Hiding the Truth About Breaches
Despite the increased attention and publicity given to reports of identity-related data thefts and losses from American (and now global) companies, including legislation that forces notification of the individuals affected, the true extent of a breach sometimes does not surface until long after the initial disclosure.
When retailer TJX was hacked, it initially reported that just over 45 million credit card records had been affected over a period of roughly a year and a half. That alone marked the largest data security loss to date, but things were only going to get worse for the company. Unlike most recently reported disclosures (theft of systems or loss of backup tapes), the TJX loss was the result of a direct attack against its backend systems, so it was always possible that the attackers had access to more information than was initially let on.
That now seems to be the case, with TJX acknowledging that data on more than 100 million accounts was compromised as part of the ongoing attack. With indications that the attack was a targeted effort (i.e. not the result of someone casually looking for a loophole), many are concerned that a large share of these records will be put to criminal use in the near future. Attackers are believed to have first gained access through weakly configured wireless access points protected only by WEP, a protocol whose keys were already known to be recoverable from captured traffic well before this attack, and data from the breach has already begun surfacing in criminal hands across the US and the globe. With more than 80 GB of data tracked leaving the TJX network over high speed connections, there are concerns about how much additional data left the network untracked.
Making matters worse was evidence of a network sniffer installed on the TJX network by the attackers, allowing capture of credit card data as it crossed the TJX network, because that data was being passed in the clear. TJX had failed nine of the twelve major assessment areas for PCI compliance. Perhaps this painful lesson will be a wakeup call for other companies to take greater care with their Information Security needs, since failure to pay adequate attention to those needs can have calamitous results. With IT budgets seemingly never big enough and Information Security only a subset of that budget, companies really need to be sure that they are devoting the right level of resources to achieve the results they need (though, if Gartner is to be believed, proper budgets alone will not produce appropriate results, a view not everyone shares).
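To make the "passed in the clear" point concrete, the following is an added example (not code from the original post, and not the attackers' tool): a minimal Python scanner that does what a sniffer on a flat internal network does once it has packet payloads, namely pick out Luhn-valid card numbers from raw bytes. The payloads are constructed samples standing in for captured traffic; the host name, field names and card numbers are assumed test values. Run against your own captures (for example, payloads pulled from a pcap) it doubles as a quick check for whether PANs are crossing your network unencrypted.

```python
import re

# Constructed sample payloads, standing in for what a sniffer would see on a
# network segment where point-of-sale traffic is not encrypted. The host name,
# field names and card numbers are assumed test values, not real data.
SAMPLE_PAYLOADS = [
    # Cleartext HTTP authorisation request carrying a PAN (assumed format).
    b"POST /auth HTTP/1.1\r\nHost: pos.internal\r\n\r\n"
    b"pan=4111111111111111&exp=0709&amt=4999",
    # Raw track-2 style data: PAN, separator, expiry, service code.
    b"track2=;5500000000000004=0811101...?",
    # A 16-digit reference number that is NOT a card number (fails Luhn).
    b"order=12345 total=77.10 ref=1234567890123456",
    # Binary junk such as an encrypted record: nothing recoverable here.
    b"\x02\x00TLS-looking blob \x17\x03\x01\x00\x20...\x03",
]

# Candidate PAN: a run of 13 to 19 digits not adjacent to other digits.
CARD_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(payload: bytes) -> list:
    """Return every Luhn-valid digit run in a raw payload, in order of appearance."""
    return [m.decode() for m in CARD_RE.findall(payload) if luhn_ok(m.decode())]


def mask_pan(pan: str) -> str:
    """Keep only the last four digits so the scanner's own output is not a new leak."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_payloads(payloads) -> list:
    """Return (payload_index, masked_pan) for each PAN found across all payloads."""
    hits = []
    for idx, payload in enumerate(payloads):
        for pan in find_pans(payload):
            hits.append((idx, mask_pan(pan)))
    return hits


if __name__ == "__main__":
    for idx, masked in scan_payloads(SAMPLE_PAYLOADS):
        print(f"payload {idx}: cleartext PAN {masked}")
```

The scanner needs no protocol parsing at all: it treats the payload as opaque bytes, which is exactly why transport encryption (TLS on the wire, or encrypting the PAN at the point of capture) matters more than any attempt to hide card data in an unusual message format. The Luhn filter removes most false positives from order numbers and timestamps, as the third sample shows, and masking the output is deliberate, since a detection tool that logs full PANs recreates the problem it is meant to find.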
29 October 2007