan, No. 076271CI13, Circuit Court, Pinellas County, Florida (St. Petersburg.)

NOTE: This really does nothing to protect the victims (consumers) and will do little to remedy the situation other than make people feel better that someone pays a price.

Certegy is implementing a fraud watch associated with the stolen records, and has notified credit-reporting agencies TransUnion, Equifax and Experian of the incident.

NOTE: TransUnion, Equifax, and Experian are three of the BIGGEST data brokers in the world! I would not trust them to do too much other than alert after the fact.

From Renz Nichols, president of Certegy Check Services "It's a reminder that the best security systems are not immune to rogue employees." I agree with Mr. Nichols in the respect that you cannot stop all rogue employees, but I think you can certainly do more to detect them.

