BreachExchange mailing list archives

Glitch in the system: The Loyaltybuild data breach


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 14 Nov 2013 00:17:11 -0700

http://www.irishexaminer.com/analysis/glitch-in-the-system-the-loyaltybuild-data-breach-249392.html

SUPERVALU is having a difficult week, with news that the data breach of
customer information was worse than previously feared — affecting 62,500
customers. A further 8,000 customers at insurance company Axa may also have
been affected.

Odd though it may seem, in both cases I doubt if we can attach too much of
the blame to these firms.

Reports in the media indicate that the breaches occurred at a company
called Loyaltybuild which was providing customer reward services to
Musgraves (SuperValu’s parent) as well as to Axa Insurance. If this is the
case, I suspect that the two companies are every bit as frustrated with
their service provider as the customers whose credit cards may have been
compromised, not least because their brands have been damaged by something
over which they had little if any control.

I have little doubt that the Data Protection Commissioner and the credit
card companies will investigate in detail what went wrong at Loyaltybuild.
Billy Hawkes, the commissioner, warned up to 500,000 people across Europe
may have been impacted by the breach. Historical credit card information
should not be sitting unencrypted on any network: best practice is to store
credit card information in encrypted form on a heavily protected subnet,
and to dispose of such information as soon as it is no longer required.

It is quite surprising that a sophisticated provider of these services
could suffer such an event. An educated guess is this was some kind of
unusual lapse — for example someone within the company dumped data out of
the protected database, for reasons unknown, and left it exposed by
accident. The fact that the stolen data is reported to have been historical
(from Jan 2011 to Feb 2012) would suggest it was probably not sitting on
the main credit card system when stolen.

To date, the manner in which the breach occurred has not been made public.
Currently the most common method of compromising a network is by a hacker
sending a person in the company an email infected with a malicious program
— a Trojan. Hacks through the web-server are still common enough also, as
are hacks through the wireless network. Another common but rarely mentioned
problem is the so-called “insider threat”. A large proportion of data
thefts are carried out by persons with legitimate access to the
information. We also do not yet know how long the data has been compromised
for.

Because we do not yet know how long the data was exposed, we also don’t
know how long in the past affected credit card users need to check their
records. As a precaution, people should check their credit card statements
going back two years for any unauthorised or unknown payments.

Fraudulent payments may not be very large. Cyber-criminals do not always
“max-out” cards straight away. The hacker may not even use them, but
auction them off. The buyer might then “milk” the card for repeated small
payments over a long period of time. This approach would be more likely to
avoid the kind of scrutiny the credit card companies now give to large
transactions on cards.

Those who have found any doubtful payments on their statement should call
their credit card company immediately. Losses due to frauds that occur
online usually fall on the card company, unless the card owner has been
inexcusably careless with the card information (which in this case would
not be true).

The Loyaltybuild incident is reflective of a growing problem for business
in general. Although by historical standards it was not very large —
Heartland Payment Services lost 110m credit card records in 2007, and there
is increasing evidence that Adobe may have lost even more customer records
in a recent hack — the Loyaltybuild breach is a very clear example of the
kinds of hazards facing customers and companies in the modern world of
e-commerce and outsourced services.

To reduce costs a lot of companies outsource “non-core” services to other
specialist providers. Companies require much greater flexibility in the
modern business environment and such outsourcing arrangements are
increasingly necessary. Unfortunately, it is rare that the computer systems
used by these service providers can be as tightly controlled and monitored
as a company’s own systems.

I attended a presentation by General Michael Hayden, the former director of
the US National Security Agency a few months ago. His view is that it is
impossible to fully secure any computer system that is connected to a
network. Yet, increasingly, we all must use online services regardless of
the risk. Even in the last fortnight we learned that the reason Irish
citizens must pay their property tax by credit card two months early is
because the Revenue Commissioners are not comfortable holding the credit
card information until the New Year.

Where even the Government is no longer certain in its ability to protect
card information online, the only advice I can give is to check your
monthly card statement. You never know what might be in it.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/