Bruce Schneier comments on this situation: "Every credit card company is terrified that people will reduce their credit card usage. They're worried that all of this press about stolen personal data, as well as actual identity theft and other types of credit card fraud, will scare shoppers off the Internet. They're worried about how their brands are perceived by the public. And they don't want some idiot company ruining their reputations by exposing 40 million cardholders to the risk of fraud."
Howard Schmidt said: "I think that anytime a breach of security of any size, especially one that contains consumer private information causes executives to ask "Can this happen to us and if so how do we fix it" With the compliance issues taking a bigger role in corporate governance world wide I would expect this to continue to be a board room discussion which will increase security."
And just in time for the holidays, Guidance Software (a self-proclaimed leader in incident response and computer forensics) suffered a breach that will probably get a lot of people fired. The incident during which some 3,800 customer credit card numbers have been stolen, occurred on November 25th but wasn't discovered until December 7th. Did Guidance Software contact their customers immediately? No. In the age where even children use mobile phones, IM and e-mail, they chose to send out notices of the breaches via regular mail. Why? They claim people change e-mail addresses too frequently while the location of the offices stays the same. I guess they think these companies also change their phone numbers all the time. Even if they do, shouldn't they keep an up-to-date database with contact information?
To make things even worse, the company stored customer records in databases that were not encrypted and if that wasn't bad enough they also kept the three digit Card Value Verification (CVV) numbers despite the guidelines by MasterCard and Visa that prohibit the storage of the CVV numbers after a transaction and require the databases to be encrypted. The company says they didn't know these numbers were stored for a longer period of time. I don't know if this makes things better or worse.
Rootkits go mainstream
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.