Monday, 30 July 2007

Incident Disclosure is really a No Win Situation

Recently a UK City Council announced a data breach involving tens of thousands of credit cards. I’m not going to name them, as I don’t really want to be associated with defending them.

The facts of the security incident and how it was discovered are very different from the press headlines, which basically laid into the Council for having bad security and not being security responsible, putting thousands of its users at high risk of credit card fraud by putting these details insecurely online. However, after reading through the press releases and a bit deeper into some of the news reports, a slightly more responsible picture emerged.

The Council had hired an external Security Expert – no, not me ;) – to check and test the security of their systems. This expert found that a data file had accidentally been uploaded to a public website by a member of staff. The file held credit card transaction details for thousands of council tax payments and parking fines; however, the credit card data was encrypted and the file didn’t include PIN numbers or CV2 numbers, so it would be pretty difficult to use it for credit card fraud. I understand the names and addresses were in clear text, but I haven’t been able to confirm this as yet. It appears the file was downloaded on one occasion from the public website.

Well, I think the Council’s “heart” must have been in the right place to hire an external security expert in the first place. The fact that the credit card data was encrypted and that they didn’t have PIN/CV2 numbers within the file bodes well, and after all they publicly disclosed the incident within a week of finding out. They said they would have disclosed it earlier but it would have compromised the incident investigation; sure, that could be just PR spin, but we’ll give them the benefit of the doubt, as I’m sure a lot of other organisations might have just swept this type of incident under the carpet. I just think the very negative press attack, and the blatant avoidance of the actual facts within news reports in order to sensationalise the story and panic the populace, isn’t exactly going to encourage other organisations to voluntarily disclose similar incidents in future. That is what I would like to see, as I would like to bring into the open the scale of the general bad security going on within business. Punishing organisations that appear to be trying their best isn’t going to help matters; if anything, it could even put companies off hiring security experts to test their system security!

Again, what was the cause of this incident? You guessed it: a human (on the inside) making a mistake (humans tend to do that). So another example to be chalked up within my security awareness training presentations.

Before anyone comments on my defensive approach to this data breach, please don’t, as you will be missing my point. I totally agree that any data breach is a serious and generally bad thing, especially when it involves public data or credit card data, and it’s totally right that these incidents are aired within the public arena.


Rob said...

I'm wondering what the motivation was for the council to go public with this:

"We very much regret that this situation has developed, although we would stress that there has been no indication of any fraud or loss, and that we spotted this situation through the thoroughness of our own security and checking systems," said Xxxxxxxxx council chief executive Ian Stratford.

UK companies are not obliged to reveal such security breaches."

(The x's are mine to preserve your integrity.)

Do they perhaps think they will get publicity like TJX and ChoicePoint? What do they think this will achieve?

Cos I'm buggered if I'm going on holiday to Newcastle.

(Oops, sorry.)

The Trusted Toolkit said...

Interesting insight that makes sense.

I have not had the time to read the details regarding this breach, so I base my response on what you write only.

#1 - "credit card data was encrypted and the file didn’t include pin numbers and CV2 numbers". If the only data that was "reasonably" exposed was names and addresses, then this ALMOST qualifies as a non-incident in my opinion. You can get names and addresses from phone books or other means. If I were a bad guy, I wouldn't even waste my time.

#2 - "So another example to be chalked up within my security awareness training presentations" I am not personally aware of your security training and awareness presentations, but I can state with some certainty that you CANNOT overestimate the importance of adequate security training and awareness. Computers are not vulnerable, people are. Whether a developer, user, administrator, Mom, Dad, etc. A computer only does what a developer wrote and what a user tells it to do.

Good work!

Dave Whitelegg CISSP said...

Great comments. It did cross my mind that this story might have been a security publicity stunt which went wrong, but the cynical side of me (that's 95%) suspects either a potential whistleblower or a third party security consultancy advising disclosure for their own publicity's sake. But then again Councils are very “Politically Correct” these days, so perhaps a PC culture was responsible for pushing it into the public domain.

On User Security Awareness, I totally agree with the comments; for me it's the biggest battlefield of all to win. That reminds me, I should get around to doing another Podcast for the average Joe home user.