Entries tagged with “Data Security”.


A major national insurance company announced this week that its network had been compromised and more than 1 million customer records were stolen. Among the data included in the breach are “people’s names and a combination of Social Security numbers, driver’s license numbers, their date of birth, and possibly marital status, gender, and occupation, as well as the names and addresses of employers.”  A company spokesperson said that there is no evidence that credit card information or medical information was involved in the breach.  Affected individuals are being notified and offered free credit monitoring services.

It is interesting to note that this is the latest compromise in which sensitive personal information was stolen while credit card data seems not to have been involved.  A few months ago, South Carolina had a similar incident in which Social Security and banking information were compromised, while the encrypted cardholder data remained secure.  Now, I don't have any details or knowledge of these events beyond what is printed in the releases or articles, but it does leave me with a very important reminder: PCI DSS only addresses cardholder data, not any other sensitive personal information.  Birth dates, routing numbers, Social Security numbers and other sensitive data are left out in the cold with respect to PCI DSS, though they merit just as much, if not more, protection than cardholder data.

PCI DSS only applies to cardholder data.  It provides a baseline of protection for credit and debit card information.  Nowhere in its requirements does the PCI DSS require companies to protect social security numbers, bank routing information, birthdates or any other sensitive information.  Many companies take great pains to comply with PCI DSS and the standard has done a lot of positive things for an industry that desperately needed to implement strong security.  However, simply being PCI DSS compliant does not mean that all the sensitive data in an organization’s environment is protected.  A serious obstacle to overall security arises when companies believe that compliance with PCI DSS equates to security.

PCI DSS provides a good launching point for security initiatives.  Many of the requirements contained in the standard are best practices (if not outright requirements) for other types of data as well.  It is tempting, particularly with so much focus on compliance, to concentrate on PCI DSS and cardholder data to the exclusion of everything else.  It's important to remember, though, that companies have many types of data in their networks.  Companies would be well served to conduct a data inventory and find out what they really need to keep and what they don't.  If it is needed, it should be adequately protected.  If it is not needed, it shouldn't be stored.  Excess data is excess liability.
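The data inventory described above is easier to argue for when it is concrete. The following is an added example, not code from the original post: a small scanner that walks exported records, recognizes cardholder data (PAN by length plus Luhn check), Social Security numbers (format plus the area/group/serial rules), bank routing numbers (ABA check digit) and dates of birth, and then tags each field as "protect" (the business needs it) or "purge" (it is stored without a need). The sample rows, the field names and the `NEEDED_FIELDS` allowlist are constructed for the example; the point is that the inventory covers the data PCI DSS ignores, not only the PAN.

```python
import re
from collections import defaultdict
from typing import Dict, Optional

# Constructed sample export (fictional values); stands in for a CSV dump or a
# database table in a real inventory.
SAMPLE_ROWS = [
    {"name": "A. Customer", "ssn": "123-45-6789", "card": "4111 1111 1111 1111",
     "routing": "123456780", "dob": "1970-01-02", "employer": "Example Co"},
    {"name": "B. Customer", "ssn": "321-54-9876", "card": "5500 0000 0000 0004",
     "routing": "123456789", "dob": "02/03/1981", "employer": "Sample LLC"},
    # Values that look sensitive but fail their check digits or format rules.
    {"name": "C. Customer", "ssn": "000-12-3456", "card": "4111 1111 1111 1112",
     "routing": "", "dob": "n/a", "employer": ""},
]

# Hypothetical business decision: which fields this organization actually needs.
NEEDED_FIELDS = {"name", "ssn", "dob"}

# SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"^(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}$")
DOB_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}|\d{2}/\d{2}/\d{4})$")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def aba_valid(routing: str) -> bool:
    """ABA routing number check: 3,7,1 weights over the nine digits, mod 10."""
    if not re.fullmatch(r"\d{9}", routing):
        return False
    d = [int(c) for c in routing]
    checksum = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return checksum % 10 == 0


def classify(value: str) -> Optional[str]:
    """Return the kind of sensitive data a single value looks like, or None."""
    v = value.strip()
    if not v:
        return None
    compact = re.sub(r"[ -]", "", v)
    if compact.isdigit() and 13 <= len(compact) <= 19 and luhn_valid(compact):
        return "pan"
    if SSN_RE.match(v):
        return "ssn"
    if aba_valid(compact):
        return "routing"
    if DOB_RE.match(v):
        return "dob"
    return None


def inventory(rows, needed_fields) -> Dict[str, dict]:
    """Count sensitive-data hits per field and decide protect vs. purge."""
    found = defaultdict(lambda: defaultdict(int))
    for row in rows:
        for field, value in row.items():
            kind = classify(value)
            if kind:
                found[field][kind] += 1
    report = {}
    for field, kinds in found.items():
        action = "protect" if field in needed_fields else "purge"
        report[field] = {"types": dict(kinds), "action": action}
    return report


def mask(value: str) -> str:
    """Display form for retained sensitive values: last four digits only."""
    compact = re.sub(r"[ -]", "", value)
    return "****" + compact[-4:]


if __name__ == "__main__":
    for field, info in inventory(SAMPLE_ROWS, NEEDED_FIELDS).items():
        print(f"{field:8} {info['types']}  -> {info['action']}")
```

In a real run the rows would come from each data store in turn, and the "purge" list is the cheapest security win available: data that is deleted cannot be breached. The check digits matter because a column full of nine-digit numbers is not necessarily routing numbers, and the SSN format rules cut down false positives from phone numbers and account IDs.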

“The times are tough now, just getting tougher  - This old world is rough, it’s just getting rougher - Cover me, come on baby, cover me” – Bruce Springsteen 1984

Businesses work very hard to build their brand.  Small businesses are no different.  Establishing trust and loyalty among the customer base is essential to the longevity of any business.  Many companies focus on marketing and sales relationships to ensure that the connection between customer and company continues to grow.  Social media, direct mailings, radio and TV advertising, print advertising, and data security and privacy policies all contribute to the growth of brand trust.  Wait a minute!  Did I say data security and privacy policies?  You betcha!  This is what I like to refer to as "brand security."  Businesses spend an inordinate amount of time and money on establishing a brand that customers trust.  One of the fastest ways to lose that trust is to suffer a data security breach or to violate customer privacy.  For that reason, I often refer to data security and privacy programs as "brand cover."

I'm going to borrow heavily, and probably poorly, from law enforcement and military operations here.  When you go into action, you generally have a forward team and then you have a team that provides "cover."  That team keeps an eye out for threats that may not be visible or apparent to the forward team but that pose significant risk.  In the business world, one can think of sales and marketing efforts as the forward team, while data security and privacy programs provide the cover.  Your marketing and sales efforts move the company forward and increase awareness.  Your data security and privacy programs help to mitigate unseen, and sometimes unknown, risks to your brand's integrity.  In fact, some larger organizations, particularly not-for-profits, are more concerned about brand damage in the event of a security or privacy compromise than they are about the fines that may come with it.

For small businesses, implementing and enforcing data security and privacy policies can seem daunting.  The Better Business Bureau, though, has put together a primer for businesses to help them develop these programs.  If you accept debit and credit card transactions, you can look for services to help minimize how much of that sensitive payment data your business stores.  You can also undertake an inventory to see just what data you are collecting and storing and how you are protecting it.  You can also evaluate the partners that you use and how you share data with them. Understanding your data can ultimately serve as a very effective means of protecting your company, your brand, and your customers.

Barnes and Noble has reported that PIN entry devices in dozens of its stores have been hacked.  According to the company, one device in each of 63 different stores had been compromised.  The company said that its website and purchases made on the Nook were not affected by the breach.  Reports indicate that the stores involved were located in California, Connecticut, Florida, Illinois, Massachusetts, New Jersey, New York, Pennsylvania and Rhode Island.  B&N is working with banks to notify affected customers.  The company acted swiftly in disconnecting the devices in all of its more than 700 stores once the breach was discovered.  Further, the company changed the process for paying by card to one it believes is more secure: rather than swiping the card on a customer-facing device, the consumer now hands the card to the cashier to be swiped.

There are two security issues at play here. The first is the question of physical security.  How many times have you walked into a grocery store, or any store for that matter, and used the PIN pad device without the assistance of the clerk?  While that certainly adds convenience, it can also introduce risk.  The following video demonstrates just how easy it can be to compromise a PIN pad machine.

As you can see, without proper physical security, attaching a skimming device or tampering with the machine can take just a matter of seconds.  If you are accepting cards, it is vitally important to think about the physical security of the data as well as the technical security.  If you use a mobile device, ensure that it is with you at all times; if it is not with you, it should be locked in a secured location.  If you are using a point-of-sale solution or a PIN pad device, make sure that it is secured to the counter and that you can tell whether or not the device has been altered (a record of each device's serial number and a periodic check for added hardware or broken seals is the usual way to do this).  In the video above, the clerk noticed that the machine had been tampered with and was able to prevent the theft of data.

The second issue at play here is the technical aspect of security.  This is of particular consequence because thieves who are able to capture full track data from the card can manufacture counterfeit cards, and the volume of fraudulent transactions then increases significantly.  To counter this, the PCI SSC has published a number of documents specifically aimed at securing PIN entry devices.  You can find all of the PCI SSC security documents in the Document Library section of their website.

Security of transaction data is not an "online only" problem.  Thieves are able to turn physical tampering with a terminal into credit card fraud.  That means the physical instruments we use to accept card transactions must be afforded the same level of protection as the systems in which we store that data (e.g. databases or POS applications).

Pardon the pun, but it seems that another day brings us news of yet another data breach.  In this instance, Northwest Florida State College has suffered a network breach that resulted in the compromise of an estimated 200,000 student records dating from 2005-2007.  As first reported, the compromise was believed to have been isolated to college employees, with even the president of the school reporting identity theft.  What's worse is that the data thieves are not being shy about parlaying the theft of data into outright identity theft and larceny.  In fact, more than 100 employees have reported withdrawals from their bank accounts.  According to college president Dr. Ty Handy, "The more common mechanism is to go through a loan company and to secure a loan and to have that loan payment come directly out of the bank account…That's how I was hit."

This compromise is, in many ways, worse than having one's credit card compromised.  In this instance, stolen data included Social Security numbers, banking information, and birth dates.  That is not just enough information to max out a credit card, but enough to access bank accounts and even to establish new lines of credit.  The question that comes to mind as a result is: how should consumers (or even businesses) protect themselves against this type of attack?  There are a few ways to do so, some of them more onerous than others.

1) Monitor financial accounts - this step is something that is, surprisingly, often overlooked.  However, keeping an eye out for odd looking transactions can help to identify this type of theft and allow you to take action quickly.  Thieves and fraudsters bank (often literally) on the idea that their victims aren’t paying close attention.  So they run “test” transactions to see if they can get away with it.  Sometimes, thieves will hold data for more than a year before testing it, just to lull the victim into a sense of security.

2) Place a credit freeze - a credit freeze allows you to control third-party access to your credit file.  If a lender cannot access your credit history, then it cannot extend a new line of credit in your name.  If you are concerned that you might be a victim of a data compromise or identity theft, this can be beneficial.  There are downsides, though.  Most notably, it can make it more difficult for you to open new lines of credit should you want or need to do so.  The credit freeze, which must be placed with each of the credit reporting agencies, remains in effect until you lift it.

For more information on how to detect and respond to identity or financial fraud, check out the Federal Trade Commission’s Identity Theft website.

October is National CyberSecurity Awareness Month (NCSAM).  This year marks the 9th year that the Department of Homeland Security, the National CyberSecurity Alliance, and the Multi-State Information Sharing and Analysis Center have sponsored a series of events designed to raise public awareness of cybersecurity issues.  This year, the overall theme of the month is “Our Shared Responsibility.”  The intent is to get everyone thinking about how he or she can protect data, not simply relying on businesses to do so.  According to the DHS, “Emerging cyber threats require engagement from the entire American community—from government and law enforcement to the private sector and most importantly, members of the public – to create a safer cyber environment.”

Each week, the DHS will focus on a different aspect of cybersecurity.  The first week focused on general awareness.  To do so, DHS has created a “Stop. Think. Connect™.” campaign.  The idea behind the campaign is to urge consumers to think about how their online actions could impact their privacy and the security of their own personal information.  The DHS website provides consumers with some tools and resources that can be used to increase the security of the online experience.

Week two, this week, focuses on law enforcement efforts to halt cybercrime.  This includes efforts on both the state and federal level to increase resources devoted to catching and prosecuting data thieves that target corporate networks. Importantly, though, it also includes efforts to stop criminals that are targeting consumers through “spearphishing” and social media fraud.

The third week will focus on industry efforts, such as the PCI DSS, to fight cybercrime and to ensure that consumer data is adequately protected. Cybersecurity is also a major concern of small business owners, who struggle to balance the risk associated with a data compromise, with limited resources.  The DHS has provided a list of resources for small business that are looking for help in managing their data protection and cybersecurity efforts.

The last week of NCSAM focuses again on education and awareness.  The twist here, though, is that the focus is on training the "next generation" of cybersecurity professionals.  It includes lesson plans for students in K-12 to help create a cultural and generational knowledge of cybersecurity.  In an era in which nation-states are sponsoring and hiring cyber warfare operators, one can see how becoming a country with bountiful cybersecurity resources can help secure the future.