Monday, 1 March 2010
Check-in to your hotel – and let hackers check-out with your credit card
In its FAQs, the hotel states that guests who had stayed at a Wyndham hotel contacted the chain regarding fraudulent use of their cards. Based on this feedback, the hotel went back through its system and discovered the breach. In simple terms, the hotel was not aware of the breach until the data had been stolen and used fraudulently. It would seem that the next logical step that the chain would take would be to notify all of the owners of the compromised data, which the hotel has identified.
What Wyndham did instead was to inform the Secret Service and to provide the card information to the credit card companies, advising them to watch for suspicious activity. Wyndham claims that it does not have the addresses of the affected individuals, so it cannot contact them. It would seem that the hotel chain is shifting the burden to the card companies and doing only what is legally required. The people who suffer are the customers, who need to check their bills for fraudulent charges or hope that the card companies are checking for suspicious activity. It would seem that every customer should have the right to know immediately if his / her data has been stolen.
As for the hotel’s mention of hiring a PCI firm to check the revised security, the hotel could very well have been PCI compliant at the time of the breach. PCI does not equal safe data.
Monday, 29 June 2009
The UK's cyberspace initiative
There are also economic considerations that this initiative addresses. In the UK, for example, more than £50 billion is spent online every year and 90% of high street purchases are made using electronic transactions.
There will be much debate as to the validity of the threats and the forms that they will take; however, as members of the security industry, we know that these threats always have the ability to be more devastating and widespread than even popular imagination can dictate.
By placing the protection of "digital Britain" in the hands of the government, we are showing a united front against cyber-criminals, cyber-terrorists and the run of the mill hackers who pose a threat to our information systems and personal data. As we commend the government for taking this bold and necessary step, we would like to remind them of a lesson that industry has learned over the past few years: threats come from internal and external sources. So, a "defend the perimeter" approach will leave valuable assets unprotected.
The government should look at the threat matrix holistically, starting from the databases that hold information, to the individuals that access it, through the networks that carry the data, to the perimeter. This "ground-up" approach will ensure that we are well protected at every turn.
Wednesday, 15 April 2009
The excitement builds towards the RSA Conference
Secerno will again be actively attending and you can visit us on stand 2259. I have a busy schedule for the week.
First I have a McAfee partner presentation at the theater in the SIA Partner Pavilion (booth #1017). I will be talking about the challenges of data security and how the Secerno and McAfee integration provides a compelling solution.
Later in the same day I am a member of the panel “In The Cloud or on the Desktop? Expert Views of Data Security Trends”. The panel moderator is Dr. Larry Ponemon, Founder of the Ponemon Institute, and he is supported by an interesting group of panelists: Eva Chen, Trend Micro CEO; Mary Ann Davidson, CSO Oracle; Renee Guttman, CISO Time Warner; and myself, Dr. Steve Moyle, CTO Secerno. There are some lively personalities on the panel, so if the session is even half as interesting as our pre-conference calls, then the audience will be educated and entertained. The Session ID is HOT-107 and it will start at 16:10 PST.
Finally, I have a presentation “Beyond Regular Expressions: the Future of Data Protection” on Wednesday 22nd April at 08:00 PST. This is a Network session and I will be driving home, using practical examples, why security founded on regular expression signatures is a technological blind alley. Even more compelling are the mathematical foundations that prove why application languages (like SQL and JavaScript) can never be defended using regular languages (like regular expressions). If you want to find out more, feel free to attend Session ID: NET-201.
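As an added illustration of the point above (example code written for this page, not from the original post or from Secerno's product): a regular expression can only recognise parentheses nested to a depth fixed when the pattern was written, whereas a simple counter, the smallest pushdown automaton, handles any depth. The `SAMPLE_SQL` text and the `wrap` helper are constructed for the example.

```python
import re
from typing import Optional, Tuple

# Constructed sample: a WHERE clause whose parentheses nest three deep.
SAMPLE_SQL = ("SELECT id FROM users "
              "WHERE (age > 18 AND (country = 'UK' OR (vip = 1)))")


def paren_regex(depth: int) -> "re.Pattern[str]":
    """Regex accepting text whose parentheses balance and nest at most `depth`
    deep. Each extra level needs another copy of the sub-pattern, so no single
    regex covers every depth: balanced nesting is not a regular language."""
    inner = r"[^()]*"
    for _ in range(depth):
        inner = rf"[^()]*(?:\({inner}\)[^()]*)*"
    return re.compile(rf"^{inner}$")


def nesting(sql: str) -> Optional[int]:
    """Minimal pushdown check: a counter stands in for the stack. Returns the
    maximum nesting depth, or None if the parentheses do not balance. Quoted
    string literals are ignored here; a real SQL parser tokenises first."""
    depth = deepest = 0
    for ch in sql:
        if ch == "(":
            depth += 1
            deepest = max(deepest, depth)
        elif ch == ")":
            depth -= 1
            if depth < 0:          # a ')' with no matching '('
                return None
    return deepest if depth == 0 else None


def wrap(sql: str, levels: int) -> str:
    """Constructed input: wrap the WHERE condition in `levels` extra parentheses."""
    head, cond = sql.split("WHERE ", 1)
    return f"{head}WHERE {'(' * levels}{cond}{')' * levels}"


def compare(sql: str, depth: int) -> Tuple[bool, Optional[int]]:
    """(accepted by the depth-limited regex, nesting found by the counter)."""
    return bool(paren_regex(depth).match(sql)), nesting(sql)


if __name__ == "__main__":
    for extra in range(3):
        query = wrap(SAMPLE_SQL, extra)
        print(f"+{extra} levels -> regex(depth 3), counter: {compare(query, 3)}")
```

Adding one more level of harmless parentheses defeats the depth-3 pattern while the counter still reports a balanced query, which is the limit the post's argument rests on.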
If you are at the RSA Conference feel free to come and say hello.
Wednesday, 21 January 2009
Billion Dollar Breach
The World’s First Billion Dollar Breach?
The Heartland breach could be ushering in the next wave of major criminal security breaches, targeting credit card processors, which deal with a much higher volume of stored credit card data than traditional retailers. Although the company has not indicated exactly how many records have been compromised, and it may not know, Heartland has acknowledged processing 100 million credit card transactions each month, and other sources suggest that as many cards may be at risk.
The cost for replacing a credit card is around $15, apparently. So, the breach at Heartland could cost credit card issuers $1.5 billion in replacement costs alone – ignoring the impact of any fraudulent transactions. Even if a much smaller fraction of the processed records was affected, the cost will still run into hundreds of millions of dollars. To put the cost into context: This is TJX on steroids.
The question is: who will end up paying these clean up costs? It seems unlikely Heartland will carry them all, though the breach occurred on their watch. Initially, the credit card companies bear most of the cost, but they will undoubtedly seek to pass these fees on to insurers, merchants and consumers alike.
At least Heartland is seeking to shut the door after the horse has bolted – a well-trodden security path. They claim to be implementing “a next-generation program designed to flag network anomalies in real-time” which is to be welcomed. Such new behavioural-based approaches are essential to spot the kind of sophisticated exploits which so easily defeat discredited signature-based systems.