2009 To Be The Year Of...
If 2009 is going to be the year of anything, it may as well be the year of data loss, which conveniently has also been every year for the last few years.
Around the time of the inauguration of President Obama, came news of what could be the largest single breach of credit card information to date. The potential scope of the breach is staggering. With around 100 million transactions a month passing through systems belonging to Heartland, and malware in place to capture that data for an unknown period of time, there could be an immense number of cards and details that have been breached as a result.
Names, numbers and expiration dates were the information claimed to have been compromised, but it is easy enough to clone fake cards from this data, and with a range of other data that should be readily available to professional data thieves, sufficient information to reconstitute the missing cardholder data (which, it is claimed, has not been compromised).
The choice of the inauguration day for disclosure of the breach is seen by some as a method to play down the importance of what took place, or even to avoid the negative press and significant attention that have followed major breaches in recent years, such as that which followed the TJ Maxx data breach. Why the information was not made public when Heartland were initially made aware of the problem in 2008 is not known, but it is bound to come to light in the inevitable law suits that will follow.
More than 250,000 businesses across the United States were supplying transaction information to Heartland processing systems. What this means for consumers is that it isn't really a matter of where they went shopping, with so many retailers potentially having had transaction data intercepted the risk of a customer having their data intercepted is much higher than if a single retailer or retail chain was compromised (such as happened with TJ Maxx).
Another reason why this case is gaining some attention is the claim that Heartland were assessed as PCI compliant. Whether that compliance was still valid at the time of the ongoing data interception hasn't been made clear, but it has already split the Information Security community into two camps. Many PCI supporters are rushing to defend the system against claims that it doesn't really achieve much by way of actual security.
PCI DSS falls into the same sort of general traps as ISO 17799:2005 and ISO 27001. It is great to be able to wave a certification in the air as part of marketing claims, but when it comes down to actual implementation and effective security, doing what is necessary to meet certification isn't going to do much to stop what is, undoubtedly in the case of a financial payments processor, a motivated attacker. It may even provide the attacker with a clearer picture as to what assumptions the company has made in achieving certification and what they may or may not be observing with their ongoing security posture.
If you're a supporter of PCI, or even if you're not, it is prudent to at least be cognizant that PCI isn't a be all for Information Security. It can be extremely useful, when properly applied and understood, but it should never be used as a crutch to claim effective security procedures are in place.
If some of the other cases (breaches of USAJobs.gov and Monster.com) to receive coverage this month can be looked at as bellwethers of the year ahead, then 2009 is going to be another year where the Information Security industry will continue to be playing catchup and there are going to be many more high profile cases of massive data loss and compromise.
27 January 2009
Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis
Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.
Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.
Comments will soon be available for registered users.
Subscribe to our feed.