Genesco, a sports apparel retailer,  is fighting back against the arbitrary multi-million-dollar penalties that credit card companies impose on banks and merchants for data breaches by filing a first-of-its-kind $13 million lawsuit against Visa. While specifics are not fully public, the company maintains that it found packet-sniffing software on its network but never uncovered forensic evidence that the hackers actually stole any card data.

http://www.wired.com/threatlevel/2013/03/genesco-sues-visa/

###

CenPOS, a private cloud, hosted-payment processing network, can reduce PCI burden for retailers. Contact us for more information.

Highlights from the  Global Payments quarterly report  released January 8 2013, reveals that costs related to the 2012 data breach have reached 93.9 million and additional material costs will be incurred in 2013.  The company is still working on PCI DSS certification. The company has not yet been put back on the list of PCI DSS compliant service providers, however, the impact on revenue has been “immaterial”. 

“As a result of this event, certain card networks removed us from their list of PCI DSS compliant service providers. Our removal from certain networks’ lists of PCI DSS compliant service providers could mean that certain existing customers and other third parties may cease using, referring or selling our products and services. Also, prospective customers and other third parties may choose to delay or choose not to consider us for their processing needs. In addition, the card networks could refuse to allow us to process through their networks. To date, the impact on revenue that we can confirm related to our removal from the lists has been immaterial. Also the impact on revenue of customers or other third parties who have failed to renew, terminated negotiations, or informed us they are not considering us at all, where we can confirm it is related to our removal from the lists, has been immaterial.    We continue to process transactions worldwide through all of the card networks. We hired a Qualified Security Assessor, or QSA, to conduct an independent review of the PCI DSS compliance of our systems. Our work to remediate our systems and processes is substantially complete. Our QSA is currently evaluating our remediation work. Once the QSA’s evaluation is complete we will work closely with the networks to return to the list of PCI DSS compliant service providers as quickly as possible. Our failure or a delay in returning to the list could have a material adverse effect on our business, financial condition, results of operations and cash flows.”

In addition to the credit card data breach, the “investigation also revealed potential unauthorized access to servers containing personal information collected from merchants who applied for processing services.” Merchant account applications contain sensitive information for identity theft thieves, including business owner social security numbers and home addresses.

Another potential financial blow is the class action suit related to the ‘intrusion’, as Global Payments has identified the breach. “We have not recorded a loss accrual related to this matter because we have not determined that a loss is probable.”

There are multiple bills pending regarding data breach responsbilities and summaries are below. With PCI Compliance never achieving the goal of 100%, can we really expect any better with theses other issues. Government regulation is increasing due to the failure of businesses to self police and protect data they collect.

S. 1535: Personal Data Protection and Breach Accountability Act of 2011

6/7/2011–Introduced.
Personal Data Privacy and Security Act of 2011 – Amends the federal criminal code to: (1) make fraud in connection with the unauthorized access of personally identifiable information (in electronic or digital form) a predicate for racketeering charges, and (2) prohibit concealment of security breaches involving sensitive personally identifiable information. Sets penalties for attempts and conspiracies to commit fraud and related activity in connection with computers. Requires a data broker to: (1) disclose to an individual, upon request, personal electronic records pertaining to such individual maintained or accessed for disclosure to third parties; (2) disclose adverse actions by third parties against an individual; and (3) maintain procedures for correcting inaccuracies and incompleteness in such records. Defines a “data broker” as a business entity that collects, transmits, or provides access to sensitive personally identifiable information on more than 5,000 individuals who are not the customers or employees of that business entity for purposes of providing such information to non-affiliated third parties on an interstate basis. Establishes standards for developing and implementing safeguards to protect the security of sensitive personally identifiable information. Imposes upon data brokers and business entities civil penalties for violations of such standards. Requires business entities to notify: (1) any individual whose information has been, or is reasonably believed to have been, accessed or acquired, (2) all nationwide consumer reporting agencies if an agency or entity is required to notify more than 5,000 such individuals, and (3) the United States Secret Service and the Federal Bureau of Investigation (FBI) if the number of individuals involved exceeds 10,000.
Authorizes the Attorney General and state attorneys general to bring civil actions against business entities for violations of this Act. Requires the Administrator of the General Services Administration (GSA), in considering contract awards totaling more than $500,000, to evaluate: (1) the data privacy and security program of a data broker, (2) program compliance, (3) the extent to which databases and systems have been compromised by security breaches, and (4) data broker responses to such breaches. Requires federal agency information security programs to include procedures for evaluating and auditing the information security practices of contractors or third party business entities supporting the agency information systems or operations involving personally identifiable information and for ensuring remedial action to address any significant deficiencies. Requires federal agencies to conduct a privacy impact assessment before purchasing personally identifiable information from a data broker.

