During the holiday season, I was discussing with friends and family about some of the high profile breaches as of late. As I discussed in my December blog post, data breaches are on a roll that shows absolutely no signs of slowing down. While we’ve yet to see anything of Snowden proportions in the first month of 2014, recent revelations about major data breaches during the holiday retail season tangibly underscored how vulnerable consumer data can be, even in the hands of very large and reputable retailers.
Now, while I appreciate the free credit monitoring that Target is offering to customers, I would rather see Target implement a multi-layered security approach that works from the “inside out,” putting the first line of protection around the data itself. When the breach first broke, it looked as though the total loss was 50 million sets of credit card data. For this, the hackers used a RAM scraper to get access to the information on credit cards’ magnetic strips. PCI compliance only requires end-to-end encryption, so valuable data can remain exposed at endpoints. A bit later, it was also disclosed that another 60 million records were compromised, including email accounts, addresses, and more. The kind of information found in databases and other back end systems. American credit cards are worth 50 cents each on the black market, so stealing credit card data becomes a lucrative business pretty quickly … not to mention when you can steal 110 million of them.
And, if you think that credit card breaches are just a plague upon high-volume low-end retailers, think again. The Rolls Royce of department stores, Neiman Marcus, revealed that hackers recently compromised 1.1 million credit and debit cards of its clientele. It appears as though that particular breach occurred because malware was installed in the terminals. As my colleague Sol Cates talked about earlier this week, the malware now coming into view is angrier, smarter and tougher. This means that traditional malware prevention methods are becoming less and less effective, which makes putting encryption as close to the data as possible a business imperative for every major retail brand.
But, as recent headlines around the world show, it’s not just retailers, who need to address the problem. A lone hacker working for 11 months as a Korea Credit Bureau contract technician in the fraud detection department leaked data from some 105 million South Korean accounts, including names, credit card and bank details, passport numbers and contact information. Ironically, this contractor was hired to improve the credit bureau’s security. Since the contractor could see the data in clear text, he was able to download the data, put it on a portable disk and sell it. Not exactly Edward Snowden, but hugely damaging to the Korea Credit Bureau and a cautionary tale about the risks of having privileged users who can access sensitive information in the clear.
And Europe is hardly immune either. UK-based travel insurance provider Staysure had sensitive credit card data for just under 100,000 customers stolen this month. The card numbers themselves were encrypted, but the CVV codes and the other customer data was not. (It’s worth pointing out that PCI DSS does not allow vendors to store CVV numbers.) In this case, Staysure was not meeting the basic compliance standard, but if we’ve learned anything from Target and Neiman Marcus, it’s that compliance does not equal security.
In our increasingly interconnected world, data breaches will continue to cause major headaches for companies in virtually every industry. In fact, according to our 2013 Insider Threat Report, a whopping 73% of organizations fail to block privileged user access. The gains are just too lucrative for the criminals to ignore. Unfortunately, data cannot defend itself, so companies around the globe will have to take an “inside out” approach to protecting their sensitive data — and with it their brand integrity.