Diary of a Data Breach Investigation
An information security manager shares the diary he kept while investigating a possible data breach
April 01, 2009 — CSO —
When the CISO asks to speak to you with that look on his face, you know the news isn't good. We were contacted by one of our third-party vendors, whom we had hired to do analysis on our website traffic.
It appears that we have been passing sensitive information to them over the Internet. This sensitive information included data such as customer names, addresses and credit card information. Because we are a public company, there are many regulatory guidelines that we have to follow, like Sarbanes-Oxley (SOX) and the Payment Card Industry's (PCI) data security standard.
Fortunately for us, our vendor has retained a copy of everything that we have sent to them.
Unfortunately for us, it was six months of information totaling over a terabyte.
Since our website is international, the legal department needed to obtain outside counsel to assist us in this matter. It will be a few days until I receive the data from the vendor.
We have received the data from our vendor and my preliminary analysis is not good. It appears that we were sending the vendor every form field of every page on our website.
After speaking with the product team, it appears that the generator of the data is a piece of third-party code, which was supplied to us by the vendor to whom we were sending the data.
The first question that I asked was if this code was reviewed, which I was promptly told, "Yes!"
The code was reviewed before its initial installation almost a year ago. Even though the code had been in our staging and production environments for almost a year, we have only been sending the vendor sensitive information for the last six months.
I asked if the code had changed at all in that time, and I was told "most likely." The product team was going to talk to development to get me a list of all changes to the code.
The data is massive and there are over a billion records that need to be investigated. I am working on writing a small data-mining program to piece it all together.
Legal wants me to give them a list of every single person who is affected along with their location. In the meantime, they are investigating the privacy laws of every single state in the U.S. as well as several other countries that they suspect may be contained within the data.
After telling legal that it would take me six weeks to gather the information they required, I was told that I needed to move faster.
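The diary does not show the data-mining program or the vendor's record format. The block below is an added example, not the author's code, of the first pass such a program needs: walk every captured form submission, scan every field value (not just fields named like a card field, since the tag shipped every field of every page) for primary account numbers that pass the Luhn check, and roll the hits up per person and per jurisdiction so legal can match them against state and country notification laws. The JSON-lines layout, the field names and the five records are constructed for the example; the Luhn check deliberately drops one "card" value that fails it, which is how test and mistyped numbers are kept out of the notification list (a real review would still flag that field by name).

```python
import json
import re
from collections import defaultdict

# Constructed sample of the kind of record a traffic-analytics tag might have
# shipped: one JSON object per form submission with every field included.
# These rows are invented for the example; they are not the diary's data.
SAMPLE_RECORDS = """
{"ts": "2008-10-03T14:22:01Z", "page": "/checkout", "fields": {"name": "Alice Example", "street": "1 Main St", "state": "CA", "country": "US", "card": "4111 1111 1111 1111"}}
{"ts": "2008-10-03T14:25:40Z", "page": "/newsletter", "fields": {"email": "bob@example.org", "country": "DE"}}
{"ts": "2008-10-04T09:01:12Z", "page": "/checkout", "fields": {"name": "Alice Example", "street": "1 Main St", "state": "CA", "country": "US", "comments": "pls rush 4111111111111111"}}
{"ts": "2008-10-05T17:45:00Z", "page": "/checkout", "fields": {"name": "Carol Muster", "street": "Hauptstr. 5", "country": "DE", "card": "4111 1111 1111 1112"}}
{"ts": "2008-10-06T08:00:00Z", "page": "/checkout", "fields": {"name": "Dan Sample", "state": "NY", "country": "US", "card": "5500000000000004"}}
"""

# Candidate PAN: 13 to 19 digits not adjacent to other digits.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, the cheapest filter between 'looks like a PAN' and 'is a PAN'."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(value: str) -> list:
    """Return Luhn-valid card numbers found anywhere in a field value.

    Spaces and hyphens are stripped first so '4111 1111 1111 1111' is caught;
    the field name is ignored on purpose, because a PAN typed into a free-text
    'comments' box is still a PAN.
    """
    compact = re.sub(r"[ -]", "", value)
    return [c for c in PAN_RE.findall(compact) if luhn_valid(c)]


def parse_records(text: str):
    """Yield one dict per non-empty JSON line (assumed export format)."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def person_key(fields: dict):
    """Identify a person by name, else e-mail, plus the location legal asked for."""
    who = fields.get("name") or fields.get("email")
    if not who:
        return None
    return (who, fields.get("country", "??"), fields.get("state", ""))


def affected_people(records) -> dict:
    """Map (person, country, state) -> record count, pages seen, and masked PANs."""
    people = defaultdict(lambda: {"records": 0, "pages": set(), "pan_last4": set()})
    for rec in records:
        fields = rec.get("fields", {})
        key = person_key(fields)
        if key is None:
            continue  # no identifiable person in this submission
        entry = people[key]
        entry["records"] += 1
        entry["pages"].add(rec.get("page", ""))
        for value in fields.values():
            if isinstance(value, str):
                for pan in find_pans(value):
                    entry["pan_last4"].add(pan[-4:])  # never keep the full PAN in the report
    return dict(people)


def by_jurisdiction(people: dict) -> dict:
    """Count affected people, and those with card data exposed, per (country, state)."""
    counts = defaultdict(lambda: {"people": 0, "with_pan": 0})
    for (_, country, state), entry in people.items():
        j = counts[(country, state)]
        j["people"] += 1
        if entry["pan_last4"]:
            j["with_pan"] += 1
    return dict(counts)


def summarize(text: str = SAMPLE_RECORDS):
    people = affected_people(parse_records(text))
    return people, by_jurisdiction(people)


if __name__ == "__main__":
    people, jurisdictions = summarize()
    for (who, country, state), e in sorted(people.items()):
        print(f"{who:16} {country}/{state or '-'} records={e['records']} card_last4={sorted(e['pan_last4'])}")
    for (country, state), c in sorted(jurisdictions.items()):
        print(f"{country}/{state or '-'}: {c['people']} people, {c['with_pan']} with card data")
```

On the sample, the same customer who appears twice is counted once with both submissions attached, the newsletter signup is listed as affected (an e-mail address with a country is still personal data) but without card exposure, and the jurisdiction table is what legal would take to the per-state and per-country notification rules. At the diary's scale the same logic would be run over the terabyte in streaming fashion rather than loading it into memory.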