Odd though it may seem, in both cases I doubt if we can attach too much of the blame to these firms.
Reports in the media indicate that the breaches occurred at a company called Loyaltybuild which was providing customer reward services to Musgraves (SuperValu’s parent) as well as to Axa Insurance. If this is the case, I suspect that the two companies are every bit as frustrated with their service provider as the customers whose credit cards may have been compromised, not least because their brands have been damaged by something over which they had little if any control.
I have little doubt that the Data Protection Commissioner and the credit card companies will investigate in detail what went wrong at Loyaltybuild. Billy Hawkes, the commissioner, warned up to 500,000 people across Europe may have been impacted by the breach. Historical credit card information should not be sitting unencrypted on any network: best practice is to store credit card information in encrypted form on a heavily protected subnet, and to dispose of such information as soon as it is no longer required.
It is quite surprising that a sophisticated provider of these services could suffer such an event. An educated guess is this was some kind of unusual lapse — for example someone within the company dumped data out of the protected database, for reasons unknown, and left it exposed by accident. The fact that the stolen data is reported to have been historical (from Jan 2011 to Feb 2012) would suggest it was probably not sitting on the main credit card system when stolen.
To date, the manner in which the breach occurred has not been made public. Currently the most common method of compromising a network is by a hacker sending a person in the company an email infected with a malicious program — a Trojan. Hacks through the web-server are still common enough also, as are hacks through the wireless network. Another common but rarely mentioned problem is the so-called “insider threat”. A large proportion of data thefts are carried out by persons with legitimate access to the information. We also do not yet know how long the data has been compromised for.
Because we do not yet know how long the data was exposed, we also don’t know how long in the past affected credit card users need to check their records. As a precaution, people should check their credit card statements going back two years for any unauthorised or unknown payments.
Fraudulent payments may not be very large. Cyber-criminals do not always “max-out” cards straight away. The hacker may not even use them!, but auction them off. The buyer might then “milk” the card for repeated small payments over a long period of time. This approach would be more likely to avoid the kind of scrutiny the credit card companies now give to large transactions on cards.
Those who have found any doubtful payments on their statement should call their credit card company immediately. Losses due to frauds that occur online usually fall on the card company, unless the card owner has been inexcusably careless with the card information (which in this case would not be true).
The Loyaltybuild incident is reflective of a growing problem for business in general. Although by historical standards it was not very large — Heartland Payment Services lost 110m credit card records in 2007, and there is increasing evidence that Adobe may have lost even more customer records in a recent hack — the Loyaltybuild breach is a very clear example kinds of hazards facing customers and companies in the modern world of e-commerce and outsourced services.
To reduce costs a lot of companies outsource “non-core” services to other specialist providers. Companies require much greater flexibility in the modern business environment and such outsourcing arrangements are increasingly necessary. Unfortunately, it is rare that the computer systems used by these service providers can be as tightly controlled and monitored as a company’s own systems.
I attended a presentation by General Michael Hayden, the former director of the US National Security Agency a few months ago. His view is that it is impossible to fully secure any computer system that is connected to a network. Yet, increasingly, we all must use online services regardless of the risk. Even in the last fortnight we learned that the reason Irish citizens must pay their property tax by credit card two months early is because the Revenue Commissioners are not comfortable holding the credit card information until the New Year.
Where even the Government is no longer certain in its ability to protect card information online, the only advice I can give is to check your monthly card statement. You never know what might be in it.
lMike Harris is IT security and risk services partner at Grant Thornton, and lectures in online security and fraud at University College Dublin’s Cybercrime Institute.