7/22/2011–Introduced.
Data Breach Notification Act of 2011 - Requires any federal agency or business entity engaged in interstate commerce that uses, accesses, or collects sensitive personally identifiable information, following the discovery of a security breach, to notify: (1) any U.S. resident whose information may have been accessed or acquired, and (2) the owner or licensee of any such information that the agency or business does not own or license. Exempts: (1) agencies and business entities from notification requirements for national security and law enforcement purposes and for security breaches that a risk assessment concludes do not have a significant risk of resulting in harm if specified certification or notice is provided, subject to review by the Secret Service; and (2) business entities which utilize a security program that blocks the use of sensitive personally identifiable information and provide notice of a breach to affected individuals. Requires notifications regarding security breaches under specified circumstances to the Secret Service, the Federal Bureau of Investigation (FBI), the Postal Inspection Service, and state attorneys general. Authorizes the Attorney General to bring a civil action in U.S. district court against any business entity that violates this Act. Sets civil penalties for violations. Amends the Fair Credit Reporting Act to require agencies to include a fraud alert in the file of a consumer that submits evidence of compromised financial information to a consumer reporting agency. Authorizes: (1) civil actions by state attorneys general to enforce this Act, and (2) appropriations for costs incurred by the Secret Service to investigate and conduct risk assessments of security breaches.

You can follow these bills here:  Data Breach Protection US Congress (official list of bills and links)

On May 10th, Iowa Gov. Culver (D) signed a bill (S.F. 2308) that requires businesses and government agencies to notify state residents if the unauthorized access of their computerized personal information is likely to do financial harm.

The new Iowa data breach notification law takes effect July 1, 2011.

Iowa is the 43rd state with some sort of data breach law on the books.

Unlike most state data breach laws, S.F. 2308 does not exempt personal information that is encrypted or redacted from the types of computerized data requiring notice. The new Iowa law, however, contains a risk of harm trigger.

Under S.F. 2308, breach notice “is not required if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach.”

The proposed law would allow the state attorney general to seek actual damages on behalf of individuals affected by a data breach incident requiring notification.

A provision in the Iowa bill as introduced which would have made retailers liable to banks for their costs associated with breaches of credit and debit card transaction data was removed from the measure in committee before its formal introduction in the Senate.

In this first article of a series we explore insider theft, related to data breaches,  based on key elements of the Verizon 2011 data breach report.  The number of 2010 data breaches exploded in companies with 11 to 100 employees. A key commonality is simply the opportunity was there.

The 2011 Data Breach Investigations Report (DBIR) is a study conducted by the Verizon RISK team in cooperation with the U.S. Secret Service and the Dutch High Tech Crime Unit.

Who is behind the data breaches?

• 92% external agents
• 17% implicated insiders
• < 1% business partners
• 9% involved multiple parties

How do breaches occur? ?

• 50% involved some sort of hacking
• 49% incorporated malware
• 29% physical attacks
• 17% from privilege misuse
• 11% employe social tactics

What commonalities exist?

