Diary of a Data Breach Investigation
An information security manager shares the diary he kept while investigating a possible data breach
By Anonymous
April 01, 2009 — CSO —
Monday
When the CISO asks to speak to you with that look on his face, you know the news isn't good. We were contacted by one of our third-party vendors, whom we had hired to do analysis on our website traffic.
It appears that we have been passing sensitive information to them over the Internet. This sensitive information included data, such as customer names, addresses and credit card information. Because we are a public company, there are many regulatory guidelines that we have to follow like Sarbanes-Oxley (SOX) and the Payment Card Industry's (PCI) data security standard.
Fortunately for us, our vendor has retained a copy of everything that we have sent to them.
Unfortunately for us, it was six months of information totaling over a terabyte.
Since our website is international, the legal department needed to obtain outside council to assist us in this matter. It will be a few days until I receive the data from the vendor.
Thursday
We have received the data from our vendor and my preliminary analysis is not good. It appears that we were sending the vendor every form field of every page on our website.
After speaking with the product team, it appears that the generator of the data is a piece of third-party code, which was supplied to us by the vendor to whom we were sending the data.
The first question that I asked was if this code was reviewed, which I was promptly told, "Yes!"
The code was reviewed before its initial installation almost a year ago. Even though the code had been in our staging and production environments for almost a year, we have only been sending the vendor sensitive information for the last six months.
I asked if the code had changed at all in that time, and I was told "most likely." The product team was going to talk to development to get me a list of all changes to the code.
The data is massive and there are over a billion records that need to be investigated. I am working on writing a small data-mining program to piece it all together.
Legal wants me to give them a list of every single person that is affected along with their location. In the meantime, they are investigating the privacy laws of every single state in the U.S. as well as several other countries that they suspect may be contained within the data.
After telling legal that it would take me six weeks to gather the information they required, I was told that I needed to move faster.
Understanding malware techniques and the ever-more sophisticated cybercrime ecosystem
Advanced evasion techniques emerge
Organized cybercrime revealed
Inside the global hacker service economy
Anatomy of a DDoS extortion attack
The rise of anti-forensics
The botnet hunters
Timeline: a decade of malware
- Introduction to VMware vCenter Site Recovery Manager 5
- Introduction to Virtualization
- Preventing Unplanned Downtime with Server Virtualization
- Secure Cloud Infrastructure and Next-Generation Data Centers - An Interactive Panel for Decision Makers
- Gartner Next Generation Network IPS Webcast
- Understand Your Data: The Future of Backup and Archiving
- Planning For Failure: Incident Management Is A Top Priority
- CA Technology Brief: CA Point of View: Content Aware Identity & Access Management
- Data Loss Prevention Solution for Managing E-Discovery
- Enterprise Strategy Group: The Case for a New Data-centric DLP White Paper
- Business Centric DLP
- Data Loss by the Numbers
- M86 report proves water is wet
No disrespect toward M86 Security intended. I've used a lot of their research in the past and they are always a pleasure to work with. But the latest report they sent me represents a big problem I'm finding with these documents lately: They tell us nothing new. Therefore, they are not helpful.
- Actor, banker, soldier, spy: Suits and Spooks Anti-Conference aims to redefine security
- SECURITY WISDOM WATCH: Gee Whiz Edition
More Salted Hash with Bill Brenner
