December 21, 2005, 3:05 am
Imagine the gut wrenching feeling when Guidance Software employees
discovered that their customer database information had been hacked and
nearly 4,000 credit card numbers stolen. That's bad enough, but these
aren't just any customers.
Guidance Software sells forensics tools and services. They, or their
tools, often provide the evidence needed to prosecute hackers, and their
products are highly regarded. Their customers aren't just your normal
customers either. Many are law enforcement agencies, such as the FBI,
Secret Service, New York Police Department, U.S. military, etc. Many
have now had their credit cards fraudulently charged tens of thousands
To make matters worse, Guidance stored the customer records in
unencrypted databases and kept the records indefinitely. CVV (Card
Verification Value) numbers, meant to thwart thieves, were apparently
kept with the credit card numbers (which Visa and MasterCard don't
allow). The break-in wasn't discovered for two weeks, so the intruders
had plenty of time to run up large bills. To Guidance's credit, once
they discovered the crime they notified law enforcement and their
customers almost immediately. But the damage was already done.
This break-in is only one of many high-profile cases this year.
LexisNexis admitted that hackers stole the credit card information of
more than 300,000 consumers. The credit card processing company
CardSystems exposed personal data from about 40 million customer
credit cards. Several companies in recent years have had tape backups
with customer data disappear.
The lesson should be that there are no shortcuts to IT security. As
painful as it may be at first, do things correctly: encrypt sensitive
data, practice separation of duties, audit your security often, hire
outside companies to perform your penetration and vulnerability tests,
etc. One incident like the ones described above can cause severe
damage to your company's reputation that can last for years.
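The three storage failures called out above (plaintext card numbers, CVVs kept alongside them, records retained forever) are exactly what a periodic data audit should catch. The following is an added example, not anything Guidance or the post's author published: a Luhn-based scan over constructed sample rows, plus the shape of record that should have been stored instead. The retention window and the token key are assumptions for illustration.

```python
import hmac
import hashlib
from datetime import date, timedelta

# Constructed sample rows standing in for a customer table; not real card
# data and not from the Guidance Software incident.
SAMPLE_ROWS = [
    {"id": 1, "card": "4111111111111111", "cvv": "123", "created": "2005-06-01"},
    {"id": 2, "card": "tok:3f9a1c22d0b4e7f8", "created": "2005-12-10"},  # already tokenized
    {"id": 3, "card": "5500000000000004", "created": "2003-01-15"},
]
RETENTION_DAYS = 365                # assumed policy value, not stated in the post
TOKEN_KEY = b"demo-key-rotate-me"   # placeholder; a real key lives in a KMS/HSM

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: distinguishes real-looking card numbers from random digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def looks_like_pan(value) -> bool:
    """True for a 13-19 digit string that passes Luhn, i.e. a probable plaintext PAN."""
    return isinstance(value, str) and value.isdigit() and 13 <= len(value) <= 19 and luhn_ok(value)

def audit_row(row: dict, today: date) -> list:
    """Return the storage-policy violations found in one stored row."""
    findings = []
    if looks_like_pan(row.get("card")):
        findings.append("plaintext PAN")
    if "cvv" in row:                # the CVV must never be persisted at all
        findings.append("CVV retained")
    if today - date.fromisoformat(row["created"]) > timedelta(days=RETENTION_DAYS):
        findings.append("past retention")
    return findings

def audit(rows, today_iso: str) -> dict:
    """Map row id -> findings for every row that violates at least one rule."""
    today = date.fromisoformat(today_iso)
    return {r["id"]: f for r in rows for f in [audit_row(r, today)] if f}

def sanitize_for_storage(pan: str, created_iso: str) -> dict:
    """What should have been stored: a keyed token and the last four digits, no CVV.
    The CVV is used only during the live authorization and is never passed in here."""
    token = hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()[:16]
    return {"card": "tok:" + token, "last4": pan[-4:], "created": created_iso}

if __name__ == "__main__":
    for row_id, problems in audit(SAMPLE_ROWS, "2005-12-21").items():
        print(row_id, problems)
```

Run against the sample rows as of the post's date, rows 1 and 3 are flagged (row 1 for a plaintext PAN plus a stored CVV, row 3 for a plaintext PAN past the retention window) while the tokenized row passes; a record produced by sanitize_for_storage passes every check.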
New regulations such as Sarbanes-Oxley and HIPAA are meant to help
protect shareholders, consumers, patients, etc., but they are only
effective if management and IT departments take security compliance
seriously.
--- John Herron, CISSP