Posted by Slavik under compliance, credit cards, PCI, TJX
Comments Off on PCI Grows Teeth
The rumors about my death have been greatly exaggerated, to paraphrase Mark Twain. I guess I’m a burst-blogger, at least for as long I’m also the CTO of a growing start-up.
The credit card companies started to make good on their threats and levy hefty fines like this one issued against TJX and its banks. This makes the pain of non-compliance very real, and I think we are going to see more of it as the credit card companies demonstrate that they mean business. This is one of the benefits of having an industry-regulated standard as opposed to laws and regulations – the incentives to enforce are business incentives, so they work…
A-propos, another recent development around PCI, which I think has not been receiving the attention that it should, is the passing of the first state law to augment PCI DSS the standard. Minnesota, the state that passed this law, is home to some of America’s largest retailers, such as Target and Best Buy, so on its own this law may have far reaching impact. Moreover, similar to California Senate Bill 1386 that deals with privacy breach notification and spawned copycat laws in some 38 other states, I expect the Minnesota law to be the harbinger of additional state laws (Texas, Massachusetts and Illinois are contemplating it), although in California it was shot down by the governator.
It may seem redundant to enact laws where an industry standard is already working well, but I understand the lawmakers’ perspective. You can’t just leave everything to market forces. Yes, right now it seems PCI is on the right track to provide protection for consumers. But this may not necessarily be the case in the future. Call it short term overkill, long-term insurance.
In the meantime, the retailers are trying to play “pass the hot potato” with the credit card issuers. While I agree that less data storage is less potential for data theft, there are accounting issues and simple business streamlining issues that need to be addressed. Guess what? The retailers’ gambit is not going to work. PCI DSS is not reversible, it’s only going forward. Credit card companies provide a valuable service to both consumers and retailers, and in this game, they have the power. Don’t like the requirements VISA is imposing? You have a choice – either comply, or don’t accept VISA anymore (and good luck with that…!), or outsource CC processing entirely.
The reality is that PCI is going to become part of the cost of doing business. It’s several years too late, but better late than never.
Posted by Slavik under breach, credit cards, encryption, insider threat, monitoring, TJX
Comments Off on So what really happened at TJX?
What better way to start a blog about database security than to discuss what is possibly the biggest data breach ever?
It now seems that several banks are suing TJX over claimed losses of tens of millions of dollars – so negligence in data protection carries a cash penalty, not just nebulous damage to reputation. Gross negligence, in fact – this is not some one-off lapse in judgment such as a laptop with sensitive information forgotten on a bus, or a CD lost in the post.
The details recently published about the ongoing investigation provide insight into what possibly happened:
- The breach lasted 17 months: For 17 months someone (or more than one person) was systematically stealing data. I can only infer from this that security measures and procedures at TJX were grossly inadequate. It also means the breach was not accidental – it may have been opportunistic at first, but certainly malicious after that. More likely it was malicious from the start.
- Insider(s) were involved: It seems that some encrypted credit card data was decrypted using keys, which only an insider with privileged access would have. Whether such an insider was knowingly complicit or duped into divulging such information is unknown, but it shows us all what the sophisticated criminals already know – why bother sweating and hacking your way through firewalls and IDS when it’s so much simpler to use an insider?
- Utter lack of visibility: Most astonishing of all, “more than 50 experts TJX put on the case have reached no conclusions. Besides not knowing how many thieves were involved, TJX isn’t sure whether there was one continuing intrusion or multiple separate break-ins, according to a March 28 regulatory filing.”
In other words, the thieves either did a great job of covering their tracks (and they certainly had ample time to do that!), or worse, they didn’t have to do it because their actions were invisible to begin with…
It is clear that even a rudimentary audit could have prevented the breach from going undiscovered for so long. It is also evident that encryption alone wasn’t enough to protect the data, and that perimeter defenses such as firewalls are useless against inside jobs like this one.
But ultimately, the entire thing could have been prevented with real-time monitoring and intrusion prevention at the database level.