Recent High Profile Data Breaches Lessons Learned from TJX to Heartland - PowerPoint PPT Presentation

Slides: 23
Provided by: abq
Transcript and Presenter's Notes

1
Recent High Profile Data Breaches: Lessons
Learned from TJX to Heartland
February 2009
Presented By Joe Filer, CISSP, PMP, Client
Security Advocate
2
Who is this Guy?
  • BA in Math, Masters in Operations Research
  • 15 years as an information security professional
  • Consultant
  • Increasing levels of responsibility including
    Director Corporate Security and CISO
  • Extensive compliance focus
  • Certified Info Systems Security Professional
    (CISSP)
  • Project Management Professional (PMP)
  • Currently - Client Security Advocate at Harland
    Clarke
  • Resident of San Antonio, TX (more than 24 years)

3
Ground Rules
  • Harland Clarke Corp. is owned by a publicly
    traded company; however, none of my statements
    should be considered forward-looking.
  • Some of the information provided will be
    identified as my personal or professional
    opinion and should not be considered as
    reflective of my employer's position.
  • Aspects of this presentation that clearly address
    legal issues reflect summaries and should not be
    considered legal advice.

4
Overview
  • A Look Back
  • Review of TJX
  • Why Hannaford Was Different and Why It Was Not!
  • Heartland So Far
  • Lessons Learned
  • Bring Out the Crystal Ball
  • What Does It All Mean? - Conclusions

5
A Look Back
  • In 2005, 36 million credit card numbers lost by
    CardSystems Solutions due to systems hack
  • Company out of business
  • Bought by Solidus Networks, Inc., doing business
    as Pay By Touch
  • In 2006, hack of stored PIN data impacted several
    financial institutions
  • Smaller banks and credit unions temporarily shut
    down PIN-based transactions and reissued debit
    cards
  • Massachusetts Bankers Association supporting
    legislation/card association rule changes to
    identify the company breached and place the
    financial liability with that company
  • In 2006, 26.5 million vets and active duty
    personnel potentially impacted by loss of VA
    laptop

6
Pertinent TJX Facts
  • 826 T.J. Maxx, 751 Marshalls, and 271 HomeGoods
    locations
  • Lost credit and debit card transactions dating
    back to 2003
  • Believed intrusion took place from May 2006 to
    January 2007
  • Issues began in July 2005 and continued
    periodically through 2005
  • Issue: TJX was storing credit card data in
    violation of PCI
  • Track 2 of VISA card's magnetic stripe - account
    number, expiration date, CCV
  • Bottom Line:
  • 46 million (or more) credit/debit card numbers
    stolen over 18 months
  • Largest customer data breach on record (at that
    point)
  • Used to buy $8 Million in merchandise from
    Florida Wal-Marts
  • Fake credit cards and gift cards used in stores
    in 50 Florida counties

7
More TJX Info
  • TJX Breach Costs - $256 Million (probably
    conservative!) (Aug 07)
  • http://www.boston.com/business/globe/articles/2007/08/15/cost_of_data_breach_at_tjx_soars_to_256m/
  • 46 Million to 94 Million Affected (Oct 07)
  • http://www.consumeraffairs.com/news04/2007/10/tjx_data.html
  • TJX Faces FTC Audits for 20 Years (Mar 08)
  • Biennial third-party assessments
  • http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1307421,00.html
  • 11 TJX Hackers Caught (Aug 08)
  • http://www.consumeraffairs.com/news04/2008/08/hacker_ring.html

8
Lessons Learned - TJX
  • Encryption inconsistent across enterprise
    computer systems
  • Credit card data may be protected in some
    instances, but not others
  • Unnecessarily storing credit card data and other
    sensitive data
  • Failed to isolate data from traveling across less
    secure parts of the network
  • Very unstructured response to incident
  • Lack of comprehensive, standard-driven security
    program
  • Response perceived by customers to be untimely,
    uncaring
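
The TJX facts and lessons above (full Track 2 data retained in violation of PCI) translate into a check a defender can run over logs and database exports: find retained Track 2 records and report them masked so the affected stores can be purged. This is an added example, not from the presentation; the record layout follows ISO/IEC 7813, the log lines are constructed, and the PANs are publicly known test card numbers.

```python
import re

# Track 2 layout (ISO/IEC 7813): ";" PAN "=" YYMM SSS discretionary "?"
# PAN is up to 19 digits, YYMM the expiry, SSS the service code; the
# discretionary field carries issuer data such as the card verification value.
TRACK2_RE = re.compile(
    r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)

# Constructed sample of a POS/authorization log that wrongly retained full
# Track 2 data. PANs are publicly known Visa test numbers; the third line
# holds a digit run that is not a valid card number and must not be reported.
SAMPLE_DUMP = (
    "2009-02-10 auth ok ;4111111111111111=09121011234567890?\n"
    "2009-02-10 auth ok ;4012888888881881=10052011987654321?\n"
    "2009-02-10 debug   ;1234567890123456=0912101000000?\n"
)


def luhn_ok(digits: str) -> bool:
    """Mod-10 check every card number passes; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (PCI display rule), hide the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_stored_track2(text: str) -> list:
    """Return (line number, masked PAN, expiry YYMM, service code) for each
    Track 2 record found; the discretionary data is never returned or logged."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in TRACK2_RE.finditer(line):
            if luhn_ok(m.group("pan")):
                hits.append((lineno, mask_pan(m.group("pan")),
                             m.group("exp"), m.group("svc")))
    return hits


if __name__ == "__main__":
    for lineno, pan, exp, svc in find_stored_track2(SAMPLE_DUMP):
        print(f"line {lineno}: retained Track 2 data for PAN {pan} (exp {exp}, svc {svc})")
```

Run the same scan against database exports and backup media as well as logs, since the TJX lesson was that card data turned up in places the security program did not account for.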

9
More Lessons Learned - TJX
  • Inconsistent or absent logging minimized the
    ability to spot access to sensitive data
  • Especially important for awareness of lost
    encryption keys
  • Lack of proactive regular scans for
    OS/application vulnerabilities and monitoring of
    anomalies
  • Very dynamic environments require periodic
    validation/evaluation
  • Check Box Mentality evident here
  • Many think they are set after complying with
    SOX/HIPAA then discover controls not adequate to
    meet PCI
  • Minimal awareness of quality of controls
  • Not enough structured risk assessment involved

10
Hannaford Bros. Info
  • Large grocery chain from Maine
  • Notified by FirstData (credit card processor)
  • Suspicious activity Dec 07 to Mar 08
  • 4.2 Million card numbers; 1,800 immediate fraud
    cases identified
  • Data stolen in transit (POS to payment
    authorization)
  • Affected 165 stores in NE, 106 stores in Florida
    plus a few independents
  • Apparently malware installed at all affected
    stores
  • PCI Certified Merchant

11
But We Were PCI Certified! Analysis of the
Hannaford Bros. Security Breach
  • First instance of a PCI certified merchant
    getting hacked anyway (Mar 08)
  • Whose fault??
  • http://blog.washingtonpost.com/securityfix/2008/03/hannaford_breach_may_presage_0.html?nav=rss_blog
  • Compliance mindset can be part of the problem
    (Apr 08)
  • Compliance breeds complacency!
  • http://searchsecurity.techtarget.com/news/column/0,294698,sid14_gci1308040,00.html
  • Insider Job? (Nov 08)
  • Historically, 80% of incidents caused by people
    inside the organization
  • http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1307486,00.html

12
Heartland Payment Systems: The Mother of All
Breaches?
  • Credit card processor from New Jersey; PCI
    Certified
  • First alerted by VISA in October 2008
  • Potential impact on 100 Million accounts -
    175,000 merchants
  • Supposedly involves malware
  • HPS turned to US Secret Service for help

13
What About Heartland?
  • Another PCI certified service provider; begs a
    question!
  • Are PCI efforts (and costs) justified?
  • Press Release Timing?
  • Same day as inauguration?
  • Coincidence?
  • Focus on what was NOT compromised
  • NO NPI!
  • Did we mention that we did NOT lose any NPI?
  • Ability to deploy protective measures after the
    horse is out of the barn
  • Again, why was this not done before the breach?
  • First Heartland lawsuit? (Jan 29, 2009)
  • http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1346268,00.html?asrc=SS_CLA_303582&psrc=CLT_14

14
A Look at Costs Associated With Data Breaches
  • Average cost associated with losses is inconsistent
  • Probably due to inconsistent approaches!
  • FBI/CSI Survey 2005 - $167,000
  • DOJ August 2006 - $1.5 Million
  • TJX/Hannaford cost 75 Maine FIs $2 Million (Jan
    09)
  • http://www.bankinfosecurity.com/articles.php?art_id=1170
  • Ponemon Cost Info (2007)
  • $197 per record
  • http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1284140,00.html

15
Guidance for Affected Companies
  • Data loss is not the end of the world. Companies
    MUST:
  • Develop a confident awareness of what occurred
  • Aggressively and confidently communicate what
    happened
  • Understand what the company will do for its
    customers
  • Discover what the company can do to lower the
    likelihood of it happening again
  • If companies want to get into TROUBLE, companies
    can:
  • Stonewall customers
  • Leave them hanging out to dry
  • Point the finger at someone else
  • Obscure the issues
  • Suggest that fixes were easy

16
Things We All Need to Do Now
  • Successful security programs
  • Reflect layered approaches with the right mix of
    technology, people, and process endorsed by
    senior management - Technology alone is NOT
    enough!
  • Know what level of access people have to the
    network inside/outside the company
  • Ensure that sensitive data is encrypted at rest
    and in transit
  • Monitor user activity: Trust but Verify!
  • Have a firm grasp on what kind of data is
    traveling where through the network
  • Measure control effectiveness and continuously
    improve when possible
  • Understand and manage risk
  • Prepare a response plan for WHEN it breaks
  • Do NOT attempt to build it on the fly in a
    crisis situation
  • Know the right people to be involved and the
    right things to say and do
  • Test the plan and correct problem areas
  • Maintain the plan and keep it current

17
What is on the Horizon
  • The weaknesses associated with Payment Card
    Industry approach will be addressed
  • Expect more comprehensive requirements
  • More stringent assessor expectations
  • We will all be subjected to additional levels of
    oversight
  • With special focus on deflection of risk
  • Due diligence efforts to protect against
    litigation
  • Consumers are sick of holding the bag
  • Companies will be held accountable for security
    decision-making
  • Class action suits
  • Federal legislation is just a matter of time
  • Change of administration
  • Legislation has been bubbling under the surface
  • Response to consumer lack of confidence

18
Relevant Conclusions
  • Check Box Mentality is DANGEROUS
  • I'm certified, I'm done!
  • Effective security programs mean standards-based
    programs
  • NOT stove-pipes
  • Customer/consumer visibility means increased
    cost/incident
  • Structured incident response is a necessity today
  • Reactive security is NOT enough anymore
  • Proactive measures include effectiveness
    assessments
  • Make improvements ongoing versus AFTER the
    incident
  • Companies MUST inform customers/consumers of loss
    ASAP
  • Currently seen as an obligation
  • Anything less is unacceptable
  • A Company's biggest weakness is STILL its own
    people

19
Finally...
  • Top Security Breaches from 2008
  • http://www.bankinfosecurity.com/articles.php?art_id=1120&opg=1

20
Harland Clarke InfoSec Snapshot [2]
[1]
Note 1: Two Harland Clarke business functions
(Marketing Services and Checks in the Mail) are
currently certified. Enterprise project underway.
Note 2: Data developed from review of publicly
available information and interviews.
21
Questions
22
For more information