
Posts categorized "Business"

Tuesday, 13 May 2008

Thousands Of Credit And Debit Cards Compromised By Hackers At Dave & Buster's Inc. Restaurants

Three people have been indicted for hacking into cash register terminals at Dave & Buster's Inc. restaurants.  The U.S. Department of Justice has confirmed this in a 27-page indictment against the three individuals, who allegedly installed a "packet sniffer", software designed to intercept network communications between computers, to capture credit card details while they were being transmitted from the cash registers to the credit card processors and banks.

With so much emphasis being placed on protecting credit card holder information, why don't companies invest in more stringent network access controls and data centric security measures?

Three accused of hacking Dave & Buster's computers
http://www.reuters.com/article/domesticNews/idUSN1230887420080512

International Hackers Indicted for Sniffing Credit Cards from Dave & Busters
http://blog.wired.com/27bstroke6/2008/05/international-h.html

Monday, 18 February 2008

Tenet Healthcare Corp (NYSE: THC) Identity Theft By Ex-Employee May Affect 40,000 Patients

Tenet Healthcare Corporation (NYSE: THC) has mailed letters to 40,000 patients at 54 hospitals nationwide informing them that their personal information, including social security numbers, may have been stolen by an ex-employee, Terrance Brooks, at Tenet's billing center in Frisco, Texas.

Terrance Brooks, convicted of this identity theft crime, had access to Tenet's billing systems, which stored patients' personal data including birth data and social security numbers.  According to some news reports, Brooks was arrested on November 25 after attempting to open a credit card account at a Costco store.  In his possession were data records on 90 patients.  Tenet called those patients immediately and has taken the precautionary step of informing the 40,000 patients whose data could have been accessed by Brooks during his employment.

No company can prevent 100% of insider attacks on their information systems or data by employees.  However, companies can do more: increase employee education and monitoring, and implement stronger policies and controls to ensure that these types of incidents are minimized.


South Florida Sun-Sentinel

http://www.sun-sentinel.com/news/local/palmbeach/sfl-flpfraud0214sbfeb14,0,42801.story

Darkreading
http://www.darkreading.com/document.asp?doc_id=146095

Tuesday, 05 February 2008

Google, Inc. (NASDAQ: GOOG) Launches E-mail Security Services For Business

Google, Inc. (NASDAQ: GOOG) announced (http://www.google.com/intl/en/press/pressrel/20080205_securityservices.html) several new security services for e-mail powered by Postini™. The new services provide inbound and outbound message filtering, encryption, and message archiving capabilities for business.

Services start at $3 per user per year.  Providing enterprise level security products at affordable prices for small businesses is a major benefit of these service offerings by Google. 

For more information see: http://www.google.com/a/security

Monday, 28 January 2008

ChoicePoint Inc. (NYSE: CPS) Pays $10M to Settle Data Breach Lawsuit

ChoicePoint Inc. (NYSE: CPS) is paying $10 million to settle a class-action lawsuit related to a data breach incident from 2005.   In the related data breach, the personal information of 160,000 consumers was put at risk. 

The $10 million payment, if approved by the U.S. District Court in Georgia, would settle the lawsuit brought by shareholders against named defendants ChoicePoint and certain of its officers.  As part of the settlement, ChoicePoint will admit no liability in the data breach incident.

Score one for big business and shareholders.  However, consumers today still don't have comprehensive federal legislation to protect their data privacy and impose stiff financial penalties on companies that put their personal information at risk.


Computerworld

http://computerworld.com/action/article.do?command=printArticleBasic&articleId=9059659

Data Breach of Credit Card Details for 650,000 Consumers Including 150,000 Social Security Numbers

GE Money USA, a company that provides credit card processing services for retailers, has suffered a data breach potentially affecting the credit card details for approximately 650,000 consumers.  A backup tape has been missing since October from an Iron Mountain Inc. (NYSE: IRM) secure storage facility.

GE Money has publicly identified only one retailer, J.C. Penney Co. (NYSE: JCP), among the affected retailers whose data was compromised on the lost backup tape.   In addition, GE Money has stated that approximately 150,000 social security numbers for customers of retailers were stored on the backup tape.

GE Money is providing free credit monitoring for one year to those consumers affected and has informed consumers via letters mailed starting in early December 2007.


