Largest PCI breach ever (so far)
January 22, 2009
This may not be news to everyone, as this was conveniently dropped on inauguration day, when pretty much all news outlets (online, MSM, others) were following that, but it seems we may have a new title holder for possibly the largest breach of payment data thus far.
http://voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html
The fact that there’s been another breach isn’t all that surprising – we know that security is difficult, the current PCI standard (as much as it’s needed and does at least something) is ineffective at preventing these, and there will always be attacks when such data is at stake. The interesting thing here is that malicious code was living inside the payment processor’s network for three months by some accounts.
That might sound like a long time, but it’s not really – here’s a graph that I produced for a client (all identifying features removed of course, so no "times/dates", but trust me when I say each tick is a good number of days) showing the propagation of malicious code until they spotted the incident and we helped clear it up (and this graph really shows that one attack/code can easily bring in others).
The larger issue is what data was able to get out, and how. Many companies forget to do egress filtering and monitoring, so not only can this question never be answered, but sometimes they only know they are being attacked when something horrendous happens.
The lesson learnt here, I think, is that no system is completely impervious to attack – just because you have been reviewed (either for PCI or by an external firm), it’s irresponsible to let your guard down on anything. Egress filtering/logging/monitoring is a must – there’s no data breach if the data can’t get out of the network. Finally, data classification/segregation is really useful, as this breach could have been a lot worse (and it still might be – we’re only going on what data the processor said was likely accessed).
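To make the egress and segregation points concrete, here is an added example (my own illustration, not code from the post or the processor involved) that runs a simple egress policy over constructed flow-log lines: the cardholder-data segment, the allowed destinations and the log format are all assumptions for the example. It flags flows leaving the segment that hit a destination/port not on the allowlist, and sources whose outbound volume is high enough to deserve a look.

```python
# Added example: egress-policy check over constructed flow logs.
# Segment, allowlist and log format are assumptions, not from the post.
import ipaddress
from collections import defaultdict

CDE_NET = ipaddress.ip_network("10.10.0.0/24")  # hypothetical cardholder-data segment
# Where the CDE is allowed to talk on the way out: (network, destination port)
EGRESS_ALLOW = [
    (ipaddress.ip_network("203.0.113.0/24"), 443),  # processor/acquirer API (constructed)
    (ipaddress.ip_network("10.10.1.0/24"), 514),    # internal syslog collector (constructed)
]
BYTES_THRESHOLD = 5_000_000  # outbound bytes per source that warrant investigation

def is_allowed(dst, port):
    return any(dst in net and port == p for net, p in EGRESS_ALLOW)

def parse_flow(line):
    # Constructed format: "<ts> <src_ip> <dst_ip> <dst_port> <bytes>"
    ts, src, dst, port, nbytes = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), int(nbytes)

def check_egress(lines):
    """Return (policy_violations, high_volume_sources) for flows leaving the CDE."""
    violations = []
    volume = defaultdict(int)
    for line in lines:
        ts, src, dst, port, nbytes = parse_flow(line)
        if src not in CDE_NET or dst in CDE_NET:
            continue  # only traffic leaving the segment counts as egress
        volume[str(src)] += nbytes
        if not is_allowed(dst, port):
            violations.append((ts, str(src), str(dst), port))
    heavy = sorted(s for s, b in volume.items() if b > BYTES_THRESHOLD)
    return violations, heavy

# Constructed sample flows: a normal processor call, a syslog line,
# two flows to an unknown host on an unexpected port, and one intra-CDE flow.
SAMPLE_FLOWS = [
    "t1 10.10.0.5 203.0.113.10 443 1200",
    "t2 10.10.0.5 10.10.1.7 514 300",
    "t3 10.10.0.9 198.51.100.23 53 640000",
    "t4 10.10.0.9 198.51.100.23 53 6000000",
    "t5 10.10.0.5 10.10.0.6 445 90000",
]

if __name__ == "__main__":
    found, heavy = check_egress(SAMPLE_FLOWS)
    for item in found:
        print("egress policy violation:", item)
    print("high outbound volume from:", heavy)
```

In practice the allowlist would be generated from the documented data flows, and the volume threshold tuned per source rather than fixed.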
