Title: Recent High Profile Data Breaches: Lessons Learned from TJX to Heartland
Slide 1: Recent High Profile Data Breaches: Lessons Learned from TJX to Heartland
February 2009
Presented by Joe Filer, CISSP, PMP, Client Security Advocate
Slide 2: Who is this Guy?
- BA in Math, Masters in Operations Research
- 15 years as an information security professional
- Consultant
- Increasing levels of responsibility including Director Corporate Security and CISO
- Extensive compliance focus
- Certified Information Systems Security Professional (CISSP)
- Project Management Professional (PMP)
- Currently Client Security Advocate at Harland Clarke
- Resident of San Antonio, TX (more than 24 years)
Slide 3: Ground Rules
- Harland Clarke Corp. is owned by a publicly traded company; however, none of my statements should be considered forward-looking.
- Some of the information provided will be identified as my personal or professional opinion and should not be considered as reflective of my employer's position.
- Aspects of this presentation that clearly address legal issues reflect summaries and should not be considered legal advice.
Slide 4: Overview
- A Look Back
- Review of TJX
- Why Hannaford Was Different and Why It Was Not!
- Heartland So Far
- Lessons Learned
- Bring Out the Crystal Ball
- What Does It All Mean?
- Conclusions
Slide 5: A Look Back
- In 2005, 36 million credit card numbers lost by CardSystems Solutions due to a systems hack
  - Company out of business
  - Bought by Solidus Networks, Inc., doing business as Pay By Touch
- In 2006, hack of stored PIN data impacted several financial institutions
  - Smaller banks and credit unions temporarily shut down PIN-based transactions and reissued debit cards
  - Massachusetts Bankers Association supporting legislation/card association rule changes to identify the company breached and place the financial liability with that company
- In 2006, 26.5 million vets and active duty personnel potentially impacted by loss of VA laptop
Slide 6: Pertinent TJX Facts
- 826 T.J. Maxx, 751 Marshalls, and 271 HomeGoods locations
- Lost credit and debit card transactions dating back to 2003
- Believed intrusion took place from May 2006 to January 2007
  - Issues began in July 2005 and continued periodically through 2005
- Issue: TJX was storing credit card data in violation of PCI
  - Track 2 of the card's magnetic stripe: account number, expiration date, CVV
- Bottom Line
  - 46 million (or more) credit/debit card numbers stolen over 18 months
  - Largest customer data breach on record (at that point)
  - Used to buy $8 million in merchandise from Florida Wal-Marts
  - Fake credit cards and gift cards used in stores in 50 Florida counties
Slide 7: More TJX Info
- TJX breach costs: $256 million (probably conservative!) (Aug 07)
  - http://www.boston.com/business/globe/articles/2007/08/15/cost_of_data_breach_at_tjx_soars_to_256m/
- 46 million to 94 million affected (Oct 07)
  - http://www.consumeraffairs.com/news04/2007/10/tjx_data.html
- TJX faces FTC audits for 20 years (Mar 08)
  - Biennial 3rd party assessments
  - http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1307421,00.html
- 11 TJX hackers caught (Aug 08)
  - http://www.consumeraffairs.com/news04/2008/08/hacker_ring.html
Slide 8: Lessons Learned - TJX
- Encryption inconsistent across enterprise computer systems
  - Credit card data may be protected in some instances, but not others
- Unnecessarily storing credit card data and other sensitive data
- Failed to isolate data from traveling across less secure parts of the network
- Very unstructured response to incident
  - Lack of comprehensive, standards-driven security program
  - Response perceived by customers to be untimely, uncaring
Slide 9: More Lessons Learned - TJX
- Inconsistent or missing logging minimized ability to spot access to sensitive data
  - Especially important for awareness of lost encryption keys
- Lack of proactive regular scans for OS/application vulnerabilities and monitoring of anomalies
  - Very dynamic environments require periodic validation/evaluation
- Check Box Mentality evident here
  - Many think they are set after complying with SOX/HIPAA, then discover controls not adequate to meet PCI
- Minimal awareness of quality of controls
  - Not enough structured risk assessment involved
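Slides 6, 8 and 9 put the TJX root problem in one place: full Track 2 magnetic-stripe data sitting in storage, encrypted in some systems but not others, with too little logging and no regular scanning to find it. The following is an added example, not part of the original deck and not Harland Clarke's tooling: a small Python scanner that finds stored Track 2 data in text (log files, database dumps, captures converted to text) by matching the ISO/IEC 7813 Track 2 layout and confirming the PAN with the Luhn check, then reports only a masked PAN so the finding itself does not become another copy of cardholder data. The sample lines are constructed, their log format is assumed, and the card numbers are publicly known test PANs, not real cards.

```python
"""
Scan text for stored Track 2 magnetic-stripe data (added example).

Track 2 layout (ISO/IEC 7813):
    ;<PAN 13-19 digits>=<YYMM expiry><3-digit service code><discretionary data>?
PCI DSS prohibits storing the full track after authorization, so any hit in a
log, dump or backup is a finding regardless of whether the file is "encrypted
somewhere else".
"""
import re
from typing import List

# Constructed sample lines (assumed log format). 4111111111111111 and
# 5500000000000004 are well-known test PANs that pass the Luhn check;
# 4111111111111112 has a bad check digit and must be ignored as noise.
SAMPLE_LINES = [
    "2007-01-12 14:03:11 pos07 auth_req ;4111111111111111=09121011234567890?",
    "2007-01-12 14:03:12 pos07 auth_resp approved ref=0012",
    "2007-01-12 14:04:01 pos07 auth_req ;4111111111111112=09121011234567890?",
    "2007-01-12 14:05:33 pos07 auth_req ;5500000000000004=10061010000000000?",
]

# Start sentinel ';', PAN, field separator '=', YYMM, service code,
# optional discretionary data, optional end sentinel '?'.
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??"
)


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first 6 and last 4 digits, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(line: str) -> List[dict]:
    """Return Track 2 hits in one line whose PAN passes the Luhn check."""
    hits = []
    for m in TRACK2_RE.finditer(line):
        pan = m.group("pan")
        if not luhn_ok(pan):
            continue  # digit run that merely looks like a track, skip it
        hits.append({
            "pan_masked": mask_pan(pan),
            "exp": m.group("exp"),
            "svc": m.group("svc"),
        })
    return hits


def scan_lines(lines) -> List[dict]:
    """Scan an iterable of text lines; each finding records its 1-based line number."""
    findings = []
    for n, line in enumerate(lines, 1):
        for hit in find_track2(line):
            hit["line"] = n
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LINES):
        print(finding)
```

Run it against anything that persists POS traffic: application logs, database exports, crash dumps and backup media. Two hits out of four constructed lines is the point of the exercise; the line that fails Luhn is deliberately dropped so the report stays small enough that someone actually reads it. Pass `open(path)` to `scan_lines` to run it over a real file.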
Slide 10: Hannaford Bros. Info
- Large grocery chain from Maine
- Notified by First Data (credit card processor)
- Suspicious activity Dec 07 to Mar 08
- 4.2 million card numbers; 1,800 immediate fraud cases identified
- Data stolen in transit (POS to payment authorization)
- Affected 165 stores in NE, 106 stores in Florida plus a few independents
- Apparently malware installed at all affected stores
- PCI Certified Merchant
Slide 11: "But We Were PCI Certified": Analysis of Hannaford Bros. Security Breach
- First instance of a PCI certified merchant getting hacked anyway (Mar 08)
  - Whose fault??
  - http://blog.washingtonpost.com/securityfix/2008/03/hannaford_breach_may_presage_0.html?nav=rss_blog
- Compliance mindset can be part of the problem (Apr 08)
  - Compliance breeds complacency!
  - http://searchsecurity.techtarget.com/news/column/0,294698,sid14_gci1308040,00.html
- Insider job? (Nov 08)
  - Historically, 80% of incidents caused by people inside the organization
  - http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1307486,00.html
Slide 12: Heartland Payment Systems: The Mother of All Breaches?
- Credit card processor from New Jersey; PCI Certified
- First alerted by VISA in October 2008
- Potential impact on 100 million accounts; 175,000 merchants
- Supposedly involves malware
- HPS turned to US Secret Service for help
Slide 13: What About Heartland?
- Another PCI certified service provider: begs a question!
  - Are PCI efforts (and costs) justified?
- Press release timing?
  - Same day as inauguration?
  - Coincidence?
- Focus on what was NOT compromised
  - NO NPI (non-public personal information)!
  - Did we mention that we did NOT lose any NPI?
- Ability to deploy protective measures after the horse is out of the barn
  - Again, why was this not done before the breach?
- First Heartland lawsuit? (Jan 29, 2009)
  - http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1346268,00.html?asrc=SS_CLA_303582&psrc=CLT_14
Slide 14: A Look at Costs Associated With Data Breaches
- Average cost associated with losses inconsistent
  - Probably due to inconsistent approaches!
- FBI/CSI Survey 2005: $167,000
- DOJ August 2006: $1.5 million
- TJX/Hannaford cost 75 Maine FIs $2 million (Jan 09)
  - http://www.bankinfosecurity.com/articles.php?art_id=1170
- Ponemon cost info (2007)
  - $197 per record
  - http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1284140,00.html
Slide 15: Guidance for Affected Companies
- Data loss is not the end of the world. Companies MUST:
  - Develop a confident awareness of what occurred
  - Aggressively and confidently communicate what happened
  - Understand what the company will do for its customers
  - Discover what the company can do to lower the likelihood of it happening again
- If companies want to get into TROUBLE, companies can:
  - Stonewall customers
  - Leave them hanging out to dry
  - Point the finger at someone else
  - Obscure the issues
  - Suggest that fixes were easy
Slide 16: Things We All Need to Do Now
- Successful security programs
  - Reflect layered approaches with the right mix of technology, people, and process endorsed by senior management
  - Technology alone is NOT enough!
  - Know what level of access people have to the network inside/outside the company
  - Ensure that sensitive data is encrypted at rest and in transit
  - Monitor user activity: Trust but Verify!
  - Have a firm grasp on what kind of data is traveling where through the network
  - Measure control effectiveness and continuously improve when possible
  - Understand and manage risk
- Prepare a response plan for WHEN it breaks
  - Do NOT attempt to build it on the fly in a crisis situation
  - Know the right people to be involved and the right things to say and do
  - Test the plan and correct problem areas
  - Maintain the plan and keep it current
Slide 17: What is on the Horizon
- The weaknesses associated with the Payment Card Industry approach will be addressed
  - Expect more comprehensive requirements
  - More stringent assessor expectations
- We will all be subjected to additional levels of oversight
  - With special focus on deflection of risk
  - Due diligence efforts to protect against litigation
- Consumers are sick of holding the bag
  - Companies will be held accountable for security decision-making
  - Class action suits
- Federal legislation is just a matter of time
  - Change of administration
  - Legislation has been bubbling under the surface
  - Response to consumer lack of confidence
Slide 18: Relevant Conclusions
- Check Box Mentality is DANGEROUS
  - "I'm certified, I'm done!"
- Effective security programs are standards-based, NOT stove-pipes
- Customer/consumer visibility means increased cost per incident
- Structured incident response is a necessity today
- Reactive security is NOT enough anymore
  - Proactive measures include effectiveness assessments
  - Make improvements ongoing versus AFTER the incident
- Companies MUST inform customers/consumers of loss ASAP
  - Currently seen as an obligation
  - Anything less is unacceptable
- A company's biggest weakness is STILL its own people
Slide 19: Finally...
- Top Security Breaches from 2008
  - http://www.bankinfosecurity.com/articles.php?art_id=1120&opg=1
Slide 20: Harland Clarke InfoSec Snapshot (Note 2)
[Chart not reproduced; the Note 1 marker appears within the chart.]
Note 1: Two Harland Clarke business functions (Marketing Services and Checks in the Mail) are currently certified. Enterprise project underway.
Note 2: Data developed from review of publicly available information and interviews.
Slide 21: Questions
Slide 22: For more information