It’s Not Just about Credit Card Numbers Any More


2011 Data Breaches Signal the Need for a Different Protection Strategy

Executive Summary

Recent data breaches have shown that hackers are no longer only seeking financial information, but are targeting personally identifiable information (PII) such as email addresses, health data and proprietary company information, which is highly valuable to cybercriminals yet vastly underprotected. This shift reflects the improved security measures companies have put in place to protect financial information; however, the recent data breaches are clear evidence that corporations and smaller targets alike are not placing the same level of security on PII. This report will look at the malicious attacks on Epsilon, Sony and Citigroup and dissect each data breach with an eye on how it occurred, how it could have been prevented and what companies can do moving forward to ensure that PII is properly secured.

Report

There certainly has been plenty of activity to keep security observers busy this year with the massive breaches at Citigroup, Sony, Epsilon (the world’s largest email marketer) and the high-profile attacks by notorious hacker groups LulzSec and Anonymous. Underlying this hyperactivity amongst the cybercriminal fraternity is a clear trend towards targeted attacks and automated attacks.

According to the 2011 edition of Verizon’s annual Data Breach Investigation Report, conducted in cooperation with the US Secret Service, 92% of all data breaches were the result of penetration of corporate defenses by external attacks, up 22% from the previous year’s report. The most depressing data to emerge from this report was that, despite the fact that 92% of attacks were relatively unsophisticated, 96% of them were estimated to have been preventable without difficult or expensive corrective action. That is a stunning indictment of the data protection methods used by corporations today, even in the face of strict regulatory requirements.

It’s not just the criminals who are expanding their range of activities. Corporations are also broadening the target by establishing vast cloud-based data centers – without necessarily realizing that securing the cloud and securing the data that’s stored in the cloud are far from being the same thing. While no one would disagree that placing a robust perimeter defense around cloud storage is essential, the sad reality is that someone is always going to find a way to break through that defense. Just ask Dropbox – since they don’t encrypt any of the data they host.

The Ponemon Institute also regularly conducts surveys around the state of data security. In 2009, the latest period for which breach cost data are available, Ponemon found that the cost of a data breach per compromised record was $204, with legal defense costs up by more than 50% as a factor in those costs. Even more interesting perhaps was the discovery that financial institutions no longer represented the highest cost by industry, indicating that criminals had discovered easier prey.

Most mandatory regulations have focused on the protection of financial data – primarily credit card and bank account numbers – and rightly so. Credit card numbers have become widely used as the central identifier in customer records; large retail organizations typically stored credit card data in every critical business processing system. By acquiring rafts of credit card numbers, criminals could go on rapid and expensive shopping sprees, covering their tracks and moving on before law enforcement could identify them.


But those regulations, most notably PCI DSS, have been in place for some time now, and the majority of organizations, at least those storing significant amounts of customer credit card data, have established robust defenses against cyber-thieves. PCI DSS compliance, however, is neither easy nor cheap, so many smaller merchants do remain vulnerable. A survey conducted by the Ponemon Institute and Tripwire in 2010 revealed that the average annual cost to comply with financially focused regulations for a large multinational organization was $3.5M, or $222 per employee (though that number was dwarfed by the potential cost of non-compliance – a whopping $9.4M average, or $820 per employee).

It’s clear that, in the arena of financial data protection, a lot of money is being thrown at the problem, which naturally makes it the number one focus for the majority of information security vendors. So the criminal fraternity has started looking elsewhere for lower-hanging fruit, and it seems like they’ve found it in the form of email addresses.

This shouldn’t be a surprise. Phishing is the fastest growing tactic used by cybercriminals to extract valuable data, since bank and credit card information has become so much harder to get directly. And why is that? Because phishing focuses on the weakest link in any security chain – people. People naturally trust names and information that are familiar and expected.

In the case of the Epsilon (the largest distributor of permission-based email in the world) and Sony breaches, the thieves acquired exactly the kind of information that allowed them to abuse this trust – email addresses and first names of people who had opted in to receive information from specific organizations. So when a user receives a nicely formatted email that’s not only personalized but comes from a site he or she registered with, there’s a good chance they’ll click links and answer questions they might not have done had the request arrived in a less familiar form.

Notes Securosis analyst Mike Rothman, “Targeted attacks [spear phishing] is now more profitable than bulk spam, so you don’t have to be a brain surgeon to figure out what the focus of the bad guys is going to be.”

From Encryption to Tokenization

Historically, businesses have turned to encryption as their first choice for protecting sensitive data, implementing central key management systems to control access to that data. But encryption systems are notoriously complex to deploy and implement, leaving them vulnerable to hacker attacks. Then along came PCI DSS and its extensive – and, as noted above, expensive – compliance requirements.

But if that credit card data is replaced with tokens, close to 50% or more of your systems could potentially be taken out of scope, because what are being stored are tokens – totally random replacement values for the credit card numbers that retain all the essential characteristics of those numbers without compromising security. This means that the requirement to encrypt databases and archives no longer applies. Thus there is no need to manage huge numbers of encryption keys, and stringent access control requirements go away.

According to Gartner Vice President and Distinguished Analyst Avivah Litan, “Tokenization is a very hot topic among Gartner clients who have to comply with PCI DSS. After all, by not storing electronic cardholder data, ‘most’ enterprises are eligible for a greatly reduced set of PCI requirements as contained in SAQ [Self Assessment


Of course, tokenization doesn’t do away with all the security requirements of PCI DSS, but it does have the potential to put a significant dent in those multi-million dollar compliance costs. Even for smaller merchants who can self-assess, tokenization reduces the workload.

But tokenization has the potential to go beyond the protection of credit card data to secure all types of personally identifiable information such as email addresses, dates of birth, and health records, where HIPAA compliance is at least as important as PCI in the world of data protection. Those (many) organizations – including multiple government agencies – whose customer records were not built around financial transactions used Social Security or driver license numbers as the pivotal customer identifiers that glued each customer’s information together. The most notorious example of this is probably health insurance organizations, which until very recently routinely reproduced Social Security numbers on their customers’ insurance cards, unnecessarily exposing them to many people who did not need that information in order to perform their jobs.

By tokenizing key PII information such as SSNs, which are rarely actually needed for information processing tasks, organizations can significantly reduce the risk of loss or theft of that information without impacting operations.
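The two passages above describe tokenization as replacing a card number or SSN with a random value that keeps the original’s shape, so that only a small vault ever holds the real data and every other system stores tokens. The following Python sketch is an added illustration of that model; it is not Protegrity’s product, nor code from this paper. The class and function names (TokenVault, tokenize, detokenize, build_order_record), the choice to preserve the last four digits, and the rule that a token must fail the Luhn check so it can never be confused with a live card number are all assumptions of this example.

```python
import secrets
from typing import Dict


def luhn_valid(number: str) -> bool:
    """Luhn check as used for card numbers; True when the check digit matches."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Constructed in-memory token vault (assumption: a real deployment would
    isolate, encrypt and access-control this store). Only the vault ever sees
    the original value; every other system stores the token it returns."""

    def __init__(self) -> None:
        self._value_to_token: Dict[str, str] = {}
        self._token_to_value: Dict[str, str] = {}

    def tokenize(self, value: str, keep_last: int = 4) -> str:
        """Return a digits-only token of the same length as `value`, preserving
        the last `keep_last` digits so receipts and lookups keep working."""
        if not value.isdigit():
            raise ValueError("expected a digits-only value such as a PAN or SSN")
        if not 0 <= keep_last < len(value):
            raise ValueError("keep_last must leave at least one digit to randomize")
        if value in self._value_to_token:
            return self._value_to_token[value]   # same input always maps to the same token
        random_len = len(value) - keep_last
        while True:
            random_part = "".join(secrets.choice("0123456789") for _ in range(random_len))
            token = random_part + value[len(value) - keep_last:]
            # Reject: the original value itself, a token already issued, and any
            # candidate that passes Luhn (design choice: a token must never be
            # mistakable for a real card number)
            if token != value and token not in self._token_to_value and not luhn_valid(token):
                break
        self._value_to_token[value] = token
        self._token_to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        """Resolve a token; only the payment/processing path should be allowed to call this."""
        return self._token_to_value[token]


def build_order_record(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the order database stores: a token and last four, never the PAN (constructed schema)."""
    token = vault.tokenize(pan)
    return {"card_token": token, "card_last4": token[-4:], "amount_cents": amount_cents}


if __name__ == "__main__":
    vault = TokenVault()
    record = build_order_record(vault, "4111111111111111", 1999)   # well-known test PAN
    print(record)
    print("vault resolves token back to:", vault.detokenize(record["card_token"]))
```

The point the example makes concrete is the one in the text: the order database, its backups and its reports contain nothing a thief can use, so they fall out of the encryption and key-management requirements, while the single vault is the only component that needs the heavy controls.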

Dissecting Recent Attacks

On April 1st 2011, Epsilon, a subsidiary of Alliance Data Systems that provides email marketing services to some of the world’s largest corporations, announced that names and email addresses had been “exposed by an unauthorized entry into its email system.” While the size of the breach – 2% of the client base – seems small, Epsilon is the world’s largest email marketing corporation, with 250 million email addresses on file, and the customer lists for 50 of its corporate customers made up that 2%. Those corporate customers included BestBuy, CitiBank, Disney, JP Morgan Chase, Home Shopping Network, Marriott Hotels, Barclay’s Bank, and Hilton. That’s a significant haul for the phishers to go to work on.

While Epsilon has not revealed details of how the breach occurred, Jonathan Zittrain, a professor of law at Harvard Law School and co-founder of the Berkman Center for Internet & Society, believes the breach should never have happened. “The right security controls — or overall architecture, not keeping a Ft. Knox of email addresses lazily on the Internet, even behind a password — could have prevented this.”

Epsilon has since partnered with Verizon to improve its cloud security, implemented more stringent access control through two-factor authentication, and is working with Internet service providers (ISPs) to “build an unprecedented anti-phishing solution.” According to Ulf Mattsson, CTO at Protegrity, “While these are all steps in the right direction, these actions do not address the fundamental issue of securing data in the cloud. However strong the perimeter may be, if it’s breached and the data inside that perimeter is ‘in the clear,’ we’ll see exactly the same outcome.”

As a result of the breach, Alliance Data Systems’ stock price dropped five percent but has since recovered; no information has been published as to the impact on those whose information was compromised.


At the beginning of June 2011, Sony Pictures Entertainment admitted that approximately 37,500 users had personally identifiable information stolen in an attack the prior week on its website. This latest breach came hot on the heels of the major attack in March of this year in which the PII, credit, and debit card data for more than 100 million users of the PlayStation and Online Entertainment Networks, including minors, were compromised.

By mid-June, three New York PlayStation Network users had filed a federal lawsuit alleging that Sony spends ‘lavishly’ to secure its own intellectual property while cutting corners in protecting the personal data of its customers. The plaintiffs accuse Sony of negligence, privacy violations and breach of contract, claiming that the company does not follow industry best practices to protect customer data. Another lawsuit against the company filed in California contends that Sony did not encrypt personal data and failed to take other basic security precautions. Some 17 additional legal actions are pending across the United States.

On April 27th 2011, the company posted an official Q&A on the breach on its PlayStation blog. Included was the following statement:

“All of the data was protected, and access was restricted both physically and through the perimeter and security of the network … The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack.”

And there it is – a robust perimeter, but the data inside the perimeter was not protected – a textbook illustration of why perimeter security alone is an inadequate solution for PII.

The company’s stock market value has dropped by more than 30% since March 2011, but the full extent of the damage will probably never be known, as it appears Sony lacked the tools and technology needed to conduct a full forensic audit on the incidents.

As well as being included in the Epsilon breach earlier this year, Citigroup’s unfortunate customers were also in the direct line of fire on May 10th 2011, when some 360,000 credit card numbers, representing 1% of the company’s customer base, were stolen along with PII. The discovery was made during “routine monitoring” – not as the result of any alert from Citi’s existing security systems.

Tom Wills, a fraud analyst at Javelin Strategy & Research, comments that “The biggest damage for Citi is probably going to be reputational, because the hackers apparently didn’t pull enough customer data to commit out-and-out fraud. But I won’t be surprised to see it used in phishing and other social-engineering attacks - or aggregated with other compromised customer data to commit fraud, which is the bad guys’ modus operandi these days.”

And according to an official company statement, “The customers’ account information [such as name, account number and contact information, including email address] was viewed. However, data that is critical to commit fraud was not compromised: the customers’ social security number, date of birth, card expiration date and card security code [CVV].”


Hardly reassuring when one considers that, as noted by Wills at Javelin, the information exposed was more than enough to enable hackers to embark on an extensive phishing campaign amongst the victims.

One additional significant fact to emerge from dissecting these attacks is that all three companies took exactly the same path to alerting customers about the breach: they sent them emails …

The latest danger: breach fatigue

Not a threat in the expected sense, but the danger with all of these breaches appearing one after the other is that consumers and, more dangerously, employees at affected organizations begin to take it for granted that breaches are just part of life, and that they’ll just clean up and move on.

While breach fatigue is not a factor for banks and other financial institutions since security is so key to retaining customers, other types of businesses like Sony and Epsilon are being impacted by the shift from financial information to PII.

According to Neal O’Farrell, founder of the Identity Theft Council, part of the problem is “lack of accountability following an incident. When a retailer is breached, for instance, consumers don’t stop shopping there. The businesses don’t see any long-term damage, so they don’t think it will hurt customer trust. There are so many data breaches, it’s easy for these companies to dodge the bullet of customer anger, fueling the sense of apathy.”

Combine apathy with budget cutbacks and you have the ideal conditions for hackers to go phishing.

How to avoid a breach

To maximize protection for PII and eliminate the risk of brand and financial damage resulting from breaches, corporations would be well-advised to consider the following best practices:

1. Treat PII data as if it were financial information. Since there are fewer regulations and available guidelines on protecting PII data, look to more established regulations and apply their guidelines. By protecting PII as you would financial information, you will ensure that you have the best security measures in place to mitigate the next breach. Organizations can refer to publicly available guidelines, such as PCI DSS 2.0, to establish an internal PII data security policy that is run by the corporate security office.

2. Know where your data is going and protect the data first and foremost. Most companies have focused their data protection strategies on protecting the network where the data is stored, rather than protecting the actual data. Start with an internal data classification audit that walks through your data flow for your internal business processes, as well as all external processes with third party vendors, to identify all potentially sensitive data. Outsourcing your database hosting duties does not mean that you’ve outsourced liability.

3. Audit your data flow, and your vendors. Once you know your data flow and have classified the data, you need to ensure that any vendors with access to the data comply with your standards for data security. At a minimum, you need to know what type of security solution your third party firm is using for data in transit and data at rest, and


4. Ensure separation of duties. Creating a separation of duties between the corporate security office and the database administrator will ensure that no single individual or group controls access to information in the database without oversight of the CSO. This separation of duties should also be established between the CSO and anyone who administers IT systems through which data flows.

5. Apply appropriate protective measures to your PII. While Epsilon did not disclose the type of data security solution it was using when its servers were breached, the company reportedly was not using encryption.

Organizations need to actively monitor emerging data security solutions because it’s clear that older technologies such as access control, masking, and hashing are no longer sufficient. At a minimum, PII should be protected with up-to-date encryption techniques; however, tokenization provides the strongest and most cost-effective data security available today.
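Item 2 above calls for a data classification audit that walks the data flow and identifies every potentially sensitive field before deciding how to protect it. As an added example (not part of this paper and not a Protegrity tool), the Python below runs that first pass over a constructed customer export: it labels each column with the PII categories the paper discusses (email address, SSN, card number) when a majority of its rows match. The column names, the sample rows, the regular expressions and the 50% threshold are all assumptions of this example; none of the sample values belongs to a real person.

```python
import csv
import io
import re
from typing import Dict, Set

# Whole-field patterns for the PII categories singled out in the text. They are
# deliberately strict so that free-text columns are not flagged by accident.
PII_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"),
    "ssn": re.compile(r"^\d{3}-?\d{2}-?\d{4}$"),
    "card_number": re.compile(r"^(?:\d[ -]?){13,19}$"),
}

# Constructed sample export (assumption: what a vendor might hand back for review).
SAMPLE_EXPORT = """\
customer_id,customer_email,gov_id,card_on_file,notes
1001,alice@example.com,123-45-6789,4111 1111 1111 1111,prefers email contact
1002,bob@example.org,987654321,5500000000000004,called about invoice
1003,carol@example.net,111-22-3333,340000000000009,
1004,support desk,n/a,none,opted out
"""


def classify_value(value: str) -> Set[str]:
    """Return every PII category whose pattern matches the whole field."""
    value = value.strip()
    return {name for name, pattern in PII_PATTERNS.items() if pattern.match(value)}


def classify_columns(csv_text: str, threshold: float = 0.5) -> Dict[str, Set[str]]:
    """Label each column with the categories found in at least `threshold` of its
    rows; columns that carry no recognised PII are omitted from the result."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    if not rows:
        return {}
    labelled: Dict[str, Set[str]] = {}
    for column in rows[0].keys():
        hits: Dict[str, int] = {}
        for row in rows:
            for category in classify_value(row[column] or ""):
                hits[category] = hits.get(category, 0) + 1
        labels = {cat for cat, n in hits.items() if n / len(rows) >= threshold}
        if labels:
            labelled[column] = labels
    return labelled


if __name__ == "__main__":
    for column, labels in sorted(classify_columns(SAMPLE_EXPORT).items()):
        print(f"{column}: {', '.join(sorted(labels))}")
```

The threshold matters in practice: a single stray email address in a notes column should land on a review list, not automatically turn that column into a tokenization target, so the scan separates "majority PII" columns from incidental matches. Its output is the inventory the remaining steps (vendor audit, separation of duties, choice of protective measure) work from.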

Protegrity Tokenization – the right approach for today’s data protection

The explosion of cloud computing and heightened regulatory requirements for securing sensitive data have created a huge challenge for businesses that traditional encryption and older tokenization technologies are hard-pressed to meet.

While industry analysts and security experts all agree on the advantages of tokenization in helping companies comply with PCI DSS and other data security regulations, there are several perceived problems with traditional approaches – they have a significant impact on IT system performance, frequently take months to deploy, and cannot easily scale across multiple data categories.

Unlike these other tokenization methods that involve large, constantly growing token servers with massive amounts of encrypted data, Protegrity Tokenization allows for the removal of encrypted data from the token server, creating a very small system footprint that makes it less complex and expensive to manage. For example, the maximum number of records stored in a Protegrity token server is 4 million, compared to 50 million with other approaches. This size reduction reduces the complexity and related costs associated with compliance. Additionally, because Protegrity Tokenization processes more than 200,000 tokens per second compared to 20 tokens per second with other approaches, it offers higher performance and greater scalability. In addition, Protegrity Tokenization can be deployed in a matter of days without the assistance of an army of expensive consultants.

Also, as more organizations move their IT infrastructure to the cloud, Protegrity Tokenization can help protect data stored in cloud environments. Because the cloud introduces additional risk by decreasing administrators’ ability to control the flow of sensitive data, encryption keys become particularly vulnerable to exposure. This in turn means that organizations need to be considering more secure data protection technologies like tokenization to prevent thieves from being able to do anything with data if they manage to break through the cloud’s perimeter security. According to one satisfied Protegrity customer, the Security Project Manager at a major oil and gas retail operation, “this is one of those few cases where a solution ended up the way the sales guys said it would occur – and it’s saved us a lot of time and money.”


In conclusion

Securosis analyst Adrian Lane put it best when he summed up the value of tokenization this way: “Risk is reduced because you can’t steal what’s not there. This makes tokenization superior to encryption from a security standpoint … Tokenization of PII is the recommended strategy as it’s cheaper, faster, and more secure than other alternatives.” Protegrity is today securing sensitive data for 25 percent of the 20 largest U.S. retailers and more than 200 other government, financial services, healthcare, insurance, travel & transportation, and manufacturing organizations. To find out more about how your organization can take PII protection to the next level, contact Protegrity at info@protegrity.com or call 203.326.7200.

For more information Telephone: 203.326.7200 Email: info@protegrity.com www.protegrity.com

About Protegrity

Headquartered in Stamford, CT, Protegrity provides high performance, infinitely scalable, end-to-end data security solutions that protect sensitive information across the enterprise from the point of acquisition to deletion. The company’s award winning software products span a variety of data protection methods, including end-to-end encryption, tokenization, masking and monitoring and are backed by several important data protection technology patents. Currently, more than 200 enterprise customers worldwide rely on Protegrity’s comprehensive data security solutions to enable compliance for PCI DSS, HIPAA and other data security requirements while protecting their sensitive data, brand, and business reputation.
