Wednesday 21 January 2009

Retail Therapy

It is certainly shaping up to be a good week for TJX.

As the whole world enters a new era with the inauguration of US President Obama, TJX’s world view has improved in ways they would not have predicted a few months ago.

On one hand, the company holds its long-anticipated “Customer Appreciation Sale” to our appreciation to customers for their continued support and patronage following the criminal attack(s) announced on our computer systems two years ago (Their words). This event is part of their court settlement, linked to what was then the biggest ever data breach. They are offering a 15% discount off any purchases in their stores, apparently.

On the other hand, it seems their not-at-all-jealously-guarded record may well have been taken from them in the same week, with the colossal breach at Heartland Payment Systems, whose attempt at news management seems to have backfired. They have been castigated widely not only for the breach, but for their crass attempt to bury the news in Inauguration Day.

It’s a great week for TJX, then. They have the prospect of the security world switching its byword for a huge breach from “TJX” to “Heartland” at the same time as they get publicity for a 15% sale. Now I maybe a touch cynical, but in the current economic climate anyone who only gets a 15% discount off any High Street retailer is not really trying very hard.

But what does this tell us about lessons learned in IT security? Two years on from the TJX breach, an even bigger incident, sounding remarkably similar in nature from initial reports, hits the headlines. Both firms promised to invest heavily in new security straight after the event. Isn’t it time for increased corporate accountability? And isn’t PCI supposed to ensure we avoid events such as these?

We don’t know much yet about the details of the Heartland breach, but the ramifications have to extend beyond the company itself. In the meantime, while we wait for the details, let’s smile for TJX who are having a really good week.

Paul Davie

Billion Dollar Breach

The World’s First Billion Dollar Breach?

The Heartland breach could be ushering in the next wave of major criminal security breaches, targeting credit card processors, which deal with a much higher volume of stored credit card data than traditional retailers. Although the company has not indicated exactly how many records have been compromised, and they may not know, Heartland has acknowledged processing 100 million credit card transactions each month and other sources suggest as many cards may be at risk.

The cost for replacing a credit card is around $15, apparently. So, the breach at Heartland could cost credit card issuers $1.5 billion in replacement costs alone – ignoring the impact of any fraudulent transactions. Even if a much smaller fraction of the processed records was affected, the cost will still run into hundreds of millions of dollars. To put the cost into context: This is TJX on steroids.

The question is: who will end up paying these clean up costs? It seems unlikely Heartland will carry them all, though the breach occurred on their watch. Initially, the credit card companies bear most of the cost, but they will undoubtedly seek to pass these fees on to insurers, merchants and consumers alike.

At least Heartland is seeking to shut the door after the horse has bolted – a well-trodden security path. They claim to be implementing “a next-generation program designed to flag network anomalies in real-time” which is to be welcomed. Such new behavioural-based approaches are essential to spot the kind of sophisticated exploits which so easily defeat discredited signature-based systems.

Friday 16 January 2009

Finally Data Security matters enough to be National Policy

In the US this week, two seemingly unrelated news items point to the increasing importance of data security as a matter of national policy. The first is President-elect Obama’s choice for a Chief Technology Officer, and the second is the Pentagon’s move into cloud computing.

The Chief Technology Officer is a new role in the US government, and the job is getting a lot of press. It is still unclear whether US CTO will have policy setting ability and will oversee cyber-security, as rumors abound of an additional “Cyber-Security Tsar” in the White House. Having a CTO who cannot set policy and oversee national data protection would be devastatingly shortsighted.

The Pentagon’s move into cloud computing comes after the organization made a widely publicized move to ban all USB and portable storage devices. After making an historic attempt to protect is data, the Pentagon could now be placing its data at risk “in the cloud.”

Cloud computing is not secure by nature. Without additional protection from internal and external threats, the cloud environment could be very susceptible to breaches. This is because the environment is many times a “one-stop shop” for every piece of confidential organizational data.

What the CTO and Pentagon – and every organization for that matter, need to do is approach any initiative involving digital data with security as a first priority. The past year shows us the mistake of security as a last check-box item or an afterthought.

Monday 12 January 2009

Is data security an Inverse-Square law?

We are all taught at school that many physical processes follow an inverse-square law. For instance, the force of gravity between two masses becomes four times weaker if the distance between them doubles. Similarly, the electric force between two charges also obeys such a law. I am beginning to wonder whether the effectiveness of data security also diminishes with the distance the owner is from the data.

The report produced by PwC shows that the data protection habits of hundreds of financial services firms are deteriorating. Around a half of those companies surveyed said that the data hygiene required of their out-source providers was not at the same level that the companies require internally.

Although it seems that the effectiveness of data security diminishes if the data is outsourced, the original data owners believe otherwise. It is amazing that even without performing any due diligence around 80% of firms were “somewhat” or “very” confident in the security practices of their outsourcer.

How many links are there between the personally identifiable data you collect about customers and where it is held? Consider the SI who now owns and operates the data center. What about the data kept in the emerging “cloud”? Don’t forget to add an extra amount of “data distance” for where the backups are held.

What is the true effectiveness of the data security now?