http://www.wired.com/2014/12/top-ten-card-breaches/
By Kim Zetter
Threat Level
Wired.com
12.02.14
The holiday buying season is upon us once again. Another event that has
arrived along with the buying season is the season of big box retailer
data breaches.
A year ago, the Target breach made national headlines, followed shortly
thereafter by a breach at Home Depot. Both breaches got a lot of
attention, primarily because the number of bank cards affected was so
high—more than 70 million debit and credit card numbers exposed in the
case of Target and 56 million exposed at Home Depot.
Luckily, very little fraudulent activity occurred on the stolen card
numbers, primarily because the breaches were caught fairly soon, making
them relatively minor incidents in the scheme of things, compared with
other breaches that have occurred over the years that resulted in losses
of millions of dollars. The Target breach was notable for one other
reason, however: when it came to security, the company did many things
right, such as encrypting its card data and installing a
multi-million-dollar state-of-the-art monitoring system not long before
the breach occurred. But although the system worked exactly as designed,
detecting and alerting workers when it appeared that sensitive data was
being exfiltrated from its network, workers failed to act on these alerts
to prevent data from being stolen.
Below, we look back on a decade of notable breaches, many of which
happened despite the establishment of Payment Card Industry security
standards that are supposed to protect cardholder data and lessen the
chance that it will be stolen or be useful to criminals even when it’s
nabbed.
The PCI security standard, which went into effect in 2005, is a list
of requirements — such as installing a firewall and anti-virus software,
changing vendor default passwords, encrypting data in transit (but only if
it crosses a public network) — that companies processing credit or debit
card payments are required by card companies to have in place. Companies
are required to obtain regular third-party security audits from an
approved assessor to certify ongoing compliance. But nearly every company
that fell victim to a card breach was certified as compliant with the PCI
security standard at the time of the breach, only to be found noncompliant
in a post-breach assessment.
[...]