CardSystems NOT Just Another Data Breach
17 Aug, 2005

Coming on the heels of similar announcements from Bank of America, Citibank, and Time Warner, the disclosure that CardSystems' database of credit card data had been breached seemed like just another in a string of such announcements. On June 17, CardSystems admitted that confidential information on millions of American Express, Visa, and MasterCard customers had been illegally extracted from its data center in Arizona.

The CardSystems loss, however, was fundamentally different in nature from the earlier announcements, and it portends a new and dangerous phase in the evolution of cybercrime. Unlike the other disclosures mandated by California SB 1386, the CardSystems breach was not the result of a lost laptop or a misplaced backup tape. CardSystems was victimized by a virus-like script that had infected its network almost eight months earlier and sat nearly dormant until May of this year. I say "nearly" because the script ran a data collection process every four days between September of last year and May 22, 2005, and at no time during that active phase was it detected by CardSystems. When the script ran on May 22, it also exported the data it had collected to a server controlled by the perpetrator. If this strategy sounds familiar, it's because it is exactly the approach terrorist organizations use when they insert "sleeper" agents into a target region for months or years until ordered to mount an attack.

The breach has had a material impact on CardSystems' business: both Visa and American Express have decided to terminate their relationships with the company. CEO John Perry admitted before a Congressional hearing last month that CardSystems may be forced to close its doors in the wake of this incident.
Make no mistake, the CardSystems breach will be remembered as the day that worms, viruses, and other malware stopped being a simple productivity issue and became a fundamental threat to business viability. The incident has also proved unequivocally that protecting the devices on which confidential information is stored is only the first step in a comprehensive data protection strategy. The data itself must also be protected, so that a compromise of the network or the host does not hand the attacker usable records. All reports indicate that CardSystems had implemented industry best practices in its firewall and anti-virus deployments. It still wasn't enough. The company's decisive mistake was storing cardholder data in readable form, in violation of both Visa's and MasterCard's security standards; a script that can read the database can read the card numbers. Given the events of the last two months, it's little wonder that recent surveys of enterprise IT managers indicate that 75% plan to deploy current-generation encryption solutions to prevent similar attacks from succeeding in the future.

Perhaps the most alarming outcome of the CardSystems breach is that the perpetrators have proven that such attacks are possible and can yield immense amounts of valuable data when they succeed. Hackers and cyber-criminals will have taken as much note of this event as Congress and law enforcement agencies. Although CardSystems is the first publicly known victim of this type of attack, it is unlikely to be the last.

- Phil
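As an added illustration of the point above (example code, not CardSystems' or this post's own): a transaction store that keeps the card number readable beside one that keeps only a masked form, a keyed token for matching repeat cards, and a sealed copy under a key that is held off the database host. The cipher is a stdlib-only HMAC-SHA256 counter-mode construction with encrypt-then-MAC, chosen so the file runs without third-party packages; in a real deployment you would use an AEAD such as AES-GCM and a key-management service. The master key, record layout, function names and sample card numbers are all constructed for the example.

```python
"""Added example, not CardSystems' code: a row that an exfiltration script can use
versus one it cannot.  Keys and sample card numbers are constructed."""
import hashlib
import hmac
import json
import os
import struct

# Constructed 32-byte master key.  In practice it lives in an HSM or KMS, never on
# the database host or in the table next to the ciphertext.
MASTER_KEY = bytes.fromhex(
    "9f3e0c2b7a6d5e4f1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d5e6f7081"
)


def _subkey(master: bytes, label: bytes) -> bytes:
    """Derive an independent key per purpose so token, cipher and MAC keys differ."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: PRF(nonce || counter) blocks, truncated to length."""
    blocks = [
        hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        for counter in range((length + 31) // 32)
    ]
    return b"".join(blocks)[:length]


def seal(master: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC.  Output layout: nonce(16) || ciphertext || tag(32)."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(master, b"pan-cipher"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(master, b"pan-mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(master: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time before decrypting anything."""
    if len(blob) < 48:
        raise ValueError("sealed blob too short")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(master, b"pan-mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: blob tampered or wrong key")
    stream = _keystream(_subkey(master, b"pan-cipher"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def luhn_valid(pan: str) -> bool:
    """Reject malformed card numbers before they enter the store."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def pan_token(master: bytes, pan: str) -> str:
    """Keyed token for matching repeat cards; useless to anyone without the key."""
    return hmac.new(_subkey(master, b"pan-token"), pan.encode(), hashlib.sha256).hexdigest()


def store_transaction_cleartext(pan: str, amount_cents: int) -> dict:
    """The CardSystems pattern: the full PAN sits in the row, readable by any reader."""
    return {"pan": pan, "amount_cents": amount_cents}


def store_transaction(master: bytes, pan: str, amount_cents: int) -> dict:
    """Row that keeps only what the business needs in the clear."""
    if not luhn_valid(pan):
        raise ValueError("invalid PAN")
    return {
        "pan_token": pan_token(master, pan),
        "pan_last4": pan[-4:],
        "amount_cents": amount_cents,
        "pan_sealed": seal(master, pan.encode()).hex(),
    }


def recover_pan(master: bytes, record: dict) -> str:
    """Only a holder of the master key, i.e. not the database host, can do this."""
    return unseal(master, bytes.fromhex(record["pan_sealed"])).decode()


def leaks_pan(records: list, pans: list) -> bool:
    """What an exfiltration script sees: does a dump of the rows contain a usable PAN?"""
    dump = json.dumps(records)
    return any(pan in dump for pan in pans)


if __name__ == "__main__":
    pans = ["4111111111111111", "5555555555554444"]  # constructed: standard test numbers
    clear = [store_transaction_cleartext(p, 1999) for p in pans]
    sealed = [store_transaction(MASTER_KEY, p, 1999) for p in pans]
    print("cleartext dump leaks PANs:", leaks_pan(clear, pans))
    print("sealed dump leaks PANs:   ", leaks_pan(sealed, pans))
    print("key holder recovers:", recover_pan(MASTER_KEY, sealed[0]))
```

Run it and the cleartext dump contains both card numbers while the sealed dump contains none; only a caller holding MASTER_KEY recovers a PAN, and a flipped byte in the sealed blob fails the tag check before any decryption happens. That is the property the post is arguing for: a script that copies the table walks away with tokens, last-four digits and ciphertext, not card numbers.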
Related Links

Mark Rasch, "The CardSystems Blame Game," SecurityFocus, August 1, 2005
Kim Zetter, "CardSystems' Data Left Unsecured," Wired News, June 22, 2005
Jon Oltsik, "The truth about database security," CNET News.com, August 16, 2005