Gary Palgon
Vice President, Product Management
nuBridges
That just may be the tip of the iceberg as the details of this latest cybercrime unravel.
On Tuesday, Albert Gonzalez and two others were indicted on charges of stealing more than 130 million payment card numbers, the largest hacking and identity theft case ever prosecuted in the U.S. Ironically, he is accused of breaching several retailers’ networks that were already compliant with the Payment Card Industry Data Security Standard (PCI DSS), a set of comprehensive requirements put into place in 2006 by American Express, MasterCard, Visa and other credit card companies to force businesses to better protect credit and debit card information from thefts like those committed by Gonzalez and other hackers over the years. Then, yesterday, Radisson reported that some of the computers at several of its hotels were breached between November 2008 and May 2009, possibly exposing guest information and credit card numbers.
This is BIG, but it’s only the latest in a long series of avoidable data breaches. Cybercriminals are opportunists. They steal information from wherever it’s easiest to reach. In the last couple of years they’ve methodically climbed the technology stack. In this case, Gonzalez and his band of global thieves started at the top by breaching the web application interface and then went deep down to gather internal credit card data in transit, the latter being something the PCI DSS has yet to enforce as a requirement.
Regardless of all the ways criminals get into systems to access data, the only sure method of protecting it is to ensure that the data is always encrypted, whether at rest or in transit. There are methods to do this, including encryption, key management and tokenization, which you’ve probably read about in the articles I’ve published or presented recently: http://www.nubridges.com/presscenter/articles-2009.php
Until next time,
Gary