Are Data Breaches Really a Global Problem, or Just America’s?

Google Alerts are awesome. You can easily set up notifications for keywords relevant to your interests, which are delivered straight to your email inbox. At Ground Labs, we are constantly monitoring a small handful of keywords relevant to data security, to stay on top of the latest news and trends.

However, we soon found ourselves being flooded with tens of emails daily for each alert, to the point where we had to change the alert settings to only receive email notifications once a day, instead of whenever data security news was broken. It comes as no surprise that even in the year 2014 (what year did we all start working on PCI?), companies all around the world are still not adequately protecting sensitive customer data.

But is data security really a worldwide epidemic, or is it only a prevalent problem in America?

Let’s dive into this rabbit hole some more. Below is a screenshot of a Google Alert for the keyword ‘data breach’. We’ve marked every article with a country flag, based on which country the news revolves around. In the event that articles were not targeting any country specifically, we looked at the country audience the article was written for.

As you can see, within a 24-hour period, there were notifications for 1 Australian, 1 Canadian, 1 South Korean, and a whopping 30 American data breach stories. How about that.

It’s no surprise that American consumers are losing interest in data breach incidents in general, as covered in our previous blog post titled ‘Another Major Retailer Hit By a Data Breach: Does Anyone Care?’. Anyone would get bored reading 30 stories a day about how everyone from retailers to the Government are failing to safeguard sensitive data.

We think that America deserves a fair trial before we lay blame for being lax on data security, though. The verdict is really up to you to decide. Here are some prosecution points:

1. The Symantec Internet Security Threat Report 2014 states that in 2013, the United States was responsible for the loss of nearly 547 million records, making up 66.5% of all exposed records for the year. This year America has outdone itself though, with multiple large retail data breaches affecting Home Depot, Dairy Queen, JPMorgan Chase and more.

2. America is behind its global counterparts for card-present security – Obama only just ordered chip-and-pin technology in Government credit cards, when the technology has been available to over 100 countries, including all across Europe, since 2005.

And in their defense:

1. America has strict data breach notification laws in place that demand breached companies report the incidents publicly. Australia and Europe have data breach notification guidelines, but no concrete rule. Asia has strict notification laws, but does anyone know they exist? Companies in other countries might be facing the largest data breaches imaginable, but we would be none the wiser.

2. America might be winning by scale, but South Korea is worse off in ratio. While 50% of all American adults have had their data breached in the last 12 months (More about that here), the BBC just reported that over 80% of all South Koreans have had their personal data stolen, resulting in the country being forced to issue new identity cards to its citizens, an effort which will cost billions of dollars.

While we understand that Google Alerts may not be the most accurate measurement point (we only receive notifications in English, which skews the results a bit), it certainly can feel that America is always front and center whenever systems get breached. More has to be done, and soon.

While the rollout of chip-and-pin technology should greatly help in reducing storefront credit card information theft (the same year it was implemented in France, credit card data fraud went down 80%), that technology is still a little far away from being implemented all across America: every terminal has to be changed over, which is going to collectively cost merchants more than 2.5 billion dollars. In the meantime, companies are still required to secure any sensitive customer data being handled and should consider a simple yet effective approach – focus your efforts on finding and securing or eliminating customer data on your systems. It won’t matter how secure your system is; hackers can’t steal data if it’s no longer there.

Ground Labs’ Data Recon does just that, by searching systems for over 95 types of sensitive data, including healthcare information and personal identification and credit card numbers. Once found, you may simply mask, encrypt, quarantine or permanently delete unwanted sensitive data in a matter of seconds, leaving nothing for hackers to steal. It’s an essential layer of security that comes at an affordable price.

Take Data Recon for a free trial today by visiting our website here.


Another Major Retailer Hit By Data Breach: Does Anyone Care?

We remember that a mere few months ago, we would check every day for data breach news, and feel emotions of both alarm and excitement when a recognizable brand stepped up onto the podium of shame. It would be a “stop the presses!” type of fluster, and we would examine the breach from every possible angle, in an effort to understand how it happened and what new lessons can be learned this time round.

However, when we started our week off, someone casually mentioned in an offhand way that Kmart just got breached, and the feeling was emotionless. We’re reasonably certain it has nothing to do with the fact that we’re slowly becoming more jaded and bitter adults, either. Large breaches are happening over and over again, and it’s happening so routinely that it’s only marginally more interesting than watching yet another iPhone 6 unboxing video on YouTube.

Let’s just break down the Kmart hack facts real quick: just like its data breach brothers Target and Home Depot, Kmart was breached via malware. The retailer reported that the breach started in early September and was promptly plugged, but not before debit and credit card numbers were stolen.

Kmart also established that no personal information, debit card PIN numbers, email addresses or social security numbers were obtained by the hackers. In addition, there is no evidence that customers were impacted.

While no figures have been announced on how many credit and debit cards have been compromised, it’s unlikely the losses are going to be as big as Home Depot’s 56 million card breach, which went undetected for 4 months.

None of that feels particularly sensational, and we’re not the only ones losing interest in data breach news, either. A new study from YouGov BrandIndex shows that while data breaches are getting bigger and badder, consumers are caring less and less.

YouGov BrandIndex measured Target, Home Depot, and JPMorgan Chase, three large corporations which suffered huge data breaches within the last 10 months, on a Buzz score. The way the Buzz score works is that respondents were asked if they heard anything negative or positive about the brand within the last two weeks. A negative score meant respondents heard mostly bad things about the brand, and that the brand had an overall negative public perception. 100 is the best possible score, and -100 is the absolute worst.

Target, which was hacked in December 2013 in a breach that affected 40 million customers, dropped 49 Buzz points from 20 to -29 in only 8 days.

This year, when Home Depot lost the data of 56 million credit card customers, their Buzz score dropped only 16 points from 22 to 6 in 10 days. And when JPMorgan Chase announced their 76 million household-affecting breach, their score only dipped 13 from a 6 to -7.

Not only are the scores dropping significantly less with each big breach, but the post-breach Buzz score recovery rate is improving as well.

Maybe each company is learning from their predecessor and handling data breach PR more effectively. Maybe many of the affected customers are breach veterans, and they’re adopting the “Keep Calm” meme mentality. Maybe everyone is just getting used to the fact that companies are not capable of protecting their sensitive data. Or it may very well be a combination of all of the above.

The last point is especially worrying, though. Kmart’s press release stated that their store payment data systems were infected with a form of malware that was undetectable by current anti-virus systems. We’re not doubting the legitimacy of that statement at all, but would like to highlight how sad a fact it is that hackers have a technological advantage over the good guys. You don’t hear about criminals with DNA that can’t be detected by crime scene forensic experts, or anti-terrorist groups with less firepower than the terrorists they combat.

Good guys are supposed to have more power, because there are more of us, and we have access to better resources. It brings to mind the scene in Iron Man where Obadiah Stane berates a scientist for not being able to build something Tony Stark could while in a cave with nothing more than a box of scraps.

One important thing to note, though, is that regardless of public perception towards data breaches, they are significantly more expensive to clean up after than to prevent. Here are the latest American figures for data breach costs in 2013 as reported in the Ponemon 2014 Cost of Data Breach Study:

| | Cost (US$) |
|---|---|
| Average notification | 509,237 |
| Average detection and escalation | 417,700 |
| Average post data breach costs | 1,599,996 |
| Average lost business costs | 3,324,959 |
| Total | 5,851,892 |

Note the word average – in the case of these larger breaches the costs are typically higher, with Target having spent $148 million USD to date.

While public perception affects the business cost loss, it has no bearing on the notification, detection and escalation, or post data breach costs. So even if it’s true that the public doesn’t care much if you get breached, you’re still losing millions.

Even if data breaches are an inevitability, there are two factors you can control, namely your security team’s response time, and the number of records stolen. While it can take months or years to build a strong data security team, securing data records can be done relatively easily. By encrypting or removing your customers’ sensitive data on your systems (which you should not be storing in the first place, according to international data privacy laws), you are leaving nothing for hackers to steal.

Ground Labs’ Data Recon data discovery tool was developed to help you do just that. It searches every corner of your computer system for all kinds of sensitive information, from credit card numbers to personal healthcare information. Once found, you can delete, encrypt, move or mask the data to make the records essentially worthless to hackers. It’s the easiest and safest way to process sensitive customer data.

Take Data Recon for a Free Trial spin today, and find out how simple safeguarding sensitive customer information can be.


It’s a Toss-Up Whether Your American Household Was Hit By a Data Breach – Can Hackers Be Stopped?

C-3PO once told the immortal Han Solo that the odds of successfully navigating an asteroid field is approximately 3,720 to 1, to which he replied, “Never tell me the odds.”

While Mr. Solo’s approach of ignoring the odds is often preferred by many, here’s a startling statistic that cannot afford to be ignored – more than 50% of all households in the United States were affected by a data breach that occurred earlier this year at the largest bank in the USA, JPMorgan Chase.

The bank confirmed in a regulatory filing that the compromised data impacts approximately 76 million households and 7 million small businesses. For some perspective, there are a little over 120 million households in the US.

The information compromised includes names, addresses, phone numbers and email addresses, as well as internal information relating to such users.

There are two linings of silver to this grim tale, though – firstly, JPMorgan Chase stated that there is “no evidence that account information for such affected customers – account numbers, passwords, user IDs, dates of birth or Social Security numbers – was compromised during the attack.” Secondly, as of yet, no unusual customer fraud has been observed on any of the compromised accounts.

Data breaches are incredibly commonplace in the US, with reports in May that half of all US adults were hacked in the last 12 months. Given that two big breaches, the aforementioned JPMorgan Chase incident as well as the Home Depot breach, happened after May, it seems likely that the number of hacked US adults has tipped way over the halfway point by now.

Big banks are a frequent target for hackers – the finance industry was the one with the highest number of security incidents with confirmed data loss in 2013, as reported in the 2014 Verizon Data Breach Report. Hackers are constantly and relentlessly attempting to gain access to the sensitive data stored in their servers, and even the tiniest chink in their armour can prove disastrous.

Staying secure requires the same level of smarts, technology, and persistence that the hackers possess, if not more. It’s a constant battle to stay one step ahead, and unfortunately, as this incident proves, the hackers are getting better at winning.

While up-and-coming security technologies like Apple Pay and EMV tokenization are set to even out the odds in the card present space, there is an immediate and very real need to protect sensitive customer data right now in the present.

If there’s anything we can all learn from this – it’s that no one is immune from hacking. If the biggest bank in the US with one of the largest IT security budgets can still suffer a data compromise, what chance do the rest of us have to avoid the same fate?

Common sense always prevails and you can’t tackle a complex problem with even more complexity. Bringing it back to basics is the solution here, and in most sensitive data compromises, the common denominator is personal data. Hackers are out to steal personal data because personal data can be easily monetized.

If this is the case, how do you prevent a compromise from happening? You take away what the bad guys are trying to steal.

So focus on your data – not on your perimeter defences. Ask your security team – what have we done to ensure that in the event a hacker breaks through our network, they’re unable to steal any of the data we’re storing?

Start with that, and you’ll be in a stronger position than most.

To experience how you can easily find sensitive data before the bad guys steal it, take a Data Recon trial today.

Bash Exploit “Shellshock” Puts the Entire World at Risk

Reuters recently reported on a new security bug exploit dubbed “Shellshock”, which has begun spreading like wildfire, creating mass hysteria among all who could comprehend the sheer scale of the threat.

Bash (aka the Bourne-again shell) is one of the most installed software utilities on many Unix-based systems. A newly discovered exploit in Bash allows hackers complete access to a targeted system running an affected operating system, including Linux and Mac OS X.

The scale of the attack is nothing short of gargantuan; roughly 67% of all servers on the internet run some form of Unix.

While it’s incredibly terrifying just how grave the exploit is, equally horrifying is how easy it is to take advantage of – the bug has been given a maximum rating of “10” for severity and rated “low” for complexity of exploitation. It’s the holy grail of exploits that hackers have been waiting for.

Just off the top of our heads, individuals with malicious intent could quite simply issue a command to a targeted system, telling it to send its entire database full of sensitive personal data to a location the hacker can access. It’s quick, it’s dirty, and above all, it’s easy. Hackers with an imagination could pull off potentially more elaborate and sinister attacks that could go beyond anything we can comprehend.

The bash shell, which is functionally similar to Windows’ Command Prompt

Cyber experts are already warning that Shellshock could pose an even bigger threat than the “Heartbleed” bug that arose in April, and it’s not hard to see why. While the Heartbleed bug only allowed hackers to spy on computers, this new threat allows hackers to freely roam in computer systems to do as they please.

Fortunately, Red Hat has released a patch to fix the exploit for Linux, available here (at the time this article was written, there had been no word on an OS X fix).

Within Ground Labs, we’ve also taken immediate action to patch our own systems which use any of the affected operating systems, and we would strongly advise all organisations running an affected platform to also take action immediately.

More importantly – if you outsource any function of your business involving the handling of your customer’s sensitive information, then you must ask your outsourcers – what are you doing in response to this latest exploit?

However, the Reuters article mentions the viewpoints of a few other security experts, who claim that the patch is “incomplete”. Chris Wysopal, the chief technology officer with security software maker Veracode, said that their company will “likely be taking other precautions to mitigate the potential for attacks in case the patches proved ineffective”.

This isn’t the first time a major security flaw affecting millions of systems has been found, and it won’t be the last. The core data security philosophy we stand by at Ground Labs rings especially true for this situation – the best way to protect your customers’ data is to assume you’re going to be hacked – and then take steps to ensure no sensitive data exists which the bad guys can easily steal.

Ground Labs’ Data Recon makes this exercise simple for organisations of all types. The sensitive data discovery tool scans systems for over 95 types of sensitive customer data, including credit card data, healthcare information and personal identification numbers. Once found, remediation can be performed to either delete, encrypt, mask or move the sensitive data somewhere secure.

If you need to do the same thing on a much larger scale across multiple servers and systems, take Enterprise Recon for a spin. You can search an entire network for sensitive data, and remediate problems from a single central location.

By frequently validating that you’re not storing any sensitive data that hackers are after, you are adding an entirely new layer of security. Many believe that data breaches are inevitable; if that is true, then making sure you’re clear of sensitive data is a solid way to avoid being the next data-breach headline.

Given that the entire world is on the clock to rebuild their defenses, what counts most now is speed. It’s literally a race against hackers for who can patch first vs. attack first.

Make sure you’re the former, and not on the receiving end of the latter.

(Source: Reuters)

(Image source: Open Book Project)

8 for 8: The Eight Notable Data Breaches of August 2014

Last month, the world watched aghast as August became the biggest month ever for data breaches. In one incident alone, over 1.2 billion unique credentials were stolen, in what is arguably the largest data breach to date.

Here’s a breakdown of the eight biggest breaches of August:


| | No. of Records Lost |
|---|---|
| Community Health Systems | 4.5 million |
| Homeland Security | |
| Goodwill Industries International Inc. | |
| Various Korean Online Games | 220 million |
| Various Websites | 1.2 billion |
| Dairy Queen | |
| JPMorgan Chase | |

Not only is the number of records lost phenomenally high, but a majority of the companies involved are recognizable name brands, which further drives home the point that, if the return warrants the effort required, hackers can penetrate and steal data from networks of almost any size or complexity.

The future of data security may seem grim when you look at statistics like these, especially when you take into consideration the number (and scale) of data breaches has only continued to rise for the past few years. We’ve just barely kicked off September, and already we have two big data breach cases in the iCloud celebrity photo hack and the Home Depot data breach, which is already shaping up to be even larger in scale than the notorious 2013 Target data breach which resulted in the loss of 70 million records, and over $148 million in remediation costs.

As with any bad news, there should always be light at the end of the tunnel and in this case, what these very public hacks are doing is reminding the business community to dedicate focus and resources to better data security. The traditional belief that using firewalls and antivirus means you’re secure is only setting you up to be next in line for the worst.

These situations truly highlight the dangers of handling sensitive data and make us question what is really required to service our customers vs what data should never be stored because there was no real justification in the first place.

Let’s hope it doesn’t get worse before it gets better.

Naked Celebrities Highlight Cloud Storage Risks

The Cloud. To many, it’s a mysterious-sounding name for a complex ‘computer thing’. To others, it’s a convenient way to sync devices and share files with friends. But for cyber criminals, it’s a treasure chest of sensitive information just waiting to be plundered.

A few months ago, a movie starring Cameron Diaz and Jason Segel titled ‘Sex Tape’ was released, telling the comedic story of a couple whose sex tape was accidentally synced to the Cloud and subsequently distributed over the internet.

Life occasionally imitates art, as last Sunday evening a huge leak of celebrity nude photos was posted on the imageboard site 4chan, with many reports indicating that Apple’s iCloud service had been breached to procure the images.

However, a more recent report seems to indicate otherwise. It appears that hackers simply wrote a script to brute-force celebrities’ accounts with the top 500 most common passwords approved by Apple. Once the hackers gained access, they had full viewing rights to all of the celebrities’ private data they had synced onto the cloud, including the intimate photos now circulating the web.

The problem with new technologies like the Cloud is how convenient and easy-to-use it seems, so much so that few people take a step back to worry about the possible issues or repercussions of using a storage platform that can be accessed from the public internet. Take these tweets from Mary Elizabeth Winstead, one of the celebrities who had her private photos posted in the recent leak:

While our hearts go out to Ms. Winstead, the impression we have from her tweets is that she was unaware that images deleted on her camera-equipped device had been synced to the Cloud, and hence were still floating about the internet. And judging by the fact that over 20 other celebrities including the likes of Jennifer Lawrence and Kate Upton are now facing the same predicament, it’s pretty clear that she isn’t the only one who was previously oblivious to the potential dangers of using public Cloud storage providers.

Whilst embarrassing to the celebrities affected, what would be of greater concern is the same hackers using this attack to steal sensitive customer data from the millions of businesses currently syncing all their business and customer data to the Cloud.

Today’s business cloud providers offer background synchronisation features that automatically copy the contents of your ‘My Documents’ and other folders. The synchronised data then becomes available via a Cloud storage folder that is publicly accessible from the internet and protected only with an email address and password. Often, businesses are not aware of exactly how much sensitive data is being synchronised automatically, putting them at an even greater risk.

The lesson for any size business is simple: Understand your cloud usage and take steps to validate you’re not inadvertently synchronising sensitive customer data to these providers. If your data gets breached, you stand to lose more than just your modesty; you may be compromising sensitive data of not only you and your employees, but your customers as well. A breach could mean spending large sums of money on remediation fees, in addition to a loss in trust from your valued customers.

Identifying this problem is easier than you think. Ground Labs’ products are designed to search for more than 95 types of sensitive data that you may be storing in your corporate storage repositories, including local sync folders and remote cloud providers. If any sensitive data is found, remediation options can be used to help protect the information against the threat of a data breach.
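A minimal illustration of that kind of check on a local sync folder, which also covers the find-then-mask advice in the earlier posts; it is an added example, not Ground Labs’ code or a description of how its products work. The function names and folder contents are constructed for the demonstration, and the two card numbers are widely published test numbers.

```python
import os
import re
import tempfile

# Candidate card number (PAN): 13-19 digits, optionally split by single spaces
# or hyphens, and not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<![\d-])\d(?:[ -]?\d){12,18}(?![\d-])")


def luhn_ok(digits):
    """Luhn checksum: weeds out most random digit runs (order ids, refs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep first six / last four so the report does not store full PANs."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text):
    """Return (line number, masked PAN) for each Luhn-valid candidate."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            # All-identical digits (e.g. sixteen zeros) pass Luhn; skip them.
            if len(set(digits)) > 1 and luhn_ok(digits):
                findings.append((lineno, mask(digits)))
    return findings


def scan_tree(root, max_bytes=5_000_000):
    """Walk a folder (e.g. a local sync folder) and report files with PANs."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue    # large files need a streaming scan instead
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue        # unreadable file: skip, do not abort the scan
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


def demo():
    """Build a constructed 'sync folder' and scan it."""
    sample_files = {
        # Constructed data; both PANs are standard published test numbers.
        "orders.csv": (
            "1001,Jane Example,4111 1111 1111 1111,2014-09-01\n"
            "1002,John Example,5500-0000-0000-0004,2014-09-02\n"
        ),
        # A 16-digit reference that fails Luhn, plus a short phone number.
        "notes.txt": "Tracking ref 1234567890123456 (not a card)\nCall 555-0100\n",
    }
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "Documents", "exports")
        os.makedirs(target)
        for name, body in sample_files.items():
            with open(os.path.join(target, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        for lineno, masked in hits:
            print(f"{path}:{lineno}: {masked}")
```

Luhn validation only reduces false positives; a hit still needs review before the file is deleted, encrypted or moved out of the synchronised folder.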

Visit the Ground Labs website for a free trial of our products to see how easy it can be to secure your sensitive data.

It won’t be your QSA who gets thrown under the data breach bus


In 2013 more than 800 million records were exposed via 600+ data breaches. This year, in a single data breach incident, over 1.2 billion passwords were stolen, an instant 50% increase over last year.

Cardholder data is no different as the number of data breaches involving CHD remains high despite stricter PCI Compliance guidelines being implemented, fanning the flames of debate about whether the PCI DSS is adequate in protecting consumer cardholder data.

When things go south and it comes time to play the blame game, it’s common for fingers to point straight at the breached company’s affiliated QSA, like how many banks attempted to sue Target’s QSA. Heartland’s CEO made public how he felt QSAs had let him and his company down after they got hacked despite achieving PCI DSS compliance.

But as the world discovered when all the banks eventually dropped the lawsuit, in the event of a data breach it’s hard to pin the blame on QSAs. But why are QSAs seemingly bulletproof? You invest significant time and effort following the PCI standards, then pay your QSA a reasonable sum of money to come onsite and validate that you were compliant, giving you the ever sought after Report On Compliance stamp of approval. So shouldn’t they be responsible if you’re subsequently breached?

In this blog post, we’re going to address some of the common misconceptions about the roles QSAs play in helping your company become PCI compliant.

1. Achieving PCI compliance does not mean you’re permanently bulletproof.

Some mistakenly believe that being PCI compliant means their company is fully protected from a data breach. Unfortunately, many companies who suffered data breaches were previously deemed PCI compliant.

Does this mean that PCI compliance is worthless? Hardly. PCI DSS is the first global standard that prescriptively guides us towards securing sensitive data. If you think it’s too broad, we recommend you have a read of ISO 27001.

What organisations must understand is that PCI compliance reports and the QSAs who create them have limitations, and companies need to be aware of those limitations so that they can set reasonable expectations for their PCI compliance reviews.

QSAs review cardholder data handling practices in a similar way to how financial auditing firms review financial transactions. In both scenarios, a third-party expert reviews and tests the company’s policies and procedures, determines whether they meet industry standards, and issues a report. QSAs simply cannot check every transaction and every document within an organization, nor would a company want to pay for such an exhaustive review. And naturally, QSAs cannot anticipate whether or how a company’s data handling practices may change in the future. Instead, just like financial auditors, QSAs rely on the concept of reasonable assurance.

“QSAs can only look at what has occurred in the past….Your QSA can provide management feedback on the appropriateness of [your] controls, but the QSA is not responsible for ensuring that any recommendations on changes to controls are implemented. Changes to controls and the proper functioning of those controls are the responsibility of an organization’s management—not the QSA or anyone else.” –PCI Guru

2. QSAs are not lawsuit scapegoats.

The common and perfectly understandable mindset of many CFOs is that once they have paid a PCI QSA for their services, including the delivery of a PCI compliance report, they have shifted liability in the event of a data breach. However, this couldn’t be further from the truth; every QSA’s responsibility is simply reviewing the company’s practices for handling sensitive cardholder data. Any flaws in those practices remain the sole responsibility of the organisation.

In the rare event that a QSA incorrectly assesses a process for handling cardholder data as being compliant when the standard would suggest otherwise, then he or she may carry some of the blame and may be held partially responsible for a resultant data breach.

One of our Directors, Stephen Cavey, who was on the receiving end of QSA reviews for many years weighs in on this and states, “In the event a QSA reviews a non-compliant situation and does not report it, then it is reasonable to establish that the QSA is at fault for this oversight resulting in some level of liability. However if a merchant hides something or adequate sampling by the QSA did not reveal any issues, then the QSA would not be liable in the subsequent event of a data breach.”

The topic of adequate sampling is an interesting one and something we will reserve for a separate post, but to get back on the original topic, it’s in your vested interests to ensure a thorough and correct sample is reviewed by your QSA – an inadequate or over-simplistic sample is not going to do you any favours.

However, in the vast majority of cases, data breaches can be traced to flaws in data handling procedures and/or human error after compliance was achieved. In those cases, responsibility and liability lie squarely with the company that suffered the data breach, regardless of what was stated in the PCI compliance report.

3. A “clean” PCI Compliance Report is not your end goal. Security is.

In the same way that many people study for a Diploma, Bachelor’s Degree or other certification just to meet employability standards, too many companies view achieving a “clean” PCI Compliance Report as their end goal, mistakenly believing that it will protect them from any and all data breaches. Achieving PCI compliance is an important and necessary goal, but it does not fully provide carte blanche protection.

When executives forget that their primary goal should be protecting cardholder data, they begin to blindly pursue a positive PCI compliance report, at any cost. Companies with this mindset may try to hide weaknesses in their cardholder data practices so that they cannot appear on the QSA’s report. Others may choose to discount the QSA’s assessment and select a different, less thorough QSA who is prepared to sign off on a position that other QSAs wouldn’t approve of. For a short time, the company may be pleased with its “clean” PCI compliance report, but in fact its systems are left highly vulnerable to a data breach.

QSAs who tacitly agree to issue a positive PCI compliance report without addressing the underlying questions of whether a company is PCI compliant are not doing the company any favors. In fact, they are a liability, and your organization would be well served by avoiding working with such QSAs.

Those with a short-term perspective change their QSA frequently. They may not like the QSA’s negative assessment of the company’s infrastructure and may resent the additional work required to address the QSA’s findings. But they lose sight of the fact that identifying and addressing weaknesses in cardholder data handling practices is actually extremely beneficial in the long run.

4. Your QSA won’t take the hit for you in the event of a breach, but they don’t want you to get hit either.

Many companies view QSAs as an enemy, actively looking for flaws in systems and putting them through the arduous process of achieving PCI compliance. If you think about it, QSAs have reasons to be personally invested in ensuring your system is secure; it’s bad for a QSA’s business if word gets out that one of its clients was hit. You must view your QSA as the ally that it is, and work in tandem with it to safeguard your sensitive customer data. After all, they’re working for you!

A responsible company should choose a QSA who is tough, but fair. Companies should actively seek out QSAs who search high and low for every possible weakness (within the boundaries of the QSA review standards) and present suggestions for addressing those weaknesses. Some QSAs may have a reputation for being unreasonable and unrealistic, but most QSAs are exceptionally good at identifying relevant weaknesses and the risk that those weaknesses could be exploited for a data breach.

It’s all on you, so choose wisely.

If a data breach occurs, all that matters is that you were the cause of it. Your brand will be tarnished in the public reports, and your customers will be vulnerable. You will be responsible for any liabilities or fines that are issued, and it will be too late to start pointing the finger at anyone else once the word is out in the public domain.

Fortunately, a good QSA will help you to minimize the risk of a data breach by identifying weaknesses in your cardholder data handling practices so that you can mitigate those risks.

Just as you would not rely solely on an external auditor to check your accounts, the burden of responsibility falls on you and your security team to hold down the fort once the cavalry has left. In the event of a data breach you could try passing off the blame to your QSA, but are you confident you’ll succeed where all others have failed?


Asia, stop ignoring PCI compliance and take data security seriously

Are Asian companies adequately guarding the gates to their sensitive customer data?

Is Asia as a region well-prepared to combat the threat of data breaches? Short Answer: No.

This much is evident when you look at some simple facts, like how only 23 out of 346 of the certified QSA companies service the Asia Pacific region, or how many credit card receipts in Asia are still printed with the full customer’s PAN.

It comes as no surprise that when Asian companies are hit by data breaches, they are hit hard: in this study, 40% of the Asian companies surveyed reported significant losses from having suffered data breaches in the past. South Korea alone accounted for four of the five top breaches worldwide and a total loss of 158 million records in the first quarter of 2014.

Just this month, 16 suspects were arrested in South Korea on charges of illegally distributing the personal records of 27 million online game players. The ringleader made off with roughly $390,000 from selling the data he stole.

So why aren’t enough companies in Asia taking the looming threat of data breaches seriously? It could have something to do with the fact that only 7% of the data breaches which occurred in Q1 of 2014 came from the Asian region, dwarfed by the American region’s sizeable chunk of the data breach pie with 78%. Most of the high profile cases we read about in the news take place in America or Europe, sporting brand names we recognise. For too many companies in Asia, data breaches feel like a distant problem, and safeguarding data figures low on their priority lists, staying true to the Chinese idiom ‘勤俭办企业 (Qín jiǎn bàn qǐ yè)’, which encompasses the belief that businesses must be run diligently and thriftily.

This is a very dangerous mindset given history has shown that hackers always start with low-hanging fruit – Verizon reported that in 2012, 76% of data compromises they studied were achieved using low difficulty attack methods, which include password guessing and the like. If Asia lags too far behind the rest of the world in data security measures, the global cyber criminal community will turn its attention to Asian companies more voraciously, and for many, counter-action will come too late.

On the same note, PCI Guru wrote this excellent post 4 years ago, which is sadly still relevant today, talking about how Asia is backward in its view of credit card data security. In the article he lamented how an Asian business actually had to fight with the bank for the right to mask their customer PANs printed from POS machines.

It’s not all bad news for Asia, though: the region still trumps the US in terms of EMV adoption, having implemented the standard since 2004, while the major credit card brands have only recently pushed forward their EMV migration plans for the US.

On a positive note, however, a large data communications company, Pacnet, announced their achievement of PCI DSS 2.0 certification across their Asia Pacific regional offices, a certification not often seen in the region. Interestingly enough, even after much digging there was no similar news available online, aside from the same few public announcements.

Of course, it is entirely possible that other companies are simply not advertising their PCI DSS compliance, to which we ask: why not? It’s a great way to let customers know you’re committed to making data security a business focus, without being specific about what your defenses are.

In just a matter of months, though, PCI Compliance will be more strictly enforced than ever before. As stated in this previous blog post, failure to comply with PCI standards will result in recurring non-compliance fines, assuming the hackers don’t get to you first: the average cost per compromised record for 2013-2014 is $213.

Do we really need more large-scale data breaches to happen in the region before companies start taking data security seriously? Many experts in the region we met at the MasterCard Risk Management Conference Series in KL seem to think so. It’s only a matter of time before someone in the region is hit by the metaphorical tsunami of data breaches, which will force companies in the region to take notice.

Our advice for Asian companies: Reconsider your priorities for data security and PCI compliance. The small sum saved by not taking action is easily dwarfed by the cost and consequence of a data breach. Don’t wait around to find out what that could mean – demonstrate PCI compliance early to protect your customers and your business.

To take your first step towards data security, start with a free trial of Ground Labs’ PCI Compliance tools on our website here.

Avoid Taking Gambles with Data Security

The Irish-based gambling firm Paddy Power announced on 31 July that they suffered a data breach in 2010, resulting in hackers plundering the personal details of 649,000 customers.

While no credit card data was stolen, the infiltrators made off with personal information of Paddy Power customers, including their names, addresses, and dates of birth.

According to public reports, Paddy Power reacted to the breach in 2010 by upgrading its technology infrastructure; however, by then the damage had been done. Paddy Power not only had to pay large fees to clean up the proverbial personal information oil spill, but is now faced with the prospect of reputational damage. Even for their clientele, who are some of the biggest risk takers, the idea of having their personal information stolen is enough to make many people fold.

Beyond the data breach itself, the obvious problem here is the 4 years it took for affected customers to be notified. Even the Irish government has expressed disappointment in Paddy Power for taking such a long amount of time. Based on this, many will be watching to see what flow-on effects may occur in relation to Ireland’s Data Protection rules.

The incident is a stark reminder for businesses across Ireland, the UK and broader Europe that hacking is a growing profession and European companies are a ripe target. Hacking offers large potential gains, and as the ease with which stolen data can be acquired continues to increase, so grows the risk of suffering a data breach. A recent study shows that data breaches pose a greater risk than ever before, and for good reason.

Personal information is worth more than you would think on the black market; even a single paired name and date of birth can be sold for $11, and a royal straight flush of personal information, also known as a Fullz, is worth up to $40 per record. If the hackers who infiltrated Paddy Power’s network ever sold all 649,000 of the personal records they stole, they would be making more money than most of the people who win in one of Paddy Power’s lotteries.

The key message here is that when it comes to data security, reaction is pointless; proaction is the only way to keep sensitive data safe. Ground Labs has built its technologies around this thinking, to help prevent the unfortunate scenario of suffering a data breach from happening to any businesses dealing with sensitive customer data.

The approach is simple: only if you know where your sensitive customer data is can you take steps to secure it using encryption, tokenization, or the best protection of all: deletion. As many organisations who use our products come to learn, the biggest threat isn’t the data storage you already know about; it’s the vast amounts of customer information you don’t know about, which have no security controls around them. The best course of action is to delete it, because hackers can’t steal what’s not there.

The tool we offer to help identify and secure sensitive customer information is Data Recon. Data Recon enables companies to search their systems for sensitive data such as names, addresses, passport numbers, and more, and then take actions to secure that data.

Once the data is found, you can choose to permanently delete it, encrypt it, quarantine it or even mask cardholder data if you find it.

It’s a simple way to keep from being the next privacy data breach headline because after all, hackers can’t steal what isn’t there.

Read more about our Data Recon and other data discovery tools on our website here.


Data source: Dell Secureworks

Visited a Doctor or Hospital Lately? Your Personal Data May Already Be in the Hands of a Hacker

Your local hospital may be doing a good job of keeping patients virus-free, but are they doing the same for their computer systems?

Security of sensitive data within the Healthcare industry has received critical attention lately, as a number of hospitals, surgeries and healthcare providers have reportedly suffered security breaches over the past 24 months.

It’s certainly nothing to sneeze at: a growing number of healthcare organisations are facing an increasing need to keep sensitive data secure, whether it’s Protected Health Information (PHI), payment card details, or personal employee information.

The reason why this situation exists is simple: the healthcare industry is as big as they come, and when data breaches take place, they can affect anywhere from one patient to 10 million. Information protection is more important than ever before, but not enough healthcare organisations are taking it as seriously as they should. It’s a classic yet dangerous mentality: if we haven’t been breached, then we must be secure.

Below are some practices suggested by Health IT Security to strengthen information security in the healthcare supply chain:

1. Identify all business associates and third parties by auditing each functional area within the healthcare organization and mapping what individuals and entities have access to PHI as well as Personally Identifiable Information (PII).

2. Prioritise resources on managing third party risk based on:

A. How important is the third party to patient safety or the financial health of the covered entity?

B. Who is storing information? There is often a greater risk associated with the third parties that are storing information than with those who only have access to it.

3. Ask third parties about their measures in place to protect confidential information and detect/respond to security incidents. Request third party security audit reports from critical vendors and/or create a security assessment process for evaluating and managing this risk.

4. Ensure third parties are in compliance with HIPAA Security and Privacy Rule protection requirements and that they are aware that any subcontractors used are also held to these standards.

5. Integrate this vetting methodology in the standard onboarding procedures for new vendors and third parties. Also, third parties should be continuously evaluated, at least annually, but especially in the event of an ownership change such as a merger or acquisition.

Ground Labs’ Data Recon was designed to make many of the above steps simpler and to enable your third parties to generate evidence of safe PHI and PII storage practices. It enables system owners to search for PHI as well as a wide range of other sensitive data types across a broad range of corporate data repositories, and then offers some features to remediate and secure any sensitive data found. Its core brief is to be simple yet accurate, ensuring that complying with HIPAA and other medical industry compliance initiatives won’t lead to any stress-related illnesses.

Read more about our Data Recon and other data discovery tools on our website here.

Source: Healthcare IT Security

Image source: Drossman Gastroenterology