Undercover
Diary of a Data Breach Investigation
An information security manager shares the diary he kept while investigating a possible data breach
By Anonymous
April 01, 2009 — CSO —
Monday
When the CISO asks to speak to you with that look on his face, you know the news isn't good. We were contacted by one of our third-party vendors, whom we had hired to do analysis on our website traffic.
It appears that we have been passing sensitive information to them over the Internet. This sensitive information included data, such as customer names, addresses and credit card information. Because we are a public company, there are many regulatory guidelines that we have to follow like Sarbanes-Oxley (SOX) and the Payment Card Industry's (PCI) data security standard.
Fortunately for us, our vendor has retained a copy of everything that we have sent to them.
Unfortunately for us, it was six months of information totaling over a terabyte.
Since our website is international, the legal department needed to obtain outside council to assist us in this matter. It will be a few days until I receive the data from the vendor.
Thursday
We have received the data from our vendor and my preliminary analysis is not good. It appears that we were sending the vendor every form field of every page on our website.
After speaking with the product team, it appears that the generator of the data is a piece of third-party code, which was supplied to us by the vendor to whom we were sending the data.
The first question that I asked was if this code was reviewed, which I was promptly told, "Yes!"
The code was reviewed before its initial installation almost a year ago. Even though the code had been in our staging and production environments for almost a year, we have only been sending the vendor sensitive information for the last six months.
I asked if the code had changed at all in that time, and I was told "most likely." The product team was going to talk to development to get me a list of all changes to the code.
The data is massive and there are over a billion records that need to be investigated. I am working on writing a small data-mining program to piece it all together.
Legal wants me to give them a list of every single person that is affected along with their location. In the meantime, they are investigating the privacy laws of every single state in the U.S. as well as several other countries that they suspect may be contained within the data.
After telling legal that it would take me six weeks to gather the information they required, I was told that I needed to move faster.
data breach
Log Management in a Cyber World
With so many potential cyber villains poking around the gates, enterprises must have strong protections and pristine visibility into what's happening on the network. Explore the increasing importance of log management as cybercrime and other malicious threats grow.
Comparing Research in Motion and Microsoft Mobile Solutions
Organizations must look carefully at the requirements of mobile devices and accompanying middleware that can increase cost, complexity and administrative overhead. This white paper provides an independent analysis and detailed comparison of RIM and Microsoft's mobile solution.
- PCI DSS Compliance in the UNIX/Linux Datacenter Environment
- The Pursuit of a Standardized Solution for Secure Enterprise RBAC
- Building a Secure and Compliant Windows Desktop
- Root Access Risk Control for the Enterprise
- Cyber Crime: A Clear and Present Danger
- Gene Kim's Practical Steps to Achieve and Maintain NERC Compliance
Stay current with insightful news and analysis on information security, business continuity, identity and access management, loss prevention and more with CSO newsletters!
CSO Corporate Partners
CSO Perspectives
-
April 5-7, 2010Hyatt Regency Santa ClaraClick here for more information!
Santa Clara, California
(ISC)2 members can earn up to 24 CPE Credits!
