Undercover
Diary of a Data Breach Investigation
An information security manager shares the diary he kept while investigating a possible data breach
By Anonymous
It seems that some of the privacy laws require notification within a certain period of time after the discovery of the incident. I told them I simply don't have the computing power to give them what they need any quicker. I was authorized to purchase several machines to aid in the data-mining effort.
Friday
My lab machines have arrived and I have been provided with a private workspace in which to work. I spent almost the entire day splitting up the data, and I am preparing to run my data-mining program over the weekend.
I have guessed that each machine will need about 16 hours of processing in order to complete. I will have to monitor the results over the weekend to make sure that everything completes on time. Other than getting the machines to work, I have been in many meetings with the legal department where the terms "data breach" and "customer notification" have been thrown around.
I immediately started to think about all of the recent news regarding companies and data breaches. I knew I didn't want my company to be added to that list.
Monday
I met with the legal department this morning to give them a progress update. There were roughly 10 million entries in the data that contained customers and their credit card information, with six million being unique.
I have created a breakdown of all of the data based on state and country, and it seems that we may have to look at privacy laws in almost a dozen countries.
The product team got back to me and there were over ten changes to the third-party code since it was first put in place.
Unfortunately, they didn't get around to doing a code review on any version after the original.
The only real piece of good news that they gave me was that all connections to our vendor were done over SSL. At least this data did not go over the Internet in plain text. I will give this one piece of good news to the legal department at our meeting later today.
Three Weeks Later
Even though my work has been done for several weeks, the legal department continued to deliberate on whether or not to report this as a data breach to the customers that were affected.
As it turns out, the vendor who received the data had relatively good procedures in place and not many people had access to our data.
We were able to account for everyone who may have accessed the data, and because the legal department feels that the data never left our control, they decided that this did not constitute a data breach. An outside forensics firm confirmed the data never left a controlled environment.