Recent announcements are shining a more focused light on what companies are and are not doing to protect personally identifiable information (PII). Sadly, the degree of diligence applied is not as high as may be required.
After a dog day lull leading into Labor Day, it seems the announcement of data compromises exploded in the first week of September. The Home Depot data breach announced, immediately after the holiday, the hack of Apple’s iCloud exposing indecent photographs (reportedly, anyway…I didn’t look), and yesterday’s announcement of 5M Google credentials dumped online by a Russian source have splashed the headlines. It makes one wonder if it was the hackers or the reporters who took the last two weeks of August off. (Wait, be fair – anyone who follows Privacy Rights Clearinghouse will rightly note that a significant attack impacting J.P.Morgan Chase and other financial institutions hit the air Thursday before the holiday…look for a future post discussing it.)
We've been monitoring the Home Depot breach, as you know from last week's post. I notice a curious theme when looking at what has been documented for the Google and Home Depot credentials exposures, in particular. While details are still emerging at this point, Google and others are making the case that the Google credentials were actually obtained from other third party sources. In other words, it wasn’t that Google was breached, but that the user credentials came from breaches of other companies. So far, the only attributes that have been documented in the press as published by the hacker(s) is Gmail address (which doubles for Google account names) and password. One would have to believe that additional elements, such as user name and other PII could have been skimmed as well. With the common practice many companies employ of using email address as the primary ID for access to their online systems and many users’ habit of reusing passwords, this seems to be a genuine risk, of potential identify theft or even direct financial loss, to the owners of any of the email addresses compromised.
[BTW – does anyone else notice that 5M is an oddly large and round number? It seems odd the hackers would reach that number and stop, at least to me, and makes me wonder just how many more credentials they may have, if there may be stolen credentials more current than the “three years old” profile Google and others are placing on the leaked set, and why those more current credentials haven’t been exposed, too? As a cynical old marketing guy, this smells like a splashy promotional event – giving away some of the lesser goods for free – that an organized group might use to increase the interest and value of the stolen credentials of more current vintage.]
Even more concerning is a spike in PIN debit card fraud relating to the Home Depot compromise being reported by Brian Krebs and others. While Home Depot assures the public no personal identification number (PIN) data was compromised (as one would hope from a PCI DSS-compliant retail chain), Krebs reports that multiple financial institutions report an increase in fraudulent ATM cash withdrawals since the breach began. It appears that the bad guys are purchasing the breached card details from online black markets and creating physical counterfeit cards. They then use the information about the store from which the stolen details came and the cardholder’s full name, both included with the black market purchase, to change the PIN for the card. This is done via the voice response units (VRU) the financial institutions provide for the convenience of their customers. The criminals do this by correctly answering some small number of PII-related questions, such as cardholder’s date of birth or the last four digits of their Social Security number. Sadly, these latter details are also for sale via online black markets.
What this leads to is the unavoidable conclusion that PII, unregulated for the retail market, is not being protected with the same degree of care applied to PCI-regulated payment card data. This sets the stage for the unfortunate situation seen with the Home Depot breach and the conclusion that PII is not being sufficiently protected.
So, how should companies protect PII? For the benefit of their customers and for the integrity of the greater electronic payments and data exchange networks, they should protect PII with the same degree of care that they protect regulated sensitive data, applying PCI key management solutions, data encryption, tokenization, and cryptographic data integrity checks.
Interesting in more on this topic? Receive a copy of Walt Conway's insightful paper "Use PCI to Protect All Sensitive Data" by clicking on the image below.