So, the New Year started with a yet another story of failed data protection here in the UK. Though the actual attack happened a few months ago, details about the data breach at travel insurer, Staysure, painted a rather unsettling picture of lax security procedures – particularly with regard to something as sensitive as payment card data.
Apparently, while the stolen card details were encrypted, the CVV numbers had no such protection and, as a result, were left wide open to the bad guys. The long arm of standards like PCI DSS – which coincidently prohibits the storing of CVV numbers – may console some of the affected customers in that it can penalise the businesses that fail to comply. However, as we at Vormetric know all too well, compliance does not equal security.
Turning to the other side of the Atlantic, the reports of a swathe of data breaches at eminent retailers has also done little to banish the January blues. First, more details are emerging about the Target data breach incident regarding RAM scraping and losses from databases, and is not thought to have affected some 70 million customers. Interestingly, the latest news is that the merchant is to invest $5m in a cyber security education campaign, suggesting that a social engineering campaign, like a phishing attack, was at the root of this attacker getting his/her/their hands on the retailer’s database.
Unfortunately, the data breach round-up doesn’t end there! Customers of luxury retailer Neiman Marcus were also affected by a breach in the run up to Christmas. A coincidence of timing, perhaps? But that will matter little to the now millions of shoppers whose sensitive credit card data and other information is now in the hands of nameless, faceless cyber-criminals. Late news is also that this may extend beyond Target and Neiman Marcus to an additional three US retailers as well.
Once again we are reminded that it just isn’t enough to build a wall around your database, as hackers know that data the held within cannot defend itself. The truth is, we must completely rethink our approach to security, as our most valued asset is often the least protected – essentially, data is just a sitting duck as soon as the network perimeter is compromised.
If you haven’t made your New Year’s resolution just yet, then maybe this should be it: data-centric security.