In The Future, Everyone Will be Audited for 20 Years (CardSystems Analysis)
In the largest known compromise of financial data to date, CardSystems Solutions, Inc. and its successor, Solidus Networks, Inc., doing business as Pay By Touch Solutions, have agreed to settle Federal Trade Commission charges that CardSystems’ failure to take appropriate security measures to protect the sensitive information of tens of millions of consumers was an unfair practice that violated federal law. According to the FTC, the security breach resulted in millions of dollars in fraudulent purchases. The settlement will require CardSystems and Pay By Touch to implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years.
Thanks to Ryan Singel for the link to “CardSystems Solutions Settles FTC Charges.” The clown picture is by Fabiana Valgôde. There’s some security analysis after the jump.
I want to start with the specific claims that the FTC sets forth about what was and wasn’t done:
- created unnecessary risks to the information by storing it;
- did not adequately assess the vulnerability of its computer network to commonly known or reasonably foreseeable attacks, including “Structured Query Language” injection attacks;
- did not implement simple, low-cost, and readily available defenses to such attacks;
- did not use strong passwords to prevent a hacker from gaining control over computers on its computer network and access to personal information stored on the network;
- did not use readily available security measures to limit access between computers on its network and between its computers and the Internet; and
- failed to employ sufficient measures to detect unauthorized access to personal information or to conduct security investigations.
It’s an interesting list, for what’s there, and what’s not there. The first is a theme that we return to over and over here: Don’t store data you don’t need. The next five are all about standard, easily purchased types of security products. There’s less direct mention of secure coding, good design, or risk management, which are not easily purchased as products.
More interesting is that the FTC’s imposed remedies seem to be resolving into a sort of menu of options, which the commissioners pick and choose from.
That resolution allows us to estimate costs. It will be interesting to see how those costs play out. Are they high enough to justify the purchase of technology, or low enough that executives will choose to take the risk?