• 83% were victims of opportunity
• 92% were not difficult
• 76% of all data was compromised from servers
• 86% discovered by a third party
• 96% were avoidable through simple or intermediate controls
• 89% of victims subject to PCI-DSS had not achieved compliance

End of excerpt. Continue reading for blog author comments.

A healthcare company stores credit card data on servers, unencrpyted. Their excuse? It’s not connected to the actual credit card processing and access is restricted so it’s not a PCI Compliance problem.  See related article Shocking lack of payment processing security in healthcare industry. No data breach yet, but statistically, the company is at great financial risk, including up to  $1.5 million fine for violating the HITECH ACT.

Employees at a car dealer tape passwords next to their computer and in the first unlocked drawer of their desk. Their excuse?  It’s too hard to remember the password and they don’t acknowledge it’s a security issue.

Employees at a retail rental shop have a file folder in plain view of anyone entering the shop containing copies of drivers licenses and the front and back of credit cards. Their excuse? They didn’t know they couldn’t do it and didn’t know of an alternative method that would meet their needs to bill customers if they never returned with the goods.

Think these are exceptions? Businesses everywhere have these problems in some fashion. As each of these examples illustrate,  employee training is essential. Industry wide, merchants are completing  PCI Compliance Security Standards data worksheets. At that point in time, the merchant can be certified PCI Compliant. But without internal enforcement and training, the merchant is generally not compliant when a data breach occurs and thus is fully liable for all the associated fines, fees and damages.

In conclusion, the establishment of training procedures and distribution of data security expectations to employees is essential. Most employees are honest, right? But when companies have lax security policies, it presents an OPPORTUNITY for good employees to break the law.

Here’s three things you can do to mitigate internal employee risk:

1. Create a data security training checklist for all employees handling sensitive data. Update the training and content quarterly or at least once per year. The employee cannot accept credit cards or any sensitive data until they’ve completed training, plus sign and date the checklist.
2. Make data security a formal part of employee performance reviews. Require annual checklist review and signature at the time of performance reviews.
3. Implement a reward system for identifying vulnerabilities of real life practices- whether people, software, or hardware.

Bonus: Implement a hosted payment processing solution with extensive tools to prevent internal fraud. Call for information.

Cyber Criminals Shifting to Smaller, More Opportunistic Attacks; External Attacks, Especially Hacking, on Rise

April 19, 2011

NEW YORK – Data loss through cyber attacks decreased sharply in 2010, but the total number of breaches was higher than ever, according to the “Verizon 2011 Data Breach Investigations Report.” These findings continue to demonstrate that businesses and consumers must remain vigilant in implementing and maintaining security practices.

The number of compromised records involved in data breaches investigated by Verizon and the U.S. Secret Service dropped from 144 million in 2009 to only 4 million in 2010, representing the lowest volume of data loss since the report’s launch in 2008. Yet this year’s report covers approximately 760 data breaches, the largest caseload to date.

According to the report, the seeming contradiction between the low data loss and the high number of breaches likely stems from a significant decline in large-scale breaches, caused by a change in tactics by cybercriminals. They are engaging in small, opportunistic attacks rather than large-scale, difficult attacks and are using relatively unsophisticated methods to successfully penetrate organizations. For example, only 3 percent of breaches were considered unavoidable without extremely difficult or expensive corrective action.

The report also found that outsiders are responsible for 92 percent of breaches, a significant increase from the 2010 findings. Although the percentage of insider attacks decreased significantly over the previous year (16 percent versus 49 percent), this is largely due to the huge increase in smaller external attacks. As a result, the total number of insider attacks actually remained relatively constant.

Hacking (50 percent) and malware (49 percent) were the most prominent types of attack, with many of those attacks involving weak or stolen credentials and passwords. For the first time, physical attacks — such as compromising ATMs –appeared as one of the three most common ways to steal information, and constituted 29 percent of all cases investigated.

