Home Depot Investigates Breach. Slow Adoption Of Chip-And-Pin To Blame?

Another day, another breach.

This time it looks like US DIY chain Home Depot may have been compromised along with the possibility that customer credit and debit card data may have been snatched.

The possible breach was first reported by Brian Krebs who later updated his original post to suggest that the breach may extend back to April or May of this year.

The home improvement chain has subsequently revealed that it is investigating what it refers to as ‘suspicious activity’ and has also confirmed that it is working with “banking partners and law enforcement” as part of its own inquiry into what may have transpired.

Paula Drake, a U.S. spokesperson for Home Depot, said:

“I can confirm we are looking into some unusual activity and we are working with our banking partners and law enforcement to investigate. Protecting our customers’ information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers. If we confirm that a breach has occurred, we will make sure customers are notified immediately. Right now, for security reasons, it would be inappropriate for us to speculate further.”

Krebs, who broke the Target data breach story last year, said that it was too early to say how many stores may have been affected but the fact that Home Depot has 2,200 outlets means that:

“This breach could be many times larger than Target, which had 40 million credit and debit cards stolen over a three-week period.”

If the breach is confirmed, Home Depot would be the latest, and possibly largest, retailer to suffer a loss of sensitive customer information, which may further alarm shoppers who are likely already concerned about the ability of large firms to keep their private data safe.

Krebs said that a number of banks became aware that the chain may have been breached after a massive new swathe of payment card data was made available on underground websites. He added that there are some indications that the alleged attackers in this case may be the same group of Russian and Ukrainian hackers that were responsible for the aforementioned Target breach, as well as other high profile compromises at P.F. Chang’s and Sally Beauty. The motivation for the attack, according to Krebs, could be some sort of protest against the US and Europe in the wake of sanctions levied against Russia following its moves into Ukraine.

Whilst data theft is likely to continue within the retail industry I am of the opinion that US firms are more at risk than others right now due to the slow adoption of the chip-and-pin system in America.

Until that system is fully integrated in the US, the fact that magnetic card strips are still scanned as part of the payment process makes them an easier target at the point of sale.

Or, as Ken Westin, security analyst at Tripwire, says:

“It’s safe to say that mega retailer point-of-sale data breaches are approaching the point of an epidemic. These breaches are having a significant impact on consumer trust and many of the retailers still do not fully comprehend the scope or origin of the breaches.

Organized criminal syndicates are actively targeting U.S. retailers simply because they’ve become lucrative targets; these groups take advantage of inherent vulnerabilities in payment architectures and applications, amongst other tactics, to get into these retail chains and siphon data off undetected.

Pretty much all of these retailers have been notified of potential fraud after the fact usually by fraud analysts at financial institutions who detect stolen credit card activity. They then map the activity back to specific retailers as the common point of origin.”

Racing Post Ticked Off But Not Fined By ICO

Last year hackers breached the website of UK newspaper the Racing Post and made off with a whole heap of personal information belonging to over 677,000 customers.

The October attack saw names, addresses, dates of birth, telephone numbers and passwords exposed but the Racing Post will not be fined, says the Information Commissioner’s Office (ICO).

The ICO said its decision not to levy any financial penalty on the newspaper was a close one, perhaps because its security was found to have been so lax – an investigation discovered that the last penetration test was run in 2007, six years before the SQL injection attack that led to the compromise.

The attack took advantage of existing vulnerabilities in the racingpost.com website which allowed the hackers to access the company’s database of registered users.

The ICO investigation revealed that security around both the website and the customer database was lacking.

Not only had penetration testing ceased in 2007, but regular security patches had been missed since that time too.

ICO Head of Enforcement, Stephen Eckersley, said:

“There is barely a day that goes by without a company being the target of an online attack. This is the modern world and businesses and other organisations must have adequate security measures in place to keep people’s information secure.

“The Racing Post pulled up short when it came to protecting their customers’ information by failing to keep their IT systems up-to-date. This data breach should act as a warning to all businesses that poor IT security practices are providing an open invitation to your customers’ details.”

The Racing Post has now signed an undertaking in which it acknowledged its previous lapses and promised it would try to do better in the future.

The Commissioner will now keep a close eye on the Racing Post which will in turn endeavour to keep its security practices current, as well as upgrade from the woefully inadequate unsalted password system it had in place for customers.
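To show why an unsalted password store is described above as woefully inadequate, here is an added Python example (not code from the Racing Post or the ICO, whose actual scheme is not described on the page). It contrasts a plain unsalted digest, which is identical for every customer who picked the same password and can be reversed with a precomputed lookup table, with a per-user salted PBKDF2 hash. The user table and the short "common passwords" list are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample: a tiny "common passwords" list standing in for the
# multi-million-entry wordlists attackers keep precomputed tables for.
COMMON_PASSWORDS = ["password", "123456", "racing1", "letmein"]

ITERATIONS = 200_000  # PBKDF2 work factor; tune upward as hardware improves


def unsalted_hash(password: str) -> str:
    """The weak scheme: a fixed function of the password alone."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    _, candidate = salted_hash(password, salt)
    return hmac.compare_digest(candidate, digest)


def build_lookup_table(wordlist):
    """What an attacker precomputes once and reuses against any unsalted dump."""
    return {unsalted_hash(word): word for word in wordlist}


def crack_unsalted(stored: dict, table: dict) -> dict:
    """Map user -> recovered password for every unsalted digest in the table."""
    return {user: table[h] for user, h in stored.items() if h in table}


def demo() -> dict:
    # Constructed customer table: two customers chose the same weak password.
    users = {"alice": "racing1", "bob": "racing1", "carol": "Tr0ub4dor&3"}

    unsalted = {u: unsalted_hash(p) for u, p in users.items()}
    cracked = crack_unsalted(unsalted, build_lookup_table(COMMON_PASSWORDS))

    salted = {u: salted_hash(p) for u, p in users.items()}

    return {
        # Same password -> same unsalted digest, so one crack exposes both users.
        "same_unsalted_digest": unsalted["alice"] == unsalted["bob"],
        "cracked_unsalted": sorted(cracked),
        # Random salts make the digests differ even for identical passwords.
        "same_salted_digest": salted["alice"][1] == salted["bob"][1],
        "salted_verify_ok": verify_salted("racing1", *salted["alice"]),
        "salted_verify_wrong": verify_salted("racing2", *salted["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt defeats the precomputed table because the attacker would need a separate table per salt value, and the iteration count makes each guess expensive; neither protects a customer who chose "racing1" against a targeted guess, which is why the password advice elsewhere on this page still applies.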

Assuming the Commissioner is content with the progress made, no fine will be imposed, saving the Racing Post a potential penalty of up to £500,000 which it could expect for a breach of the Data Protection Act.

(Personally I think this is far too lenient and I do not believe the ICO goes as far as it perhaps could to actually make organisations sit up and think about the consequences of a breach – what do you think?)

Meanwhile punters may wish to investigate the security measures employed by the online establishments they frequent following the news last month that Irish bookmaker Paddy Power was breached with the resulting loss of almost 650,000 customer records. In that case, the bookmaker took a whopping 4 years to declare the incident which one can only assume would have given the bad guys plenty of time to make use of the information in all manner of ways.

The Data Breach – It’s More When Rather Than If

So, you put on the radio (anyone still have one of those old-fashioned things?), switch on the tv, or visit your favourite news website and you see it: another data breach has snaffled all the headlines.

Reported data breaches are becoming ever more common. I say reported because I’m not convinced that they necessarily occur vastly more often than in the past, but I do think that they garner more column inches in the rags and more electrons on the interwebs than they ever did.

That said, the nature of data breaches is shifting.

Not so long ago they affected large companies. Hackers, or organised criminals as they more likely are, were targeting big business with the intention of gathering data from which they could profit in some way. It wasn’t great for those affected of course but at least we could go to bed at night and not worry about our own data falling into the wrong hands.

Nowadays of course the situation is somewhat different. Personal data is being hoovered up via data breaches, either as a side effect or by deliberate design. It’s not just hackers that are stealing that data either, but the post-Snowden observations have been covered well enough elsewhere.

The trend which sees the average man or woman in the street become a direct victim of the data breach is an alarming one as it potentially affects so many people.

To put things into perspective, it has emerged today that up to 27 million South Koreans may have had their personal data compromised by a gang that snaffled up website registrations from a variety of sites, including gambling sites, ringtone sites and games sites.

All in, it looks like up to 220 million records may have been stolen by around 16 people who used that info to fraudulently acquire in-game currency and other virtual items for cash.

Worse yet, breached accounts, along with the associated passwords and resident registration numbers, may have been used by third parties as part of a mortgage fraud ring. The guy behind all of this, known simply as Kim, is also said to have sold personal information on to others too.

It’s not the first time this has happened in South Korea either – in 2011 some 35 million people had their personal information exposed after a breach at Cyworld, a local social network. That figure represents almost the entire population of the country.

Whilst South Korea may not be Ireland, Britain or the US, it would still be naive to think that it couldn’t happen in one of those countries, and on a similar scale.

Because for most people it’s not so much if but when.

So what are you doing to lessen the risk of your company being the next victim of the next big data breach? How are you protecting your own personal information on your local computer? What about your online accounts, of which you likely have many? Are they all protected by unique complex passwords? Are they all trustworthy?

Hopefully you are as secure as you can be already but it is worth returning to Mr Snowden. Whatever you may think of him and the way he has leaked certain sensitive information, there is no denying the fact that he has taught us all one thing: if someone wants your data badly enough, they’ll find a way.

No More Security Through Obscurity As Hackers Snaffle 4.5 Billion Records From 420,000 Websites

A Russian hacking group has swiped over a billion usernames and passwords, linked to over half a million email addresses, from what experts have described as poorly secured databases.

The theft, the largest ever of its kind, was discovered by US-based Hold Security which says credentials were stolen from 420,000 websites.

The company’s founder and CEO, Alex Holden, told The New York Times that, unlike the majority of breaches, the gang behind what Hold Security dubs “CyberVor” have gone after a wide spectrum of sites rather than zeroing in on one large company.

Via the dark corners of the web, the hackers gained access to botnet data which revealed websites that were vulnerable to SQL injection attacks. This allowed the attackers to then visit those sites and harvest data, with their primary objective being the gathering of login credentials.

All in, the southern central Russian hackers snaffled up 4.5 billion records though many were duplicates. Overall, Hold Security estimates that the hackers got away with 542 million email addresses and 1.2 billion unique sets of usernames and passwords.

Hold Security has declined to name any of the compromised sites as many have ongoing vulnerabilities and the company has non-disclosure agreements in place, presumably with some of the Fortune 500 sites that were breached.

Hold says that the stolen credentials have not been sold on by the hackers who, instead, appear to be using them to send spam via compromised social networking accounts. This would seem to suggest that at least some of the passwords obtained were either stored in plaintext or were easily cracked.

Companies are now urged to check their systems, looking especially for susceptibility to SQL injection attacks, and this event should further act as a reminder to check all aspects of security within the organisation.
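The CyberVor haul above came from sites that built SQL queries out of user input. As an added illustration (not code from Hold Security or any of the affected sites), the Python snippet below puts the defect beside its fix: a login lookup that concatenates the submitted e-mail address into the query text, and the same lookup using a bound parameter. The in-memory SQLite users table is constructed for the demonstration and the column names are assumptions.

```python
import sqlite3

# Constructed sample table standing in for a site's registered-user database.
SAMPLE_USERS = [
    ("alice@example.com", "hash-a"),
    ("bob@example.com", "hash-b"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table (hypothetical schema for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, password_hash) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Defect: untrusted input is spliced into the SQL text, so quote characters
    in the input change the query's structure instead of staying data."""
    sql = "SELECT email, password_hash FROM users WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, email: str) -> list:
    """Fix: a placeholder; the driver sends the value separately from the
    statement, so it can only ever be compared as a literal string."""
    sql = "SELECT email, password_hash FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo() -> dict:
    conn = make_db()
    normal = "alice@example.com"
    # Textbook tautology input: harmless as data, query-altering as SQL text.
    crafted = "x' OR '1'='1"
    return {
        "normal_vuln": find_user_vulnerable(conn, normal),
        "normal_safe": find_user_safe(conn, normal),
        # Vulnerable path returns every row; safe path matches no such address.
        "crafted_vuln_rows": len(find_user_vulnerable(conn, crafted)),
        "crafted_safe_rows": len(find_user_safe(conn, crafted)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both functions behave identically on a normal address, which is why the defect survives ordinary testing; the difference only shows when the input contains SQL metacharacters. Reviewing a codebase for string-built queries (anything using `%`, `+` or f-strings to form SQL) is the practical version of the check the paragraph above recommends.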

Whilst vulnerable companies remain at risk from future attacks, this particular scenario seems focused on individual users who would be well advised to review all their online accounts and change passwords should they have any concerns about the security surrounding any site they are registered with.

When selecting a new password, users should choose something that is hard to guess or crack and we have ten tips to help you do just that (click here).

Commenting on the news, Mark James, security specialist at ESET, highlighted the limitations associated with the way websites authenticate users, as well as the need for companies to disclose data breaches and other security issues in a timely manner, something that unfortunately doesn’t always happen, as seen recently with CatchOfTheDay and Paddy Power:

“This massive stash of personal information has all been harvested from different locations, ranging from purchased data on the black market through to data from botnets. It has also been harvested from smaller websites where the security is possibly not so good.

We often have to submit our data to do so many seemingly simple things like register to read a newspaper online or even order some takeaway food. This data is stored on servers that could have very little security.

Organising all this data into a central repository and then using it to gain access to more systems would point to a very organised gang of thieves. This discovery highlights the need for companies to inform their users as soon as possible if they think their servers have been compromised as our only defence is using different information online.

The only real way of targeting this problem is to not use email addresses as logins. Websites should give you the opportunity to use a login name that you have full control over, rather than just using the same email address across multiple sites. Of course the usual password rules apply: do not re-use the same password anywhere, make small simple changes that can be easily remembered by yourself and don’t use dictionary words in your password. Even adding one or two random characters into a dictionary word can throw a brute force word search off course.”

ProofPoint’s Mark Sparshott suggests that businesses should take some responsibility onboard, saying that many are living in a past where security through obscurity still had some merit:

“Most SMEs know they have weak security but do nothing about it because they believe that cybercriminals focus on high profile, high value ‘Targets of Choice’ who are selected specifically and pursued intently.

CyberVor blows this self-denial out of the water as the majority of those businesses breached were ‘Targets of Opportunity’ attacked by automated scripts that launched sophisticated SQL Injection, Spam and Phishing attacks against an endless list of websites and IPs without any knowledge of who they were attacking.”

My own suggestion would be that users need to think carefully about opening new accounts online, querying the company concerned about why they need the data and how they will secure it. I’d also point out, once again, that anyone creating an online account should be careful not to reuse the same password because, once compromised, it can give an attacker access to all of their accounts. Use different login credentials for every site you visit – it’s what password managers were made for.

Data Breaches Have Minimal Effect On Consumer Attitude Towards Fraud And Privacy

According to a May 2014 survey by idRADAR, the attitude of the general public towards privacy issues and the risks of fraud is still alarmingly poor.

A national survey of 313 consumers, taken from a broad range of ages and socio-economic groups, discovered that almost four-fifths had taken no action to protect their privacy or guard their financial accounts from fraud, despite the fact that over 260 million people have been victims of data breaches since the goings-on at Target entered the public domain.

Tom Feige, CEO of idRADAR, noted that:

“There is a national data breach epidemic, and consumers shockingly show very few signs of concern. Most are taking no measures to protect themselves.”

The poll, the first in what will be a quarterly affair set to measure consumer trends, showed that the majority of respondents do not even take the time to change their passwords following a breach. Less than 10% of the consumers interviewed make a point of changing passwords on a regular basis and a little under two-thirds admitted that they only change their login credentials when a compromised website forces them to.

Alarming stuff indeed.

The survey also found that around ninety-three percent of those surveyed would expect a breached company to offer them a free credit monitoring service after the fact (a figure that may possibly have been skewed due to the nature of idRADAR’s business). Additionally, 70% of those questioned said they intend to use debit cards in preference to credit cards, despite the additional protections offered by the latter, prompting Feige to say that:

“Clearly, consumers do not want to take responsibility for protecting themselves before or after a serious breach. They want someone else to worry about it.”

Feige also suggests that the malaise amongst consumers means that “they don’t seem to care if their personal privacy rights are threatened,” and that the majority “want to rely on the government to protect them.”

Unfortunately, as we now know, many governments arguably do not have citizens’ best interests at heart at all times. Even so, the subjects of this survey were more concerned (55%) about the threat of data breaches than the potential invasion of their privacy posed by the NSA and other government agencies snooping on their phone calls, browsing habits and email messages.

Which is all a bit ironic really when you consider that the majority of those interviewed are doing nothing about either issue.

As I am sure you are aware, data breaches are big news these days and the indications are that they will continue.

The most recent of those breaches – at auction site eBay – highlights not only the sort of information that gets taken –

  • customer names
  • encrypted passwords
  • email addresses
  • physical addresses
  • phone numbers
  • dates of birth

– but also the challenges faced by large corporations when the proverbial hits the fan. I still know a few people who are yet to receive an email from eBay advising them of the need to change their passwords and, as this survey suggests, such communication would appear to matter not a jot to some people anyway.

The idRADAR survey does offer some insight into why such a situation exists. It comes as no surprise to learn that only 41% of the respondents had heard of the recent Heartbleed bug, which ties in with figures produced recently by the Pew Research Center which found awareness of the vulnerability to be equally lacking.

Feige concluded that:

“People are not paying enough attention to this critical problem, and their lack of knowledge on the entire subject is frankly very alarming. Obviously there is a great need for education on this issue.”

And he is absolutely right.

Those readers who work in or around information security will know the importance of security awareness within the business arena. Despite the expertise of top security professionals, such as Brian Honan himself, it is still an area with a lot of development potential in my opinion.

But should security awareness be limited to the corporate sector?

I would argue not, especially after reading surveys such as this one. It appears that many home computer users could benefit from some fairly basic advice on how to stay safe on the internet and how to react to certain scenarios.

Here in the UK we have initiatives such as Cyber Streetwise that offer some early promise, but we need more. And it is not just the individual who would benefit from universal security training either – employees who buy into security to protect their own digital assets would likely think more carefully about how to protect their employer’s data too.

UK Survey: 25 Percent of Breaches Go Undetected for More Than 24 Hours

A new survey from Tripwire, Inc., has discovered that 40% of retail and financial organisations need 2-3 days to detect a breach.

Last Tuesday I met up with detective novel-inspired Dwayne Melancon and other key Tripwire personnel as part of the Eskenzi press lunch that was being held in conjunction with InfoSecurity Europe 2014. The topic of discussion was data breaches, including within the retail sector, the area in which I work when I’m not at my keyboard. That, combined with the recent high profile breaches at the likes of Target and Neiman Marcus, made sure that my curiosity and interest were piqued in equal measure.

As I am sure many of you know, a recent report from the Ponemon Institute has revealed that the costs associated with a breach have risen significantly over the last year, rising 15% to $3.5 million in total. Furthermore, each individual record containing sensitive and confidential information that is lost or stolen is now costing business $145 a time, a year on year rise of 9%. Significantly, the Ponemon Institute also discovered that the probability of a company having a data breach involving 10,000 or more confidential records is 22 percent over a two-year period.

So, given the above, can we expect organisations to be considering the risk of suffering a data breach far more seriously than ever before?

Apparently not, according to Tripwire’s findings.

A survey conducted by Atomic Research, encompassing 102 financial organisations and 151 retail organisations in the U.K., all of which process card payments, indicates that recent data breaches have actually had little impact on the security controls employed by those businesses.

Additionally, 35% of those polled said it would take as long as two to three days to detect a breach on their systems whilst 44 percent admitted that their customer data could be better protected.

The Payment Card Industry Data Security Standard (PCI DSS) is a security standard that outlines minimum security requirements for organisations that handle cardholder information. When the surveyed organisations were asked how important PCI compliance is to their overall security program, 43 percent said it was the backbone of their security program, and 36 percent said it was half of their security program.

PCI compliance is not, of course, a silver bullet and, in my opinion, should only be seen as one part of a much broader security program. Even so, it is still interesting to learn that only 11.1% of businesses were fully compliant in 2013 and, as Neira Jones recently told me:

“It has been evidenced in the Verizon PCI Compliance Report 2014 that ‘organisations that are breached tend to be less compliant with PCI-DSS than the average of organisations in our research’”.

In response to the survey findings, Tripwire’s Tim Erlin, director of IT security and risk strategy, said:

“It is shocking to see the high level of confidence exhibited by respondents in the wake of the recent series of high-profile cardholder data breaches. Sixty percent of respondents said they are confident that their security controls are able to prevent the loss of data files, but this confidence flies in the face of recent evidence to the contrary.”

Other notable findings from the Atomic Research survey include:

  • 24 percent of the organisations polled have already suffered a data breach in which Personally Identifiable Information (PII) was either stolen or accessed by intruders.
  • 36 percent of respondents do not have confidence in their incident response plan.
  • 51 percent of respondents are only somewhat confident that their security controls can detect malicious applications.
  • 40 percent of respondents said they do not believe that recent high profile cardholder breaches have changed the level of attention executives give to security.

Melancon, chief technology officer for Tripwire said:

“It is great that recent breaches have increased cybersecurity awareness and internal dialogue. However, the improved internal communication may be biased by a false sense of security. For example, 95 percent of respondents said they would be able to detect a breach on critical systems within a week. In reality, nearly all of the recent publicly disclosed breaches have gone on for months without detection.”

Melancon added that:

“Furthermore, only 60 percent of respondents believe their systems have been hardened enough to prevent the kind of data loss similar to that seen in recent high profile breaches. These attitudes seem to indicate a high degree of overconfidence or naivete among information security practitioners. I believe a number of these organisations may be in for a rude awakening if their systems are targeted by criminals.”

I’ve said in the past that UK business needs to pay attention to what happened at Target, Neiman Marcus, et al, but there still appears to be much more that could be done to mitigate the data breach risk in this country, including improved controls, better communication, improved security awareness training and, perhaps, more openness and better incident response from those companies that have been breached.

Trustmark Pulls out Of Class-Action Suit Against Target And Trustwave

Last week I wrote about how two banks – Trustmark National Bank of New York and Green Bank of Houston – had come together to file a class action lawsuit against Target, Inc. in the wake of a data breach at the US retailer which saw 40 million credit cards details, and 70 million other personal details, stolen.

Now, however, one of the two banks suing both Target and security vendor Trustwave has pulled out.

Trustmark National Bank filed a notice of dismissal of its claims on Friday. No detail is given as to why the bank has now ceased its action with the notice saying little more than:

“Pursuant to Federal Rule of Civil Procedure 41(a)(1)(A)(i), Trustmark hereby voluntarily dismiss its claims without prejudice to re-filing.”

However, based on a letter from Trustwave to its customers, the real reason why Trustmark ceased its legal action may be that Trustwave was misnamed in the suit.

After initially declining to identify its customers, or comment on outstanding litigation, Robert J. McCullen, Chairman, CEO and President of Trustwave Holdings, Inc., wrote:

“Dear Customers and Business Partners,

As some of you may know, Trustwave was recently named as a defendant in lawsuits relating to the data security breach that affected Target stores in late 2013.

In response to these legal filings, Trustwave would like to reassure our customers and business partners that these claims against Trustwave are without merit, and that we look forward to vigorously defending ourselves in court against these baseless allegations.

Contrary to the misstated allegations in the plaintiffs’ complaints, Target did not outsource its data security or IT obligations to Trustwave. Trustwave did not monitor Target’s network, nor did Trustwave process cardholder data for Target.”

Even if Green Bank of Houston should dismiss its claims, and there is no indication at this time that it will, the implications of the case still remain highly pertinent.

The banks’ original claim alleged that Trustwave had failed to ensure that Target’s systems were in line with industry standards, having informed the retailer that there were no vulnerabilities on its network shortly before the breach occurred.

Should such a claim be brought before a court in the future, and the judge and/or jury find in favour of the plaintiffs, then the consequences will be far-reaching, with breach victims and their security partners both being at risk of litigation and the subsequent costs associated with the losses incurred by affected financial institutions.

And of course let’s not forget the other impacts of a data breach, which are numerous, including loss of revenue through a variety of avenues as well as the potential damage to the trust in, and reputation of, the affected company or companies.

Perhaps the breach at Target, as well as other high profile breaches over the last year, will be sufficient to encourage businesses of all sizes to assess their security standing in order to ensure the risks are well managed and as small as possible?

We can but hope…

Banks Sue Target And Trustwave As Data Breach Fallout Continues

Banks impacted by the data breach of Target last year have come together to file a class-action lawsuit against the US retailer. A court filing also names security firm Trustwave as a co-defendant, saying that the firm “failed to live up to its promises or to meet industry standards.”

The breach, which resulted in the theft of at least 40 million customers’ credit card details, as well as 70 million other personal records, arose after an attack at HVAC contractor Fazio Mechanical Services Inc provided a bridge into Target’s own systems.

The plaintiffs in the case – Trustmark National Bank of New York and Green Bank of Houston – claim that the retailer and security company failed to prevent the theft of data.

The lawsuit, which is not the first filed against Target, shows the increasing pressures and potential costs that are increasingly being associated with breaches, which themselves are on the rise.

For their part, the banks are concerned with the costs that they have borne in this case – it is estimated that the cost of issuing new cards to customers that have potentially been affected stands at around $172 million. The plaintiffs also cite future costs, including absorption of fraudulent charges made on stolen cards, lost profits, missed business opportunities and damage to the business as a whole, the total of which could possibly rise to as much as $1 billion.

Trustmark and Green Bank have included Trustwave in their lawsuit because they believe that vulnerabilities in Target’s systems remained “either undetected or ignored” in various audits up to September of last year.

Furthermore, the banks claim that the retailer stored “credit and debit card data on its servers for six full days before hackers transmitted the data to a separate webserver outside of Target’s network.” The lawsuit also claims that the breach remained undetected for a period of three weeks, even though Trustwave “provided round-the-clock monitoring services to Target.”

Additional claims levied against Target include the suggestion that the firm was not in compliance with PCI-DSS at the time of the breach, despite the fact that Trustwave claims to provide guidance to millions of businesses on reaching the standard. Also, the filing claims that POS terminals in-store were not protected by any form of antivirus software. Trustmark National Bank and Green Bank also say that the retailer should not have allowed a third party contractor to have access to its network.

Lawsuit aside, the effects on Target don’t make pretty reading either. The company recently announced a fourth quarter fall in profits of 46%. The direct costs of the breach to the company already stand at $61 million with only $44 million of that being covered by cyber insurance. Further significant losses are also to be expected as further costs from fraud become quantifiable and attributed to the business.

All in all then I think it is quite obvious that a data breach is bad news for any business on many different levels, ranging from the obvious financial aspects to potential legal action and, even more importantly, possible damage to reputation.

Whilst it’s obvious that not every business will be attacked in this way, UK businesses do still have cause for concern.

So have you done everything you can to minimise the chances of your business being breached? Have you trained your staff to look for evidence of attack and to respond accordingly? Is your company looking at its risk management framework and the various standards such as PCI-DSS and ISO 27001? Has your organisation been proactive in preparing an incident response plan should the worst happen?

Target Data Breach Could Have Been Averted If Alerts Had Been Acted Upon

The data breach at Target in November could have been averted, or at least mitigated, if the alerts produced by the retailer’s $1.6m security system hadn’t been initially dismissed.

The breach, the sixth largest in history, saw the loss of 40 million payment card details in addition to 70 million other personal records, which has prompted many to question whether companies are doing enough to safeguard important data.

Speaking about the organisation's security team yesterday, Target spokeswoman Molly Snyder said that the company logs a huge number of events each week and that,

“a small amount of activity was logged and surfaced to our team. That activity was evaluated and acted upon. Based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow up. With the benefit of hindsight, we are investigating whether, if different judgments had been made the outcome may have been different.”

According to a report from Bloomberg BusinessWeek, Target were using a newly installed network monitoring tool at the time of the attack. The $1.6m system, provided by FireEye, alerted staff that there was malware on the system on two separate occasions prior to the actual breach occurring. Those alerts were picked up by security personnel in Bangalore, India, who forwarded them to the retailer's headquarters in Minneapolis, but no further action was then taken.

Had the alerts received the attention that we now know they merited, it seems likely that Target would have had several options for dealing with the threat, which would probably have prevented the breach altogether, or at least mitigated its impact.

The FireEye system also had a capability that could have been used to neuter the attack, but it was not operational at the time: the installation was so new that the feature had yet to be tested.

So it looks like Target probably had the technological capabilities to detect and prevent (or at least minimise) the data breach. The reasons why they didn’t aren’t technical in nature though and show why the human element remains key within any organisation.

The Target breach should, hopefully, serve as a wake-up call to other retailers in the US to ensure that their defences are robust and, more importantly, that their staff are well trained and security aware enough to recognise signs of intrusion, deal with alerts and actually use the technology at their disposal to deal with any threat.
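The failure described above was not that alerts were missing but that open, forwarded alerts aged out without anyone dispositioning them, and that two malware alerts on the same part of the estate were never joined up. As an added example (not code from the original post, and not Target's or FireEye's tooling), here is a small triage check that a defender can run over an exported alert queue: it flags open alerts that have outlived an assumed per-severity SLA and flags hosts that raise repeated malware alerts inside a short window, regardless of how each alert was scored on its own. The alert records, host names and SLA values are all constructed for the illustration.

```python
"""Alert-aging and repeat-host checks over a constructed alert queue."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Alert:
    alert_id: str
    host: str
    severity: str                  # "low", "medium" or "high"
    category: str                  # e.g. "malware", "policy"
    raised_at: datetime
    closed_at: Optional[datetime] = None   # None means nobody has dispositioned it


# Assumed SLA: how long an open alert of each severity may wait for a disposition.
SLA = {
    "high": timedelta(hours=4),
    "medium": timedelta(hours=24),
    "low": timedelta(days=3),
}

# Constructed sample queue: two forwarded-but-never-closed malware alerts on one
# store gateway, plus two alerts that were handled promptly.
SAMPLE_ALERTS = [
    Alert("A-1001", "store-pos-gw-01", "high", "malware", datetime(2014, 1, 3, 2, 0)),
    Alert("A-1002", "store-pos-gw-01", "high", "malware", datetime(2014, 1, 5, 9, 0)),
    Alert("A-1003", "hq-fileserver-07", "low", "policy", datetime(2014, 1, 4, 10, 0),
          closed_at=datetime(2014, 1, 4, 12, 0)),
    Alert("A-1004", "store-pos-gw-14", "medium", "malware", datetime(2014, 1, 8, 11, 0),
          closed_at=datetime(2014, 1, 8, 15, 0)),
]


def overdue(alerts, now):
    """Open alerts older than their severity's SLA, as (alert_id, hours_open) pairs."""
    out = []
    for a in alerts:
        if a.closed_at is not None:
            continue
        age = now - a.raised_at
        if age > SLA[a.severity]:
            out.append((a.alert_id, round(age.total_seconds() / 3600, 1)))
    return out


def repeat_hosts(alerts, category, window, min_count=2):
    """Hosts with at least min_count alerts of `category` inside any window-long period.

    Returns {host: count_in_window}. A second malware hit on the same host is a
    stronger signal than either alert's individual severity suggests.
    """
    by_host = defaultdict(list)
    for a in alerts:
        if a.category == category:
            by_host[a.host].append(a.raised_at)
    flagged = {}
    for host, times in by_host.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= min_count:
                flagged[host] = j - i + 1
                break
    return flagged


def triage_report(alerts, now):
    """Combine both checks into the escalation list a shift lead should see."""
    return {
        "overdue": overdue(alerts, now),
        "escalate_hosts": repeat_hosts(alerts, "malware", timedelta(days=7)),
    }


if __name__ == "__main__":
    report = triage_report(SAMPLE_ALERTS, datetime(2014, 1, 15, 0, 0))
    for alert_id, hours in report["overdue"]:
        print(f"OVERDUE {alert_id}: open for {hours} h")
    for host, n in report["escalate_hosts"].items():
        print(f"ESCALATE {host}: {n} malware alerts within 7 days")
```

The point of the second check is that "forwarded" is not a disposition: an alert only leaves the queue when someone records a decision, and the report is meant to be run on a schedule so that aged-out alerts cannot quietly disappear.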

And, if anyone thinks this is a US-only problem, think again.

As Neira Jones said earlier this week (see her excellent post here):

“Will a retailer data breach happen in the UK/ Europe? Yes, absolutely: e-commerce sites are still a relatively easy target for criminals, but we probably won’t get to hear about it much as disclosure laws are somewhat different over here (that is until the EU data protection regulations come into force…).”

And, just to drive the point home, here is an excerpt from a Facebook posting made by UK retailer Morrisons this very morning:

“We are extremely sorry to inform you that there has been a theft of colleagues’ personal information, which was uploaded onto a website… The information included names, addresses and bank account details of colleagues. This affects colleagues from all levels of the organisation.”

Have you assessed your organisation’s security recently and do you have a pre-planned response should your business become the next victim of a data breach?

New Breach? 360 Million Credentials For Sale On The Black Market

Information security firm Hold Security says it has uncovered credentials from 360 million compromised accounts for sale on the web’s equivalent of the black market.

The US firm, whilst admitting that it does not know where the data originated from or what it can be used to access, said that the treasure trove of information could still pose serious risks to companies and users alike. This, it said, was because the pilfered credentials could include usernames and passwords which, as we all know, tend to get re-used again and again across a user’s whole portfolio of accounts, including their online banking setups.

Over the last few weeks, analysts at Hold Security uncovered the mass of credentials, believed to have been stolen recently, whilst studying underground forums where stolen data was being traded. The firm, which was responsible for identifying last year's massive Adobe breach, also uncovered a staggering 1.25 billion email addresses for sale, presumably to spammers desperate to tempt us with even more pills and potions.

Alex Holden, chief information security officer at Hold Security, told Reuters that 105 million of the records came from one source which could signify a new, massive breach, unless it is secondhand data from an already known attack, such as the one seen recently at Target Corp.

Holden's own belief is that the cache does indeed come from breaches that are not already in the public domain, which raises questions about whether the targets are either (a) unaware that their systems have been compromised in the first place or (b) deliberately keeping quiet about an attack.

The security firm, which gathered the data as part of its Deep Web Monitoring services, says that it will communicate with the companies involved, subject to being able to identify them.

What is known is the type of data available for sale with the compromised accounts offering up goodies such as usernames, email addresses and, it seems, unencrypted passwords too. Eeek!
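Because passwords are re-used across accounts (as noted above), a dump like this is a risk to services that were never breached themselves, and the practical defence is to check passwords at login or registration against the known-leaked set without handing the plaintext, or even its full hash, to whoever holds the corpus. As an added example (not code from the original post or from Hold Security), the block below does that with the k-anonymity range-query pattern: the client sends only the first five hex characters of the SHA-1 hash, receives every leaked suffix under that prefix, and finishes the comparison locally. The leaked corpus, the lookup function and the five-character prefix length are all constructed assumptions for the illustration.

```python
"""Breached-password check using a hash-prefix (k-anonymity) range lookup."""
import hashlib
from collections import Counter

# Constructed stand-in for a leaked-credential dump; a real corpus would hold
# hundreds of millions of entries and would never be distributed as plaintext.
_LEAKED_PLAINTEXT = [
    "password1", "letmein", "qwerty123", "password1", "Summer2014!", "password1",
]

# What the lookup service actually stores: full SHA-1 hex digest -> times seen.
LEAKED_INDEX = Counter(
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _LEAKED_PLAINTEXT
)

PREFIX_LEN = 5          # assumed: only this much of the hash ever leaves the client
SENT_PREFIXES = []      # audit trail of everything the client disclosed


def sha1_hex(password: str) -> str:
    """Hex SHA-1 of the password, upper-cased to match the index."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix: str):
    """Service side: every (suffix, count) whose full hash starts with `prefix`.

    The service learns the prefix and nothing else; all candidates are returned.
    """
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly %d hex characters" % PREFIX_LEN)
    return [(h[PREFIX_LEN:], c) for h, c in LEAKED_INDEX.items() if h.startswith(prefix)]


def password_is_breached(password: str):
    """Client side: (breached?, times_seen). Only the hash prefix is disclosed."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    SENT_PREFIXES.append(prefix)
    for candidate_suffix, count in range_lookup(prefix):
        if candidate_suffix == suffix:
            return True, count
    return False, 0


def registration_decision(password: str) -> str:
    """Policy hook: refuse a leaked password, explaining how widely it has been seen."""
    breached, count = password_is_breached(password)
    if breached:
        return "reject: password appears %d time(s) in known breach data" % count
    return "accept"


if __name__ == "__main__":
    for pw in ("password1", "correct horse battery staple"):
        print(pw, "->", registration_decision(pw))
    print("prefixes disclosed:", SENT_PREFIXES)
```

The same check belongs at login as well as at registration, so that an account whose password later turns up in a dump gets a forced reset rather than waiting for the attacker to try it.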

The reason why so much account data is available across the darkest parts of the web seems obvious: data breaches are very much on the rise, with Risk Based Security (RBS) reporting that 2013 was a record year with over 800 million records being stolen (more than double the previous record high).

Combine that trend with the average cost of a data breach, estimated to be £2.04m in 2013 according to a Symantec and Ponemon Institute report, and you begin to see why companies need to take the risk of being breached extremely seriously.

Fortunately, the Symantec report also highlighted how firms in the UK and US were able to realise the greatest reduction in the impact of a breach: costs were minimised by having a strong security posture, an effective CISO and an incident response plan.

Other factors that could help mitigate a breach, or reduce the chances of one occurring in the first place, include segregating payment card data from other internal networks (it looks possible that one recent breach victim may not have done this, despite the PCI-DSS regulations), improving staff awareness (human error is often a key factor in many cases) and ensuring your systems are secure on an ongoing basis.