It’s official -- credit card security is no longer simply about WWII style “encryption” defenses, “it’s all in the database”. So says the information security industry’s “rock-star” Bruce Schneier. Bruce was being interviewed at this year’s RSA conference and was asked about the confidence of online shopping now that some “doubts” have arisen over the SSL encryption.
True to form, Schneier went straight to the heart of the matter stating that the problem is not about “eavesdropping” but rather it is about hacking the “endpoint”. It is clear that the database is the endpoint holding the potent information – including credit card information – and this remains the lucrative target for hacking.
Too many easy routes to the database exist – usually due to poor practice. Attackers who compromise databases get more than the data held inside. They get a completely privileged jump-off point, deep within the corporate network. This is what Heartland discovered – after 130 million card details left. I am sure that they would agree with Bruce that “It’s all in the database” – except when a complete copy has escaped!
Monday, 8 March 2010
Monday, 1 March 2010
Check-in to your hotel – and let hackers check-out with your credit card
According to reports, sometime between October 09 and January of this year, hackers broke into databases associated with the Wyndham Hotels and Resorts (WHR). This is the third time that the hotel chain has suffered a data breach within a year, and this time the hackers stole customer names and payment card information. What the hotel is saying through an open letter and associated FAQs creates more questions about how exactly this company is safeguarding all data and what rights (if any) customers have to knowledge of data theft affecting their accounts.
In its FAQs, the hotel states that guests who had stayed at a Wyndham hotel contacted the chain regarding fraudulent use of their cards. Based on this feedback, the hotel went back through its system and discovered the breach. In simple terms, the hotel was not aware of the breach until the data had been stolen and used fraudulently. It would seem that the next logical step that the chain would take would be to notify all of the owners of the compromised data, which the hotel has identified.
What Wyndham did instead was to inform the Secret Service and to provide the card information to the credit card companies, advising them to watch for suspicious activity. Wyndham claims that it does not have the addresses of the affected individuals, so it cannot contact them. It would seem that the hotel chain is shifting the burden to the card companies and doing only what is legally required. The people who suffer are the customers, who need to check their bills for fraudulent charges or hope that the card companies are checking for suspicious activity. It would seem that every customer should have the right to know immediately if his/her data has been stolen.
As for the hotel’s mention of hiring a PCI firm to check the revised security, the hotel could very well have been PCI compliant at the time of the breach. PCI does not equal safe data.
Monday, 22 February 2010
The lessons from the Kaiser Permanente breach
Last year, a data breach involving close to 30,000 Kaiser Permanente employees in California was discovered when the suspect’s home was searched for unrelated reasons and authorities found evidence that the data of Kaiser employees had been stolen. The evidence came in the form of dozens of driver’s licenses and credit cards in the names of the Kaiser Permanente victims, whose addresses, date of birth, and social security numbers had been included in the data stolen. Much has been made of the items the suspect allegedly purchased using the stolen data, which included designer dogs and gift cards to expensive stores. The real news item for those in the security industry is how the data was obtained, how easily it was shared, and the inexplicable lapse in time between when the data theft was discovered and the suspect was stopped.
The main suspect in the data theft ring worked for a third-party that had access to the Kaiser employee files. When a third-party has access to confidential data, the risks to that data rise considerably. In the case of Kaiser, the employee information was allegedly downloaded and distributed in a file that was only 17 megabytes in size and, therefore, easy to transport and share. From there, the data was used to obtain driver’s licenses, credit cards and other items.
To put this case in perspective: the breach occurred in 2007, and the theft was discovered in 2008 during an unrelated search of the suspect’s home. Kaiser employees were notified in February 2009. For a number of reasons, including the suspect’s involvement in multiple crimes and the involvement of numerous law enforcement offices, the suspect continued to use the data until February of this year. Kaiser offered the employees a one-year credit monitoring package – 2009 until 2010. Since the suspect was using the data as recently as this month, those who suspect that they have been affected will need to continue to monitor their credit.
This case shows the need for a unified investigative process and ownership among law enforcement, the importance of knowing what data is being accessed and by whom at the corporate level, and the need for accountability when a data theft occurs. Next month, we will see the Massachusetts Data Privacy Law go into effect, mandating that any entity that stores or transmits residents’ personal information encrypt the data when it is stored on personal devices or transmitted over the Internet. This is a great first step in what will become an international drive to protect individual data.