Tuesday, 18 August 2009

The aftermath of the largest data breach ever

Two unseen computer users in Russia along with a colleague in Miami decide to set up a sting. They are after the millions of credit card numbers stored across retail servers. The US person does reconnaissance at the stores to see what type of protection they have. The team then cross-references this information with the types of protection referenced on the companies’ web sites and starts a series of strategic attacks to gain entry to the networks using SQL injection, which exploits a vulnerability in the database layer. Once in, they place sniffers and malware on the network, capturing credit card data and sending it to servers in the US, the Netherlands and Ukraine. They communicate by IM, use proxy servers, and change their online identities frequently. Over the course of two years, they steal 130 million records, the majority of which are sold. What sounds like a hit summer movie is, in actuality, the detail outlined in an indictment released today in New York against the hackers who breached Heartland, among others.

If we look at this breach as the work of a clever group of renegades, we are missing the point. These breaches show the value our financial data holds and how little control we ultimately have over it. Before we get dazzled by the locations, methods and number of credit cards hacked, we should ask why the data was not encrypted or did not have other protection mechanisms in place.

This type of defect is all too prevalent in the low-quality IT systems in which we blindly place our trust. We can be sure that the biggest breach is yet to come!