Penetration cases show need for response plans

Jan 26, 2006

* Many examples of hacker penetrations in 2005

In my last column, I offered information security personnel cases of inadvertent data exposure to use in memoranda of justification for computer incident response plans. Here are some examples of deliberate penetrations that made the news in 2005.

In January, George Mason University reported that crackers stole personal information about 30,000 students, faculty and staff.

A credit-card company alerted the DSW Shoe Warehouse to unusual activity; investigation revealed a data theft over three months that netted the thieves 1.4 million credit card numbers and information about shopping habits for customers of over 100 stores.

In March and April, LexisNexis announced exposure of the personal data of first 32,000 and then 310,000 U.S. citizens in a series of 59 breaches in 2003 through 2005.

Polo Ralph Lauren’s customer database was hacked in April and the credit card information for at least 180,000 people was stolen.

Tufts University sent letters to 106,000 alumni alerting them to the possibility of a data security breach involving their data.

In May, a massive data theft was uncovered when police arrested nine people, including a collection agent who paid bank workers at Wachovia, Bank of America, and two other banks for financial records on about 700,000 customers.

In July, evidence surfaced that a credit-card broker called CardSystems Solutions of Tucson, Ariz., was keeping archival data about transactions in violation of its agreements with clients. Data about 40 million accounts were involved, of which 200,000 credit-card accounts may have been compromised. In June, plaintiffs launched a class-action lawsuit against CardSystems, Visa and MasterCard for failing to protect the data and for delaying notification of the victims.

In August, the U.S. Air Force personnel system was penetrated using a stolen user ID and password. More than 33,000 service personnel’s records were compromised.

Also in August, criminal hackers broke into University of Colorado systems for the third time in six weeks. They compromised personal data including Social Security numbers of 29,000 students, some alumni and 7,000 staff.

The University of Georgia revealed in September that criminal hackers compromised the Social Security numbers of 1,600 people through unauthorized access to a university database.

In December, Guidance Software of Pasadena, Calif., makers of the well-known EnCase digital forensic software, suffered a penetration by criminal hackers who compromised the financial and personal data of 3,800 customers, including law enforcement personnel and security professionals.

If your data were compromised by criminal hackers, how would you respond? Make sure your plans are in place – and tested – for:

* Locking down the affected systems at once.

* Notifying the appropriate law enforcement agencies (with whom you have already established good working relations).

* Capturing digital evidence safely to provide ironclad usability for forensic analysis and in court.

* Establishing a secure chain of custody for digital evidence.

* Identifying the vulnerabilities exploited by the attackers.

* Repairing the security holes to prevent new penetrations.

* Coordinating corporate response to ensure a professional, accurate and timely flow of information to stakeholders.