Adult Friend Finder Breached, Millions Of Records Exposed

Casual dating website Adult Friend Finder, which boasts some 63 million users across the globe, has warned customers that their personal data may be at risk following what appears to be a massive leak.

The breach, which is believed to have exposed around 3.6 million or more records, is currently being investigated by police.

Compromised information is said to include usernames, email addresses, post codes, IP addresses and details of people who have indicated they are looking for an extramarital affair.

Californian FriendFinder Networks says it is aware of the “seriousness” of the potential breach which appears to affect both current and deleted user accounts.

Given the nature of the site, and the fact that other personal details such as sexual preferences were leaked, the potential damage to affected users could be severe, as pointed out by Tripwire’s Director of Security and Product Management, Tim Erlin:

Aside from the known value of compromised personal details on the dark web, there’s certainly the potential for blackmail from this breach. If any high profile, public figures or politicians have been using Adult Friend Finder, they might consider how the details they entered there could be used against them.

Commenting on Twitter, our very own Brian Honan came to much the same conclusion:


Further details about the breach remain few and far between at the moment with the California company merely telling Channel 4 News that it “understands and fully appreciates the seriousness of the issue” and has “already begun working closely with law enforcement and have launched a comprehensive investigation with the help of leading third-party forensics expert”. The company also vowed to take the necessary action to protect its affected customers.

While the lack of further information may be frustrating, especially to anyone who has ever signed up to Adult Friend Finder, it is hardly surprising. As Erlin says:

It’s become a standard pattern to see these breach announcements with minimal details, followed by more information as investigators get involved. It’s not unusual for the scope of a breach to expand as forensics experts are engaged and gain access to data.

So what’s next if you are a victim?

While it is hardly clear-cut at the moment, the experience of one user may give some insight. Shaun Harper says he has been targeted with malware-laden emails since his details were published (you can check whether yours have been leaked here), even though he had already deleted his account and believed all of his information had been removed.

I’d suspect that in addition to infected emails and the aforementioned potential for blackmail, there is also a very strong likelihood that personal information will be sold on to companies and individuals with an interest in creating user profiles, not to mention an increase in personalised phishing emails hitting inboxes.

As Ken Westin, Senior Security Analyst at Tripwire says

The Internet has essentially become a database of You. As more data is breached, this information can be sold in underground markets and can create a very vivid profile of an individual.

Depending on the type of information that is compromised this data can be used to link aliases to other accounts via email or other shared attributes and unveil connections to accounts that were not seen until now. An example would be a politician that may have created an account using a fake name, but used a known email address for their login details, or a phone number that can be mapped back to their real identity, this is an example of how data like this can lead to further blackmail and/or extortion by a malicious actor seeking to profit from this type of information.

It is also highly likely that affected customers will see an increase in junk email over the next few weeks too – as the stolen records began to circulate on the dark web, the hackers said they intended to spam the compromised email addresses.

Twenty-Five Million Plus Two Reasons Not To Ignore The Data Breach Risk

A few years ago data breaches weren’t all that common or, if they were, they certainly weren’t being reported with quite the same regularity that they are now.

Nowadays, it seems like another big company is getting hit just about every week – but let us not forget that smaller breaches are also a regular occurrence too.

So what are you doing to mitigate the risk of a breach affecting your organisation?


Hmmm…in that case, this post is for you then as I detail just two incidents from the last week that really ought to have you sitting bolt upright, considering the various costs associated with becoming the next data breach casualty.


Firstly, there was the news that one of the biggest mobile carriers in the US – AT&T – had been slapped hard by the Federal Communications Commission (FCC).

Between 2013 and 2014 a series of breaches at call centres in Mexico, Colombia and the Philippines led to the unauthorised disclosure of personal data, including names and Social Security numbers, of some 280,000 US customers.

The FCC’s investigation revealed that over 40 call centre employees had collectively accessed the records so that third parties could submit handset unlocking requests through AT&T’s online portal. According to an FCC official, many of the handsets in question appeared to have been stolen.

As a result of the breach the carrier – which is the second largest in the US – was ordered to hand over $25 million, the largest civil penalty ever handed out in respect of privacy and data security enforcement action.

AT&T was also ordered to file regular compliance reports to the FCC and the company also voluntarily took on the added expense of notifying all impacted customers as well as offering them a year of free credit monitoring.

But it’s not just large settlements that large companies should fear in the wake of a data breach – reputational damage can be an equally big issue.

White Lodging Services

Take White Lodging Services, for example.

The Indiana-based company provides hotel management services across 14 properties, putting it on an altogether different scale to AT&T, but its business may have been damaged just as much by the news that it has suffered a payment card breach.

Can you imagine how prospective customers must feel, knowing that the company’s point-of-sale systems were compromised between 20 March, 2013 and 16 December of the same year?

Not great, I bet, though the relatively small size of the company may have kept it out of the largest news circles.

Unfortunately for White Lodging Services, some things in the past refuse to stay there, as its systems were again compromised on 27 January this year.

The company says the latest attack is not related to the previous one and it’s hard to tell whether customers should be reassured or increasingly worried about that to be honest.

That the company’s POS systems could be compromised once is worrying but perhaps not entirely surprising, given how the likes of Target, Home Depot and Neiman Marcus have all suffered a similar fate in the recent past.

But twice?

Something is going on here and, in the absence of further information from the company or comment from law enforcement, it’s hard to say what.

In any event, I would suspect that potential customers of White Lodging Services may well have heard the news by now and may be considering their next moves and whether they may be better off staying elsewhere.

That’s not to say that the company has done anything wrong – it may just have been the unfortunate victim of a very skilled attacker (twice, no less) – but the consequences may ultimately be no less damaging than the penalty handed to AT&T.

So, again, the question is, what are you doing to mitigate the risk of a data breach – a crime not limited to the United States – affecting your firm? And do you have an incident response plan prepared in case the worst does happen?

PCI What? Ex-Home Depot Staff Told Friends To Use Cash Not Cards

The story behind the Home Depot breach continues to unravel bit by bit and as the pieces of the jigsaw start to fit together, the resulting picture doesn’t look pretty.

Not one bit.

According to an article in the New York Times, the situation appears to have been little more than shambolic in my opinion, with former staff and security team members telling the publication that defence mechanisms were out of date and that security response was lacking.

The timeline appears to have started around seven years ago when the company began employing Symantec antivirus 2007, only to never subsequently update it. The New York Times also reports that networks were not consistently monitored for signs of attack and that system and vulnerability scans were not only performed erratically, but were also not all-encompassing as security staff were blocked from checking certain systems, including those associated with handling customer information.

The fact that the company failed to perform even the most basic of scans on a regular basis, in conjunction with more than 12 customer information databases being outside of their remit, is alarming, if not surprising, to me at least.

Whether the company complied with payment card rules (it says it has since 2009), which mandate that a retailer of its size conduct comprehensive scans at least quarterly, is unknown, as is whether Home Depot employed the services of QSAs to regularly test compliance; but the allegations put forward by former employees certainly suggest the answer may be a resounding no.

In fact, things were so bad at Home Depot that employees reportedly left the company after being told by managers that the chain “sell[s] hammers” when they asked for new software and training.

Even when the company did make a positive step in 2012 by hiring a computer engineer, Ricky Joe Mitchell, to help oversee security at its 2,200 stores, things didn’t exactly go to plan – he was subsequently arrested and banged up for 4 years in a federal jail after he was found to have deliberately wiped the servers at his previous company.

Former security staff at the chain told the New York Times that their confidence in the company’s IT systems was so low that they even resorted to telling friends to avoid using credit cards to make payments, instead recommending cash as a safer alternative.

The company did react eventually though, bringing in experts from Voltage Security, but only after the Target breach was discovered. The move to roll out EMV credit card security and the deployment of encryption across company systems came too late though as the attackers had already gained entry to the systems, leading to the theft of 56 million customers’ payment cards. Such a haul eclipses the 40 million that were snaffled during the Target breach. Experts have already seen some information for sale on carder forums and the total value of the stolen data has been estimated to be worth up to $3 billion.

And, as if things couldn’t get any worse, Home Depot’s email to customers, advising them of the breach, has only just gone out, long after most of the world heard the news from other sources.

Also, as you can see, it’s somewhat short of useful, actionable advice:

Dear Valued Customer,

As you may have heard, on September 8, 2014, we confirmed that our payment data systems have been breached, which could potentially impact customers using payment cards at our U.S. and Canadian stores. On September 18, 2014, we confirmed that the malware used in the breach has been eliminated from our U.S. and Canadian stores and that we have completed a major payment security project that provides enhanced encryption of payment data at point of sale throughout our U.S. stores, offering significant new protection for customers. There is no evidence that debit PIN numbers were compromised or that checks were impacted. Additionally, there is no evidence that the breach has impacted stores in Mexico or customers who shopped online at

We are offering customers who used a payment card at a Home Depot store in 2014, from April on, 12 months of free identity protection services, including credit monitoring, beginning on September 19, 2014. We apologize for the frustration and anxiety this may cause you and we thank you for your patience during this time.

For more information, please visit our website where you’ll find frequently asked questions, helpful tips, our Important Customer Notice, and information about how to take advantage of the free identity protection services, including credit monitoring. Should you have questions regarding the authenticity of this email or any additional questions over the coming days and weeks, please call 1-800-HOMEDEPOT.

We hope this information is useful and we appreciate your continued support.

The Home Depot

How do you rate Home Depot’s incident handling and response in this case?

Home Depot Investigates Breach. Slow Adoption Of Chip-And-Pin To Blame?

Another day, another breach.

This time it looks like US DIY chain Home Depot may have been compromised along with the possibility that customer credit and debit card data may have been snatched.

The possible breach was first reported by Brian Krebs who later updated his original post to suggest that the breach may extend back to April or May of this year.

The home improvement chain has subsequently revealed that it is investigating what it refers to as ‘suspicious activity’ and has also confirmed that it is working with “banking partners and law enforcement” as part of its own inquiry into what may have transpired.

Paula Drake, a U.S. spokesperson for Home Depot, said:

“I can confirm we are looking into some unusual activity and we are working with our banking partners and law enforcement to investigate. Protecting our customers’ information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers. If we confirm that a breach has occurred, we will make sure customers are notified immediately. Right now, for security reasons, it would be inappropriate for us to speculate further.”

Krebs, who broke the Target data breach story last year, said that it was too early to say how many stores may have been affected but the fact that Home Depot has 2,200 outlets means that:

“This breach could be many times larger than Target, which had 40 million credit and debit cards stolen over a three-week period.”

If the breach is confirmed, Home Depot would be the latest, and possibly largest, retailer to suffer a loss of sensitive customer information, which may further alarm shoppers who are likely already concerned about the ability of large firms to keep their private data safe.

Krebs said that a number of banks became aware that the chain may have been breached after a massive new swathe of payment card data was made available on underground websites. He added that there are some indications that the alleged attackers in this case may be the same group of Russian and Ukrainian hackers that were responsible for the aforementioned Target breach, as well as other high profile compromises at P.F. Chang’s and Sally Beauty. The motivation for the attack, according to Krebs, could be some sort of protest against the US and Europe in the wake of sanctions levied against Russia following its moves into Ukraine.

Whilst data theft is likely to continue within the retail industry I am of the opinion that US firms are more at risk than others right now due to the slow adoption of the chip-and-pin system in America.

Until that system is fully integrated in the US, the fact that magnetic card strips are still scanned as part of the payment process makes them an easier target at the point of sale.

Or, as Ken Westin, security analyst at Tripwire, says:

“It’s safe to say that mega retailer point-of-sale data breaches are approaching the point of an epidemic. These breaches are having a significant impact on consumer trust and many of the retailers still do not fully comprehend the scope or origin of the breaches.

Organized criminal syndicates are actively targeting U.S. retailers simply because they’ve become lucrative targets; these groups take advantage of inherent vulnerabilities in payment architectures and applications, amongst other tactics, to get into these retail chains and siphon data off undetected.

Pretty much all of these retailers have been notified of potential fraud after the fact usually by fraud analysts at financial institutions who detect stolen credit card activity. They then map the activity back to specific retailers as the common point of origin.”

Racing Post Ticked Off But Not Fined By ICO

Last year hackers breached the website of UK newspaper the Racing Post and made off with a whole heap of personal information belonging to over 677,000 customers.

The October attack saw names, addresses, dates of birth, telephone numbers and passwords exposed, but the Racing Post will not be fined, says the Information Commissioner’s Office (ICO).

The ICO said its decision not to levy any financial penalty on the newspaper was a close one, perhaps because its security was found to have been so lax – an investigation discovered that the last penetration test was run in 2007, six years before the SQL injection attack that led to the compromise.

The attack took advantage of existing vulnerabilities in the website which allowed the hackers to access the company’s database of registered users.

The ICO investigation revealed that security around both the website and the customer database was lacking.

Not only had penetration testing ceased in 2007, but regular security patches had been missed since that time too.

ICO Head of Enforcement, Stephen Eckersley, said:

“There is barely a day that goes by without a company being the target of an online attack. This is the modern world and businesses and other organisations must have adequate security measures in place to keep people’s information secure.

“The Racing Post pulled up short when it came to protecting their customers’ information by failing to keep their IT systems up-to-date. This data breach should act as a warning to all businesses that poor IT security practices are providing an open invitation to your customers’ details.”

The Racing Post has now signed an undertaking in which it acknowledged its previous lapses and promised it would try to do better in the future.

The Commissioner will now keep a close eye on the Racing Post which will in turn endeavour to keep its security practices current, as well as upgrade from the woefully inadequate unsalted password system it had in place for customers.

Assuming the Commissioner is content with the progress made, no fine will be imposed, saving the Racing Post a potential penalty of up to £500,000 which it could expect for a breach of the Data Protection Act.

(Personally I think this is far too lenient and I do not believe the ICO goes as far as it perhaps could to actually make organisations sit up and think about the consequences of a breach – what do you think?)

Meanwhile punters may wish to investigate the security measures employed by the online establishments they frequent following the news last month that Irish bookmaker Paddy Power was breached with the resulting loss of almost 650,000 customer records. In that case, the bookmaker took a whopping 4 years to declare the incident which one can only assume would have given the bad guys plenty of time to make use of the information in all manner of ways.

The Data Breach – It’s More When Rather Than If

So, you put on the radio (anyone still have one of those old-fashioned things?), switch on the TV, or visit your favourite news website and you see it: another data breach has snaffled all the headlines.

Reported data breaches are becoming ever more common. I say reported because I’m not convinced that they necessarily occur vastly more often than in the past, but I do think that they garner more column inches in the rags and more electrons on the interwebs than they ever did.

That said, the nature of data breaches is shifting.

Not so long ago they affected large companies. Hackers, or organised criminals as they more likely are, were targeting big business with the intention of gathering data from which they could profit in some way. It wasn’t great for those affected of course but at least we could go to bed at night and not worry about our own data falling into the wrong hands.

Nowadays of course the situation is somewhat different. Personal data is being hoovered up via data breaches, either as a side effect or by deliberate design. It’s not just hackers that are stealing that data either, but post-Snowden observations have been covered plenty well enough elsewhere.

The trend which sees the average man or woman in the street become a direct victim of the data breach is an alarming one as it potentially affects so many people.

To put things into perspective, it has emerged today that up to 27 million South Koreans may have had their personal data compromised by a gang that snaffled up website registrations from a variety of sites, including gambling sites, ringtone sites and games sites.

All in, it looks like up to 220 million records may have been stolen by around 16 people who used that info to fraudulently acquire in-game currency and other virtual items for cash.

Worse yet, breached accounts, along with the associated passwords and resident registration numbers, may have been used by third parties as part of a mortgage fraud ring. The guy behind all of this, known simply as Kim, is also said to have sold personal information on to others too.

It’s not the first time this has happened in South Korea either – in 2011 some 35 million people had their personal information exposed after a breach at Cyworld, a local social network. That figure represents almost the entire population of the country.

Whilst South Korea may not be Ireland, Britain or the US, it would still be naive to think that it couldn’t happen in one of those countries, and on a similar scale.

Because for most people it’s not so much if but when.

So what are you doing to lessen the risk of your company being the next victim of the next big data breach? How are you protecting your own personal information on your local computer? What about your online accounts, of which you likely have many? Are they all protected by unique complex passwords? Are they all trustworthy?

Hopefully you are as secure as you can be already but it is worth returning to Mr Snowden. Whatever you may think of him and the way he has leaked certain sensitive information, there is no denying the fact that he has taught us all one thing: if someone wants your data badly enough, they’ll find a way.

No More Security Through Obscurity As Hackers Snaffle 4.5 Billion Records From 420,000 Websites

A Russian hacking group has swiped over a billion usernames and passwords, linked to over half a million email addresses, from what experts have described as poorly secured databases.

The theft, the largest ever of its kind, was discovered by US-based Hold Security which says credentials were stolen from 420,000 websites.

The company’s founder and CEO, Alex Holden, told The New York Times that, unlike the majority of breaches, the gang behind what Hold Security dubs “CyberVor” have gone after a wide spectrum of sites rather than zeroing in on one large company.

Via the dark corners of the web, the hackers gained access to botnet data which revealed websites that were vulnerable to SQL injection attacks. This allowed the attackers to then visit those sites and harvest data, their primary objective being the gathering of login credentials.

All in, the southern central Russian hackers snaffled up 4.5 billion records though many were duplicates. Overall, Hold Security estimates that the hackers got away with 542 million email addresses and 1.2 billion unique sets of usernames and passwords.

Hold Security has declined to name any of the compromised sites as many have ongoing vulnerabilities and the company has non-disclosure agreements in place, presumably with some of the Fortune 500 sites that were breached.

Hold says that the stolen credentials have not been sold on by the hackers who, instead, appear to be using them to send spam via compromised social networking accounts. This would seem to suggest that at least some of the passwords obtained were either stored in plaintext or were easily cracked.
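The Racing Post section above mentions an unsalted password store, and this paragraph notes that the CyberVor credentials were reusable, suggesting plaintext or weakly hashed passwords. The following example is added here to illustrate the difference; it is not code from any of the sites or companies named on the page. It compares an unsalted SHA-1 scheme with a per-user salted PBKDF2 store; the iteration count and salt length are assumed values chosen for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this demonstration; tune iterations to your own
# hardware and follow current guidance for whichever algorithm you deploy.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def unsalted_sha1(password: str) -> str:
    """The weak scheme: the same password gives the same digest for every
    user, so one precomputed table (or one cracked hash) covers all of them."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iters>$<salt>$<hash>'.
    A fresh random salt is drawn per call unless one is supplied (tests only)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute from the stored salt and iteration count, then compare in
    constant time so that a mismatch leaks nothing about where it differs."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def compare_schemes(password: str) -> dict:
    """Two users who chose the same password: identical under the unsalted
    scheme, distinct under the salted one, and both still verify correctly."""
    weak_a, weak_b = unsalted_sha1(password), unsalted_sha1(password)
    strong_a, strong_b = hash_password(password), hash_password(password)
    return {
        "unsalted_collide": weak_a == weak_b,
        "salted_collide": strong_a == strong_b,
        "salted_verifies": verify_password(password, strong_a)
                           and verify_password(password, strong_b),
        "wrong_password_rejected": not verify_password(password + "x", strong_a),
    }


if __name__ == "__main__":
    # Constructed sample password, not taken from any breach.
    print(compare_schemes("correct horse battery staple"))
```

The stored record carries its own salt and iteration count, so the parameters can be raised later for new records while old ones still verify, and a leaked table of salted PBKDF2 records cannot be attacked with a single precomputed list the way an unsalted table can.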

Companies are now urged to check their systems, looking especially for susceptibility to SQL injection attacks, and this event should act as a further reminder to check all aspects of security within the organisation.
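As an added illustration of the susceptibility the paragraph above asks companies to check for (example code, not from Hold Security or any site named on the page), the block below puts the weak and the hardened form of the same lookup side by side over a constructed in-memory SQLite table. The table name, columns and sample rows are all assumptions for the demonstration; the point is the regression check at the end, which a team can keep in its test suite to confirm that user input is bound as a parameter rather than spliced into query text.

```python
import sqlite3

# Constructed sample rows for the demonstration (not from any real site).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The weak form: the caller's string is spliced into the SQL text, so any
    quote character in it changes the structure of the query itself."""
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """The hardened form: the value travels as a bound parameter, so the
    database only ever compares it as data and never parses it as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def injection_regression_check() -> dict:
    """Run both forms with a benign name and with the textbook tautology
    string, and report how many rows each returns. A correct implementation
    returns exactly one row for the real user and none for the tautology."""
    conn = make_db()
    benign = "alice"
    tautology = "x' OR '1'='1"
    return {
        "vulnerable_benign": len(find_user_vulnerable(conn, benign)),
        "vulnerable_tautology": len(find_user_vulnerable(conn, tautology)),
        "safe_benign": len(find_user_safe(conn, benign)),
        "safe_tautology": len(find_user_safe(conn, tautology)),
    }


if __name__ == "__main__":
    print(injection_regression_check())
```

With the vulnerable form the tautology string turns a single-user lookup into a dump of every row, which is exactly the credential-harvesting outcome the article describes; with parameters bound, the same string simply matches no user. The same check generalises to any query that takes external input: if a string containing a quote changes the row count, the input is being interpolated rather than bound.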

Whilst vulnerable companies remain at risk from future attacks, this particular scenario seems focused on individual users who would be well advised to review all their online accounts and change passwords should they have any concerns about the security surrounding any site they are registered with.

When selecting a new password, users should choose something that is hard to guess or crack and we have ten tips to help you do just that (click here).

Commenting on the news, Mark James, security specialist at ESET, highlighted the limitations associated with the way websites authenticate users, as well as the need for companies to disclose data breaches and other security issues in a timely manner, something that unfortunately doesn’t always happen, as seen recently with CatchOfTheDay and Paddy Power:

“This massive stash of personal information has all been harvested from different locations, ranging from purchased data on the black market through to data from botnets. It has also been harvested from smaller websites where the security is possibly not so good.

We often have to submit our data to do so many seemingly simple things like register to read a newspaper online or even order some takeaway food. This data is stored on servers that could have very little security.

Organising all this data into a central repository and then using it to gain access to more systems would point to a very organised gang of thieves. This discovery highlights the need for companies to inform their users as soon as possible if they think their servers have been compromised as our only defence is using different information online.

The only real way of targeting this problem is to not use email addresses as logins. Websites should give you the opportunity to use a login name that you have full control over, rather than just using the same email address across multiple sites. Of course the usual password rules apply, do not re use the same password anywhere, make small simple changes that can be easily remembered by yourself and don’t use dictionary words in your password. Even adding one or two random characters into a dictionary word can throw a brute force word search off course.”

ProofPoint’s Mark Sparshott suggests that businesses should take some responsibility onboard, saying that many are living in a past where security through obscurity still had some merit:

“Most SMEs know they have weak security but do nothing about it because they believe that cybercriminals focus on high profile, high value ‘Targets of Choice’ who are selected specifically and pursued intently.

CyberVor blows this self-denial out of the water as the majority of those businesses breached were ‘Targets of Opportunity’ attacked by automated scripts that launched sophisticated SQL Injection, Spam and Phishing attacks against an endless list of websites and IPs without any knowledge of who they were attacking.”

My own suggestion would be that users need to think carefully about opening new accounts online, querying the company concerned about why they need the data and how they will secure it. I’d also point out, once again, that anyone creating an online account should be careful not to reuse the same password because, once compromised, it can give an attacker access to all of their accounts. Use different login credentials for every site you visit – it’s what password managers were made for.

Data Breaches Have Minimal Effect On Consumer Attitude Towards Fraud And Privacy

According to a May 2014 survey by idRADAR, the attitude of the general public towards privacy issues and the risks of fraud are still alarmingly poor.

A national survey of 313 consumers, taken from a broad range of ages and socio-economic groups, discovered that almost four-fifths had taken no action to protect their privacy or guard their financial accounts from fraud, despite the fact that over 260 million people have been victims of data breaches since the goings-on at Target entered the public domain.

Tom Feige, CEO of idRADAR, noted that:

“There is a national data breach epidemic, and consumers shockingly show very few signs of concern. Most are taking no measures to protect themselves.”

The poll, the first in what will be a quarterly affair set to measure consumer trends, showed that the majority of respondents do not even take the time to change their passwords following a breach. Less than 10% of the consumers interviewed make a point of changing passwords on a regular basis and a little under two-thirds admitted that they only change their login credentials when a compromised website forces them to.

Alarming stuff indeed.

The survey also found that around ninety-three percent of those surveyed would expect a breached company to offer them a free credit monitoring service after the fact (a figure that may possibly have been skewed due to the nature of idRADAR’s business). Additionally, 70% of those questioned said they intend to use debit cards in preference to credit cards, despite the additional protections offered by the latter, prompting Feige to say that:

“Clearly, consumers do not want to take responsibility for protecting themselves before or after a serious breach. They want someone else to worry about it.”

Feige also suggests that the malaise amongst consumers means that “they don’t seem to care if their personal privacy rights are threatened,” and that the majority “want to rely on the government to protect them.”

Unfortunately, as we now know, many governments arguably do not have citizens’ best interests at heart at all times. Even so, the subjects of this survey were more concerned (55%) about the threat of data breaches than the potential invasion of their privacy posed by the NSA and other government agencies snooping on their phone calls, browsing habits and email messages.

Which is all a bit ironic really when you consider that the majority of those interviewed are doing nothing about either issue.

As I am sure you are aware, data breaches are big news these days and the indications are that they will continue.

The most recent of those breaches – at auction site eBay – highlights not only the sort of information that gets taken –

  • customer names
  • encrypted passwords
  • email addresses
  • physical addresses
  • phone numbers
  • dates of birth

– but also the challenges faced by large corporations when the proverbial hits the fan. I still know a few people who are yet to receive an email from eBay advising them of the need to change their passwords and, as this survey suggests, such communication would appear to matter not a jot to some people anyway.

The idRADAR survey does offer some insight into why such a situation exists. It comes as no surprise to learn that only 41% of the respondents had heard of the recent Heartbleed bug, which ties in with figures produced recently by the Pew Research Center which found awareness of the vulnerability to be equally lacking.

Feige concluded that:

“People are not paying enough attention to this critical problem, and their lack of knowledge on the entire subject is frankly very alarming. Obviously there is a great need for education on this issue.”

And he is absolutely right.

Those readers who work in or around information security will know the importance of security awareness within the business arena. Despite the expertise of top security professionals, such as Brian Honan himself, it is still an area with a lot of development potential in my opinion.

But should security awareness be limited to the corporate sector?

I would argue not, especially after reading surveys such as this one. It appears that many home computer users could benefit from some fairly basic advice on how to stay safe on the internet and how to react to certain scenarios.

Here in the UK we have initiatives such as Cyber Streetwise that offer some early promise, but we need more. And it is not just the individual who would benefit from universal security training either – employees who buy into security to protect their own digital assets would likely think more carefully about how to protect their employer’s data too.

UK Survey: 25 Percent of Breaches Go Undetected for More Than 24 Hours

A new survey from Tripwire, Inc., has discovered that 40% of retail and financial organisations need 2-3 days to detect a breach.

Last Tuesday I met up with detective novel-inspired Dwayne Melancon and other key Tripwire personnel as part of the Eskenzi press lunch that was being held in conjunction with InfoSecurity Europe 2014. The topic of discussion was data breaches, including within the retail sector, the area in which I work when I’m not at my keyboard. That, combined with the recent high profile breaches at the likes of Target and Neiman Marcus, made sure that my curiosity and interest were piqued in equal measure.

As I am sure many of you know, a recent report from the Ponemon Institute has revealed that the costs associated with a breach have risen significantly over the last year, rising 15% to $3.5 million in total. Furthermore, each individual record containing sensitive and confidential information that is lost or stolen is now costing business $145 a time, a year on year rise of 9%. Significantly, the Ponemon Institute also discovered that the probability of a company having a data breach involving 10,000 or more confidential records is 22 percent over a two-year period.

So, given the above, can we expect organisations to be considering the risk of suffering a data breach far more seriously than ever before?

Apparently not, according to Tripwire’s findings.

A survey conducted by Atomic Research, encompassing 102 financial organisations and 151 retail organisations in the U.K., all of which process card payments, indicates that recent data breaches have actually had little impact on the security controls employed by those businesses.

Additionally, 35% of those polled said it would take as long as two to three days to detect a breach on their systems whilst 44 percent admitted that their customer data could be better protected.

The Payment Card Industry Data Security Standard (PCI DSS) is a security standard that outlines minimum security requirements for organisations that handle cardholder information. When the surveyed organisations were asked how important PCI compliance is to their overall security program, 43 percent said it was the backbone of their security program, and 36 percent said it was half of their security program.

PCI compliance is not, of course, a silver bullet and, in my opinion, should only be seen as one part of a much broader security program. Even so, it is still interesting to learn that only 11.1% of businesses were fully compliant in 2013 and, as Neira Jones recently told me:

“It has been evidenced in the Verizon PCI Compliance Report 2014 that ‘organisations that are breached tend to be less compliant with PCI-DSS than the average of organisations in our research’”.

In response to the survey findings, Tripwire’s Tim Erlin, director of IT security and risk strategy, said:

“It is shocking to see the high level of confidence exhibited by respondents in the wake of the recent series of high-profile cardholder data breaches. Sixty percent of respondents said they are confident that their security controls are able to prevent the loss of data files, but this confidence flies in the face of recent evidence to the contrary.”

Other notable findings from the Atomic Research survey include:

  • 24 percent of the organisations polled have already suffered a data breach in which Personally Identifiable Information (PII) was either stolen or accessed by intruders.
  • 36 percent of respondents do not have confidence in their incident response plan.
  • 51 percent of respondents are only somewhat confident that their security controls can detect malicious applications.
  • 40 percent of respondents said they do not believe that recent high profile cardholder breaches have changed the level of attention executives give to security.

Melancon, chief technology officer for Tripwire, said:

“It is great that recent breaches have increased cybersecurity awareness and internal dialogue. However, the improved internal communication may be biased by a false sense of security. For example, 95 percent of respondents said they would be able to detect a breach on critical systems within a week. In reality, nearly all of the recent publicly disclosed breaches have gone on for months without detection.”

Melancon added that:

“Furthermore, only 60 percent of respondents believe their systems have been hardened enough to prevent the kind of data loss similar to that seen in recent high profile breaches. These attitudes seem to indicate a high degree of overconfidence or naivete among information security practitioners. I believe a number of these organisations may be in for a rude awakening if their systems are targeted by criminals.”

I’ve said in the past that UK business needs to pay attention to what happened at Target, Neiman Marcus, et al, but there still appears to be much more that could be done to mitigate the data breach risk in this country, including improved controls, better communication, improved security awareness training and, perhaps, more openness and better incident response from those companies that have been breached.

Trustmark Pulls out Of Class-Action Suit Against Target And Trustwave

Last week I wrote about how two banks – Trustmark National Bank of New York and Green Bank of Houston – had come together to file a class action lawsuit against Target, Inc. in the wake of a data breach at the US retailer which saw 40 million credit card details, and 70 million other personal details, stolen.

Now, however, one of the two banks suing both Target and security vendor Trustwave has pulled out.

Trustmark National Bank filed a notice of dismissal of its claims on Friday. No detail is given as to why the bank has now ceased its action with the notice saying little more than:

“Pursuant to Federal Rule of Civil Procedure 41(a)(1)(A)(i), Trustmark hereby voluntarily dismisses its claims without prejudice to re-filing.”

However, based on a letter from Trustwave to its customers, the real reason why Trustmark ceased its legal action may be that Trustwave was misnamed in the suit.

After initially declining to identify its customers, or comment on outstanding litigation, Robert J. McCullen, Chairman, CEO and President of Trustwave Holdings, Inc., wrote:

“Dear Customers and Business Partners,

As some of you may know, Trustwave was recently named as a defendant in lawsuits relating to the data security breach that affected Target stores in late 2013.

In response to these legal filings, Trustwave would like to reassure our customers and business partners that these claims against Trustwave are without merit, and that we look forward to vigorously defending ourselves in court against these baseless allegations.

Contrary to the misstated allegations in the plaintiffs’ complaints, Target did not outsource its data security or IT obligations to Trustwave. Trustwave did not monitor Target’s network, nor did Trustwave process cardholder data for Target.”

Even if Green Bank of Houston should dismiss its claims, and there is no indication at this time that it will, the implications of the case still remain highly pertinent.

The banks’ original claim alleged that Trustwave had failed to ensure that Target’s systems were in line with industry standards, having informed the retailer that there were no vulnerabilities on its network shortly before the breach occurred.

Should such a claim be brought before a court in the future, and the judge and/or jury find in favour of the plaintiffs, then the consequences will be far-reaching, with breach victims and their security partners both being at risk of litigation and the subsequent costs associated with the losses incurred by affected financial institutions.

And of course let’s not forget the other impacts of a data breach, which are numerous, including loss of revenue through a variety of avenues as well as the potential damage to the trust in, and reputation of, the affected company or companies.

Perhaps the breach at Target, as well as other high profile breaches over the last year, will be sufficient to encourage businesses of all sizes to assess their security standing in order to ensure the risks are well managed and as small as possible?

We can but hope…