The last few weeks have been very busy for hackers. On April 8, 2012, a group claiming affiliation with Anonymous says it hacked emails of the Tunisian prime minister. On March 30, 2012, hackers compromised about 25,000 social security numbers at the Utah Department of Health.
The biggest headlines were from the Global Payments data breach, where information about 1.5 million credit cards was stolen. The hackers got card numbers and Track 2 data, but not names, addresses or social security numbers. Fortunately the Card Verification Value (CVV2) or Card Verification Code (CVC2) is not encoded in the magnetic stripe where the Track 2 data is stored. This card security code (CSC) is the three- or four-digit value printed on the card or signature strip. When you conduct an online or phone transaction with your credit card, that's the code the merchants ask for; it is meant to show that you have the physical card.
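To make the point concrete, here is an added example (not from the original post) that parses a constructed Track 2 string into its fields, showing that the printed CSC is not among them, and then scans a few constructed log lines for full track data kept at rest, which card brand rules forbid after authorization. The field layout follows ISO/IEC 7813; the sample PAN is a well-known test number and the log lines are made up.

```python
import re
from typing import Optional

# ISO/IEC 7813 Track 2 layout: ';' PAN '=' YYMM service-code discretionary-data '?'
# The CSC printed on the card (CVV2/CVC2) is not one of these fields; the
# discretionary data may carry CVV1/CVC1, which is a different value.
TRACK2_RE = re.compile(r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?")

def luhn_valid(pan: str) -> bool:
    """Luhn checksum of a PAN; filters digit runs that merely look like track data."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def parse_track2(track: str) -> Optional[dict]:
    """Split one Track 2 string into its fields, or None if it is not valid track data."""
    m = TRACK2_RE.fullmatch(track)
    if m is None or not luhn_valid(m["pan"]):
        return None
    return {"pan": m["pan"], "expiry_yymm": m["exp"],
            "service_code": m["svc"], "discretionary": m["disc"]}

def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, the usual display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track2(lines) -> list:
    """Report (line_no, masked PAN) for each line holding a Luhn-valid Track 2 string.
    Full track data must never be stored after authorization, so every hit is a finding."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in TRACK2_RE.finditer(line):
            if luhn_valid(m["pan"]):
                hits.append((n, mask_pan(m["pan"])))
    return hits

# Constructed sample log: line 2 is a debug line that leaked a full stripe read.
SAMPLE_LOG = [
    "2012-03-30 10:01:02 INFO auth ok merchant=1234 amount=42.10",
    "2012-03-30 10:01:03 DEBUG raw_read=;4111111111111111=25121011234567890?",
    "2012-03-30 10:01:04 INFO auth ok merchant=1234 amount=17.00",
]

if __name__ == "__main__":
    for line_no, masked in find_track2(SAMPLE_LOG):
        print(f"line {line_no}: full Track 2 data at rest, PAN {masked}")
```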
With breaches like this one a lot of us worry about identity theft and thieves using our credit cards to ring up thousands of dollars of charges. It also makes you wonder about the security these companies use to store our information.
In the past few months I had three erroneous charges against different credit cards. The most recent one was a bit of a surprise, not because it happened but because of how I found out.
I get a lot of calls from 800 services that I assume are solicitations, but I answered this one. It was from WalMart, and they said they noticed a charge on my Discover card for a purchase made through my walmart.com account; I had forgotten I even had a walmart.com account. The woman on the phone said they noticed a large purchase and were checking with us because it was unusual. The last purchase I made on walmart.com was in 2010, and the amounts were always under $100. She gave me the transaction number, purchase amount and date. I checked with my family and no one had made any such purchase.
I immediately called Discover to notify them of the unauthorized charges. I mentioned this was the second time in as many months that there were unauthorized charges on the card and the woman on the phone suggested we cancel the card. I agreed. She closed the account, issued new cards and removed the unauthorized charges.
My family is very careful about our credit cards and we only use legitimate online merchants. Unfortunately, credit card fraud and identity theft are huge businesses and all of us are at potential risk. When I hear about another breach at a credit card processing company, I wonder how safe I am.
I have written about this in the past, but I still don’t understand why businesses entrusted with personal and financial information don’t encrypt this data inside their databases. Every modern database has this feature. It’s not hard to implement, but many don’t do it. If a business has to export the information out of the database for legitimate reasons, they need to encrypt it and restrict access. Applying a persistent security policy to documents with sensitive information can provide this protection.
The continued hacks of emails and documents, as in the case of the Utah Department of Health, illustrate that organizations must take stronger measures to protect sensitive information. There are continuing calls for the US government to consolidate the numerous state data breach laws and regulations into a federal data breach law. This may help eliminate some of the conflicting rules out there, but we should also understand that this is a national (actually international) problem. The EU has strict data privacy laws and is looking to strengthen them.
Everyone must take these issues seriously. Look at your own information and make sure you are encrypting anything that is confidential and sensitive.
Photo credit: muffet