Last week, Albert Gonzalez was sentenced to 20 years in prison for his part in the hacking of more than 90 million credit and debit card numbers from TJ Maxx and other retailers. What makes this sentence unique is that it fits the severity of the crime. Gonzalez and his conspirators went after financial data with the intent to use it fraudulently. His knowledge of enterprise network weaknesses and how to exploit them made him no different from a common bank robber who plans a heist. Unlike the common bank robber, however, Gonzalez had technology that shielded his involvement and made him anonymous – allowing him to rob remotely.
We can expect these types of attacks to continue, given the potential reward. With many of the perpetrators geographically dispersed, nations need to have a no-tolerance policy toward this type of attack and be ready to do whatever it takes to bring the parties involved to justice. In the case of Gonzalez, the sentence is a good first step and should prove a deterrent.
Monday, 29 March 2010
Monday, 1 March 2010
Check-in to your hotel – and let hackers check-out with your credit card
According to reports, sometime between October 09 and January of this year, hackers broke into databases associated with the Wyndham Hotels and Resorts (WHR). This is the third time that the hotel chain has suffered a data breach within a year, and this time the hackers stole customer names and payment card information. What the hotel is saying through an open letter and associated FAQs creates more questions about how exactly this company is safeguarding all data and what rights (if any) customers have to knowledge of data theft affecting their accounts.
In its FAQs, the hotel states that guests who had stayed at a Wyndham hotel contacted the chain regarding fraudulent use of their cards. Based on this feedback, the hotel went back through its system and discovered the breach. In simple terms, the hotel was not aware of the breach until the data had been stolen and used fraudulently. It would seem that the next logical step that the chain would take would be to notify all of the owners of the compromised data, which the hotel has identified.
What Wyndham did instead was to inform the Secret Service and to provide the card information to the credit card companies, advising them to watch for suspicious activity. Wyndham claims that it does not have the addresses of the affected individuals, so it cannot contact them. It would seem that the hotel chain is shifting the burden to the card companies and doing only what is legally required. The people who suffer are the customers, who need to check their bills for fraudulent charges or hope that the card companies are checking for suspicious activity. It would seem that every customer should have the right to know immediately if his or her data has been stolen.
As for the hotel's mention of hiring a PCI firm to check the revised security, the hotel could very well have been PCI compliant at the time of the breach. PCI compliance does not equal safe data.
Friday, 24 July 2009
Alico: the company is always the last to know
Today, news is emerging of a credit card breach with the Japanese arm of global insurer Alico with the credit card data of approximately 110,000 customers affected. Of those affected, more than 1000 customers have seen fraudulent charges on their credit cards, and the credit card companies alerted Alico to the alleged theft.
An Alico spokesperson said that the company has yet to determine how the data could have been leaked. This statement, together with the fact that the credit card companies alerted the company to the breach, shows how difficult it can be to determine how a breach occurred, even when you know that one did occur.
This breach brings to mind RBS WorldPay and Heartland, in which customers saw fraudulent charges on their credit card bills before the companies realized they had been breached. As Alico looks for the source of the breach, we are also reminded that in this threat environment, personal data is constantly under attack. The link to criminal elements shows that these breaches are done with the express intent to grab personal financial data to be used fraudulently. In this type of situation, Alico is left playing “catch up” without the ability to stop additional damage to its customers, because their data has already been compromised. We hope that the company and all in the industry use this as a lesson as to the importance of knowing the location and status of their data at all times because it will always be an attractive target.
As they say, "an ounce of prevention is worth a pound of cure" -- now is the time to apply preventative measures to protect data.