Data Breach Affects 650k Customers of 230 Retailers

http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=311724

GE Money Backup Tape With 650,000 Records Missing At Iron Mountain
http://www.informationweek.com/story/showArticle.jhtml?articleID=205901244

Friday, 18 January 2008

U.S. Federal Energy Regulatory Commission Issues Cyber Security Standards

On January 17, 2008, the U.S. Federal Energy Regulatory Commission approved eight mandatory reliability standards for cyber security designed to help guard the United States national power grid from cyber security threats and attacks.

The new standards were developed by the North American Electric Reliability Corporation (NERC).  NERC is also charged with managing future development of these standards and with following the guidance of the National Institute of Standards and Technology (NIST) on issues of cyber security.  This is a particularly smart move on the part of FERC to ensure that future cyber security standards developed and maintained by NERC are relevant and current to changes in technology and the field of cyber security research.

According to a FERC press release (See: http://www.ferc.gov/news/news-releases/2008/2008-1/01-17-08-E-2.asp) the eight new cyber security standards address the following topics:

  • Critical Cyber Asset Identification;
  • Security Management Controls;
  • Personnel and Training;
  • Electronic Security Perimeters;
  • Physical Security of Critical Cyber Assets;
  • Systems Security Management;
  • Incident Reporting and Response Planning; and
  • Recovery Plans for Critical Cyber Assets.

Recently we have seen news reports about other countries like China enhancing their cyber security and warfare capabilities within their own government and military forces.   However, I'm glad FERC is creating these standards for critical infrastructure protection (CIP) of our nation's power grid to counter the potential threats from other governments and those who would choose to do our country harm.

I hope the power grid operators and electric utility companies quickly implement these standards and help contribute more investment dollars towards the protection of our critical infrastructure assets from cyber and physical security threats.

Tuesday, 04 December 2007

Chinese Hackers Breach Rolls Royce and Royal Dutch Shell Computer Networks, MI5 Warns UK Firms

Recently Chinese state-sponsored hackers managed to penetrate the computer networks of Rolls Royce and Royal Dutch Shell in the UK (See article:  Secrets of Shell and Rolls-Royce come under attack from China’s spies).

The seriousness of the Rolls Royce and Royal Dutch Shell incidents and the increased level of state-sponsored hacker attacks have prompted MI5, the United Kingdom's counter-intelligence and security service, to warn other companies to be vigilant against this type of industrial espionage.

State sponsored cyber espionage is a serious threat to the national security of all nations.

Sunday, 02 December 2007

TJX (NYSE: TJX) Pays $40.9 Million In Restitution To Visa Inc. For Data Breach

TJX (NYSE: TJX) has paid $40.9 million in restitution to Visa Inc. to settle all claims related to the data breach that compromised nearly 46 million credit cards.  Visa Inc. has also recently settled fines against Fifth Third Bancorp (NASDAQ: FITB) - (See: http://blog.csoboard.com/cso/2007/11/fifth-third-ban.html).

Retail merchants and financial institutions are waking up to the reality that they must work together to better protect the integrity, security, and privacy of their customers' financial information.   Let's all hope as consumers that industry can achieve those lofty goals.

For more information see:

Sunday, 25 November 2007

Fifth Third Bancorp (NASDAQ: FITB) Fined $880,000 by Visa Inc. For Role In TJX (NYSE: TJX) Data Breach

Fifth Third Bancorp (NASDAQ: FITB) has been fined $880,000 by Visa Inc. for FITB's role in the data breach at TJX Companies Inc. (NYSE: TJX).  (Click here for article by Boston Globe)  In recent years, banks, merchants, and credit card issuers have been at odds over who should be responsible for protecting credit card data.   

Thanks in part to the collaboration by credit card issuers like Visa and MasterCard, today the PCI (Payment Card Industry) Security Standards Council, an independent organization, is leading efforts and developing industry standards for data security that banks, merchants, and credit card issuers can all agree to adopt as a baseline for the protection of consumers' credit card data.  Despite all of these efforts, data breaches have occurred because of the reluctance by organizations to implement appropriate data security measures.

It is my hope that the motivation for banks and merchants to act to protect consumers' personal and financial information is not only driven by self-regulatory industry actions.

Thursday, 08 November 2007

Salesforce.com (NYSE: CRM) Suffers Data Breach

Australian IT is reporting (to see article click here) that on-line CRM services company Salesforce.com (NYSE: CRM) suffered an IT security breach.   Salesforce has admitted that the incident was caused by an employee being duped by a "phishing scam".

The company has admitted customer account information including passwords may have been compromised by non-authorized parties.  According to the article by Australian IT, more than 1,000 subscribers to Salesforce.com may have been affected in Australia alone.