jump to navigation

“Are You Eating a Rotten Apple?” – Personal Data May have Been Exposed in Global Payments Breach July 9, 2012

Posted by Chris Mark in cybersecurity, Data Breach, Industry News, InfoSec & Privacy, PCI DSS, Risk & Risk Management.
Tags: , , , , , , , ,
add a comment

Let me preface this post by saying this is not intended to take shots at either Global Payments or the PCI DSS.  Rather, this post is intended to generate discussion and discourse on the topic of compliance and risk management.

According to reports, it seems that the Global Payments data breach may have exposed more than payment card data.  n a June 12 update posted to its breach microsite, Global says hackers may have gained access to servers containing personal information collected from a subset of merchant customers.

“The company will notify potentially affected individuals in the coming days with helpful information and make available credit monitoring and identity protection insurance at no cost,” Global says. “The notifications are unrelated to cardholder data and pertain to individuals associated with a subset of the company’s U.S. merchant applicants.”

Based upon this statement it seems fair to assume that Personally Identifiable Information (PII) such as Social Security number and Bank Account information may have been exposed, as well.

This situation exposes the danger of using a narrowly focused, static standard as a baseline of security management rather than adopting a risk based approach to data security.   I have personally conducted over 100 PCI DSS audits and have seen first hand the resources consumed by the standard.  Companies often appear so laser focused upon protecting payment card data that other systems and data may take a back seat in the pursuit of “PCI DSS compliance.”  As there are significant penalties associated with non-compliance that it is difficult to blame the merchant or service provider. The penalties are designed to compel compliance with the standard.  As such, companies are going to give precedent to the PCI DSS over any other standard that does not have equivalent penalties associated with non compliance.

As a reminder, the PCI DSS is ONLY focused protection of Cardholder Data.  Surely some are going to say that the PCI should be applied across all systems etc.etc.  This is great in theory but does not happen in practice.  Companies take great pains to minimize their cardholder data environment specifically to lessen the compliance burden.

I am sure we will continue to see breaches of payment card companies having PII exposed as companies focus on PCI to the exclusion of risk based security management.

“Pinky and the Brain” – Chris & Heather Mark’s Articles in Transaction World Magazine June 21, 2012

Posted by Chris Mark in cybersecurity, Industry News, InfoSec & Privacy.
Tags: , , , , , , ,
add a comment

I heard yesterday from the EIC of Transaction World Magazine that they will be publishing one of my articles in their August 2012 issue.  Stay tuned!  I have written for TW numerous times over the past 7 years or so and Heather has written for them consistently since about 2005.  You can read her current article here and see archives of Heather’s articles at this link.  If you are not in the payments industry and want to know about the exciting world of credit card issues, check out TransactionWorld.  It has great articles covering everything from compliance, to security, interchange, and more.  Here are two links to a couple of my previous TW articles..1) Why Regulation Cannot Prevent CyberCrime and 2) Lessons from the Heartland Breach…clearly in this relationship Heather is the Brain and I am Pinky 😉

Of Payments, Privacy and Social Networks June 13, 2012

Posted by Heather Mark in Industry News, InfoSec & Privacy.
Tags: , , , , , ,
add a comment

By now, many of you have probably heard about the smartphone app creatively and aptly named “Girls Around Me.” For those that have not heard, it is essentially an application that aggregates the “check in” location data of women using Facebook, foursquare, and other social, location based services.  It then displays for the user the locations and names of “girls around” him (or her, I don’t think the app discriminates).  The app promises to “turn your town into a dating paradise.”  For privacy professionals, the app sparks an interesting debate.  Is privacy infringed if the person in question volunteers the information.  On one side of the argument are those that would say “no – if the user has volunteered information then privacy is not compromised by the application.”  The converse of that argument, however, is one that centers on a definition of privacy that hinges on the appropriate use of information.  If the user did not volunteer the information in an effort to join this “dating paradise” then privacy is certainly infringed.  Certainly, one can see that the application in the wrong hands has the potential for misuse.  But, what if we use the information for good, rather than evil? (more…)

“Flame On!”- New CyberWeapon Discovered in Middle East May 28, 2012

Posted by Chris Mark in cyberespionage, cybersecurity, InfoSec & Privacy, News, terrorism.
Tags: , , , , , , , , , , ,
1 comment so far

Complementing the post CyberEspionage, researchers have discovered a new cyberweapon.  First there was Stuxnet, then there was Duqu..now there is Flame.  Called by a researcher: “…the most complex piece of malicious software discovered to date…” the recently discovered virus is designed to capture data but can also change computer setting and turn on integrated microphones to record what is being said in the room.  Kapersky labs discovered the virus, dubbed “Flame”,  which has been lurking undetected inside of thousands of computers in the Middle East for as long as 5 years.  According to Kapersky, the countries with the most infections include Iran with the most infections followed by Israel/Palestine area, Syria, and Sudan.  According to Kapersky senior researcher Roel Schouwenberg: “The virus contains about 20 times as much code as Stuxnet, which attacked an Iranian uranium enrichment facility, causing centrifuges to fail. It has about 100 times as much code as a typical virus designed to steal financial information”(more…)

“Kiss My QR Code”; Symantec Releases 2011 Internet Security Threat Report May 20, 2012

Posted by Chris Mark in cybersecurity, Data Breach, InfoSec & Privacy.
Tags: , , , , , , , ,
add a comment

This month Symantec released the results of their 2011 Internet Security Threat Report. It is a very compelling read and highlights just how difficult it is becoming to protect systems, and data.  Some of the more interesting findings:  2011 saw variants of Malware increase from 283 million to 407 million (you read that correct…million).  Additionally, data thieves have begun using QR codes to infect Android phones with malicious software.  One out of every 299 emails is a phishing attempt.    This is a document that I recommend you download and read.

 

%d bloggers like this: