AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


AlertBoot Endpoint Security


Data Encryption: Stratfor Stored Credit Cards In Plain Text

The Office of Inadequate Security (databreaches.net) has been following the Anonymous hack of Stratfor.com very closely.  Of course, this is the hack in which data encryption software was not used to protect credit card numbers, which were in turn used to make "charitable" donations.

Dissent, the administrator behind databreaches.net, has raised a number of pertinent questions which ought to lead to interesting results.

Stratfor.com Hack

The original entry and updates to databreaches.net can be found here.  It includes what was hacked, how many were affected, and the subsequent "Antisec is not Anonymous" controversy.

Here, Dissent looks into Stratfor's privacy policy, working from a cached copy.

In this missive from Stratfor to clients (and provided to databreaches.net), the hacked company promises to boost security and provide credit monitoring services.

And, last but not least, Dissent takes a look at what the breach might cost Stratfor, since the company is based out of Austin, Texas, and the Lone Star State has pretty strict data protection laws on its books, which were later amended to cover all US citizens, if not the entire world.

Some of the posts appear to be long, but only because of quoted passages and legislation.

Adding in My Two Cents

There are a couple of things that I wanted to expand on briefly.

First, it's obvious that Stratfor was not PCI-DSS compliant.  For example, if you go over to pcicomplianceguide.org, you'll see that

Q: To whom does PCI apply?
A: PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.

There's no two ways about it: if you're processing a credit card for payment, you have to follow the rules.  It doesn't matter if you're a Fortune 500 company or a panhandler.

Requirement 3 of PCI-DSS governs the storage of sensitive data, including credit card numbers and card verification codes.  The first rule is to never store the information unless you have to (and even then, certain data, such as the CVV, must never be stored, not even in encrypted form).  The second rule is to always encrypt the information if you do store it.  The point is, you never store any part of a credit card in unencrypted form.
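To make the two rules concrete, here is an added example (my own illustration, not code from the PCI Council, Stratfor or AlertBoot) in Python.  It shows the only form a card record is allowed to take at rest: sensitive authentication data such as the CVV is refused outright, the PAN is truncated to first six / last four for display, and a keyed HMAC-SHA256 token replaces the full number for lookups (the key is assumed to live in a separate key-management system).  It also shows the audit check that would have flagged a database like Stratfor's: a scan of stored rows for runs of digits that pass the Luhn check, which is exactly what a plaintext card number looks like.  All card numbers and rows below are constructed test values.

```python
import hmac
import hashlib
import re
from typing import Any, Dict, List

# Fields that PCI-DSS Requirement 3 says must never be stored after
# authorization, even in encrypted form: verification codes, full
# magnetic-stripe track data and PIN data.
FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc", "track1", "track2", "pin", "pin_block"}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every genuine card number passes it, so it is a
    cheap filter for telling card numbers apart from other long digit runs."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, which PCI-DSS permits
    to be shown; the middle digits are never written anywhere."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the PAN. With the key held elsewhere (assumed key
    management system), the token is useful for de-duplication and lookups
    but worthless to someone who dumps the table."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def rejected_fields(card: Dict[str, Any]) -> List[str]:
    """Names of fields in the captured payment that may not be stored at all."""
    return sorted(FORBIDDEN_FIELDS & {k.lower() for k in card})


def build_storable_record(card: Dict[str, Any], hmac_key: bytes) -> Dict[str, Any]:
    """Convert a captured card payment into the only shape allowed at rest.
    Raises instead of silently dropping data so the caller cannot miss it."""
    bad = rejected_fields(card)
    if bad:
        raise ValueError(f"refusing to store sensitive authentication data: {bad}")
    pan = card["pan"].replace(" ", "")
    if not luhn_ok(pan):
        raise ValueError("invalid PAN")
    return {
        "customer_id": card["customer_id"],
        "pan_masked": mask_pan(pan),
        "pan_token": tokenize_pan(pan, hmac_key),
        "expiry": card["expiry"],
    }


# 13 to 19 digits bounded by non-word characters: the shape of a full PAN.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def find_plaintext_pans(rows: List[Dict[str, Any]]) -> List[str]:
    """Audit rows already in a database for anything that looks like a full
    card number. Any hit means cardholder data is sitting unencrypted."""
    hits = []
    for row in rows:
        for value in row.values():
            for candidate in PAN_RE.findall(str(value)):
                if luhn_ok(candidate):
                    hits.append(candidate)
    return hits


if __name__ == "__main__":
    key = b"constructed-test-key-not-for-production"
    # Constructed input using the well-known 4111... test number.
    good = build_storable_record(
        {"customer_id": 42, "pan": "4111 1111 1111 1111", "expiry": "12/26"}, key)
    print(good)                                  # no full PAN, no CVV
    # Constructed row in the shape Stratfor's table was reported to have.
    leaky = [{"customer_id": 1, "card_number": "4111111111111111", "cvv": "123"}]
    print(find_plaintext_pans(leaky))            # ['4111111111111111']
    print(find_plaintext_pans([good]))           # []
```

Running `find_plaintext_pans` over an export of your own payment tables is a quick way to confirm the second rule is actually being followed, rather than assuming it from the design documents.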

Fines of up to $500,000 can be assessed on organizations that don't comply.

The second thing I'd like to expand on is whether the FTC will get involved.  Dissent has asked "would the FTC consider Stratfor's data collection and storage deceptive"?  What Dissent is referring to is the fact that Stratfor promised to protect data but its actions didn't live up to that promise.  It's not unprecedented for the FTC to bring charges under such "deceptive practices."

In 2010, Twitter settled such charges:

The FTC's complaint against Twitter charges that serious lapses in the company's data security allowed hackers to obtain unauthorized administrative control of Twitter, including access to non-public user information, tweets that consumers had designated private, and the ability to send out phony tweets from any account including those belonging to then-President-elect Barack Obama and Fox News, among others.

"When a company promises consumers that their personal information is secure, it must live up to that promise," said David Vladeck, Director of the FTC's Bureau of Consumer Protection.

CVS and Rite Aid also had to answer for their words and actions not matching up:

Rite Aid made claims such as, “Rite Aid takes its responsibility for maintaining your protected health information in confidence very seriously. . . Although you have the right not to disclose your medical history, Rite Aid would like to assure you that we respect and protect your privacy.” The FTC alleged that the claim was deceptive and that Rite Aid’s security practices were unfair. [My emphasis]

Can Stratfor expect a visit from the FTC?  I'm not sure.  But the situation has attracted so much attention that the FTC cannot afford not to get involved.


Related Articles and Sites:
http://www.databreaches.net/?p=22426


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.