London: Commenting on the loss of 1.5 million cardholder credentials by an Atlanta, Georgia-based transaction processor, Venafi says that it comes as no surprise that cybercriminals have targeted the firm, as each set of cardholder credentials is worth between $1.00 and $6.00, depending on the card issuer and the cardholder’s location plus account classification.
According to Jeff Hudson, chief executive of the enterprise key and certificate management (EKCM) solutions specialist, this values the cardholder credentials taken during this cyberheist at around the 5 million dollar mark.
“Despite the size of the batch of credentials harvested by the hackers – who can then sell them to fellow criminals – the key question is why did Global Payments wait so long before admitting something was wrong, and only reveal the scale of the data losses after a US security researcher made a posting on his blog last Friday,” he said.
“On top of this, the security requirements mandated by the PCI DSS 2.0 guidelines appear to have been broken by the company. These mandate a number of minimum procedural and technology specifications that are designed to expressly prevent this kind of data breach and its consequences,” he said.
The Venafi CEO went on to say that, while the results of a full investigation into what went wrong at Global Payments and its Internet hosting company may take some time to be revealed, the most worrying aspect of the breach is why the firm took so long to reveal the event - and its scale.
None of the answers to this question, he says, are particularly positive – either there was a lapse of security and procedures, preventing the correct notification process from taking place, or the company opted not to reveal what had happened until security researcher Brian Krebs blew the whistle last Friday.
Data breaches, he adds, are nothing new in the IT industry, but how an organisation handles the aftermath of the breach, and then remediates the fallout, can often make a bad situation worse, especially where cardholders – who are customers of the merchants that are ultimately clients of Global Payments – may interpret the situation in a negative manner.
The bottom line here, Hudson explained, is that cybercriminals appear to have had several weeks to sell the stolen credit card credentials - and there are already anecdotal reports on Facebook and other sites of people whose accounts have been plundered, although tying these accounts specifically to merchants whose accounts are processed via Global is going to be tricky.
Our observations, he says, are that hackers have been targeting – and breaching – a number of high-value technology targets such as RSA, Comodo, DigiNotar and VeriSign for some time.
These targets, he adds, are all trusted third-party providers of certificates, services, or secure tokens – technologies that are extensively used to authenticate and create trusted relationships on the Internet and within organisations worldwide.
“The inescapable conclusion is that these providers will continue to be compromised. The breaches cannot be stopped. What matters now, however, is that the industry learns from its experiences and both recognises that breaches will occur and takes extra security steps to help prevent it happening again,” he said.
“Part of those steps will be to increase the range and effectiveness of the security to prevent a breach, as well as developing better procedures – especially in communications terms – to ensure that end user clients are kept informed of what has happened and that they do not lose confidence in the company and processes concerned,” he added.