For the second year in a row, the U.S. Secret Service collaborated with Verizon in preparing the report. In addition, the National High Tech Crime Unit of the Netherlands Policy Agency (KLPD) joined the team this year, allowing Verizon to provide more insight into cases originating in Europe. Approximately one-third of Verizon’s cases originated in either Europe or the Asia-Pacific region, reflecting the global nature of data breaches.

“Through our Data Breach Investigations Report series, Verizon continues to provide the industry with a first-hand look at cybercrime around the globe,” said Peter Tippett, Verizon’s vice president of security and industry solutions. “This year, we witnessed highly automated and prolific external attacks, low and slow attacks, intricate internal fraud rings, countrywide device-tampering schemes, cunning social engineering plots and more. And yet, at the end of day, we found once again that the vast majority of breaches can be avoided without extremely difficult, expensive security measures.”

Tippett added: “It is important to remember that data breaches can happen to any business — regardless of size or industry — or consumer, at any place in the world. A good offense remains the best defense. It is imperative to implement essential security measures broadly throughout your security infrastructure, whether that is a small home setup or an expansive enterprise infrastructure.”

U.S. Secret Service Assistant Director A.T. Smith said, “Americans over the past several years have seen the significant impacts data breaches are having on our nation’s financial infrastructure. Today cyber criminals are operating in nearly every civilized nation in the world, exposing Americans’ personal information, either stored or transmitted, to substantial risk.”

Smith added, “By participating in the Verizon 2011 Data Breach Investigations Report, the Secret Service is working closely with our private-sector partners to educate Americans about the threats of cyber criminals. With the help of our Electronic Crimes Task Force partners, such as Verizon, we are studying technologies and trends to prevent and mitigate attacks against critical financial infrastructure.”

The Data Breach Investigation Report (DBIR) series now spans seven years and more than 1,700 breaches involving more than 900 million compromised records, making it the most comprehensive study of its kind.

(NOTE: Additional resources supporting the 2011 Data Breach Investigations Report are available, including high-resolution charts and an audio podcast. B-roll available upon request.)

Key Findings of the 2011 Report

Data from the 2011 report shows that:

• Large-scale breaches dropped dramatically while small attacks increased. The report notes there are several possible reasons for this trend, including the fact that small to medium-sized businesses represent prime attack targets for many hackers, who favor highly automated, repeatable attacks against these more vulnerable targets, possibly because criminals are opting to play it safe in light of recent arrests and prosecutions of high-profile hackers.
• Outsiders are responsible for most data breaches. Ninety-two percent of data breaches were caused by external sources. Contrary to the malicious-employee stereotype, insiders were responsible for only 16 percent of attacks. Partner-related attacks continued to decline, and business partners accounted for less than 1 percent of breaches.
• Physical attacks are on the rise. After doubling as a percentage of all breaches in 2009, attacks involving physical actions doubled again in 2010, and included manipulating common credit-card devices such as ATMs, gas pumps and point-of-sale terminals. The data indicates that organized crime groups are responsible for most of these card-skimming schemes.
• Hacking and malware is the most popular attack method. Malware was a factor in about half of the 2010 caseload and was responsible for almost 80 percent of lost data. The most common kinds of malware found in the caseload were those involving sending data to an external entity, opening backdoors, and keylogger functionalities.
• Stolen passwords and credentials are out of control. Ineffective, weak or stolen credentials continue to wreak havoc on enterprise security. Failure to change default credentials remains an issue, particularly in the financial services, retail and hospitality industries.

Recommendations for Enterprises

The 2011 report found again that the prescription for data breaches is to use simple, essential security practices such as:

• Focus on essential controls. Many enterprises make the mistake of pursuing exceptionally high security in certain areas while almost completely neglecting others. Businesses are much better protected if they implement essential controls across the entire organization without exception.
• Eliminate unnecessary data. If you do not need it, do not keep it. For data that must be kept, identify, monitor and securely store it.
• Secure remote access services. Restrict these services to specific IP addresses and networks, minimizing public access to them. Also, ensure that your enterprise is limiting access to sensitive information within the network.
• Audit user accounts and monitor users with privileged identity. The best approach is to trust users but monitor them through pre-employment screening, limiting user privileges and using separation of duties. Managers should provide direction, as well as supervise employees to ensure they are following security policies and procedures.
• Monitor and mine event logs. Focus on the obvious issues that logs pick up, not the minutia. Reducing the compromise-to-discovery timeframe from weeks and months to days can pay huge dividends.
• Be aware of physical security assets. Pay close attention to payment card input devices, such as ATMs and gas pumps, for tampering and manipulation.

A complete copy of the “Data Breach Investigations Report” is available for download.

About Verizon
Verizon Communications Inc. (NYSE, NASDAQ:VZ), headquartered in New York, is a global leader in delivering broadband and other wireless and wireline communications services to mass market, business, government and wholesale customers. Verizon Wireless operates America’s most reliable wireless network, serving 94.1 million customers nationwide. Verizon also provides converged communications, information and entertainment services over America’s most advanced fiber-optic network, and delivers innovative, seamless business solutions to customers around the world. A Dow 30 company, Verizon employs a diverse workforce of more than 194,000 and last year generated consolidated revenues of $106.6 billion. For more information, visit www.verizon.com.

A Holy Cross Hospital emergency room clerk was convicted for her crimes as part of an identity theft ring. The employee copied patient records which were subsequently used to open credit card accounts. The US Postal inspection Service was alerted after employees noticed debit card mailings with different names being sent to the same address.  Over 525 pieces of mail addressed to a variety of names were found.  See prior article Identity theft at Holy Cross Hospital and securing payments.
Identity theft crime is rampant in South Florida, and this Fort Lauderdale hospital is not alone with data breach risk exposure. A local county hospital completes the intake process for outpatient procedures with semi-private barriers. I.D. is validated and everything done at the desk …except processing the credit card. The employee walks away out of view to swipe the card. Nearby I later learned is a copier. Does this make sense to you?

I contacted the District CFO to inform of the risk and offer a solution. No reply yet. Whether I hear back or not, I sure hope they fix this problem before they have a data breach too.

At Holy Cross Hospital, technicians discovered that Emergency room employee Natashi Orr, 36, had printed basic computerized forms in patient files containing name, address, birth date, diagnosis and other details, officials said. Raushanah Bowleg, 33, Opa-locka, did the same on his job at an Aventura physician office.

At another hospital, the intake process requires all data be entered in the computer directly, and an electronic signature is captured. Yet to accept payment, the cashier walks to another area, out of view from the consumer, and next to a copier.  During this time the card could have been skimmed for the magnetic data or a copy made of the card, both posing considerable risk of identity theft.

While the latter situation has not resulted in a data compromise to my knowledge, the situation is equally dangerous.

3D Merchant Services has a payment processing solution with enhanced features created specifically for hospitals and medical billing companies. Here are a few highlights:

- User level security. Modify, add, and delete users and their permission levels for processing payments for phone/mail and in person. Combined with alerts and other features, prevent internal and external fraud.
- Tokenization. Would you like to re-bill a customer on their initial payment method? Set up recurring billing? Without storing their credit card data? Create a secure token to enable repeat billing. Even if stolen, the tokens are worthless.
- Least cost routing – Attach a signature capture terminal to your PC’s and eliminate human errors that create costly interchange (95% of your payment processing cost) downgrades, plus dynamically determines least cost method to process.

- Reporting. The number one reason CFO’s cite as the reason for implementing immediately. From downloadable financial data to dynamically created graphic reports that quickly show risk mitigation and treasury reports by organization or location, solution delivers what you want, when you want it.
There is no other technology on the market positively impacting compliance, costs, and fraud like this, which is why 98% of organizations that see a demo implement it.

Our solution can be integrated with traditional medical billing and intake systems. The technology platform sits in front of the existing processor.

See also related articles  virtual terminal for medical billing solutions providers and Red Flags Rule for Identity Theft Prevention Programs.