Forgot your password?
typodupeerror
Government Security Your Rights Online

Data Breach Could Test Massachusetts Law 73

Posted by CmdrTaco
from the keeping-the-secrets dept.
Gunkerty Jeb writes "The Massachusetts Attorney General has been notified that financial data on 1,800 residents was exposed in a database breach linked to the CitySights NY sightseeing firm. Could this be the test case for enforcement of the State's nine month-old data privacy law? The leak of financial information on more than 100,000 customers of the CitySights sightseeing tour company could prove to be an early test of the nation's strongest data privacy law."
This discussion has been archived. No new comments can be posted.

Data Breach Could Test Massachusetts Law

Comments Filter:
  • This one has me torn... On one hand I would like to see companies held accountable for the damage that a breach can cause to an end consumer... the other side of me knows that you can only deter so much, if someone really wants in, they will gain access one way or another...
    • They are not necessarily in trouble for being breached. It appears the breach highlighted the fact that they were not compliant with the law. The customer records should have been encrypted and the extent of data retained seems excessive.

      Though, we don't know whether they are in violation of the law.

      • yet. As the investigators are refusing comment.

      • by cappp (1822388)
        TFA claims all files need to be encrypted but the law doesn't. I pasted the text a couple of replies down..there's nothing in there about encrypting records if they're not on portable media, being broadcast wirelessly, or travelling across public networks.
        • by Ritchie70 (860516)

          Yes, this has been a major point at work - we're a retailer with locations in Mass, and many of our in-store systems date from the 1980's, so there's no encryption. The law says encryption is required when the data is in transit, including being on portable devices, not when it's sitting in a database.

        • Even if the law did I would hope it would specify the levels/types of encryption acceptable if only to avoid "Yes your honor, we were completely compliant with the law. All of our customer data was encrypted in ROT26 format".
      • by icebike (68054)

        Why should a sightseeing company have anything more than a credit card on file?

        • Why should a sightseeing company have anything more than a credit card on file?

          Maybe they should make a law against that!

        • by hey! (33014)

          Because they *can*. As far back as the landmark 1972 HEW report on Computers Records and the Rights of Citizens, the dangerous tendency to automatically file everything in computerized record keeping systems was obvious. The marginal cost of storing a record was lower than it had ever been before. Why not file everything you can get your hands on? You might find a use for it later. Well, it turns out there's all kinds of really bad things that can happen, especially if that information gives access to so

          • by icebike (68054)

            Of course that gave those same operators the ability to pull up any customer's credit card information just by typing their name. A

            What happened since then is that standards of financial responsibility have fallen dramatically in the rush to make a quick buck in ecommerce.

            Actually the opposite has happened.

            Storing credit card numbers in your database has so many Visa/Mastercard requirements and restrictions these days that many companies simply choose not to do it at all, and ask for a cc each time you need to purchase.

            Unless your software encrypts the data, forget it. Some small businesses lie and do it anyway, but its very foolish and dangerous.

    • I'm not. (Score:3, Insightful)

      by Anonymous Coward

      . the other side of me knows that you can only deter so much, if someone really wants in, they will gain access one way or another...

      Tough shit. If a company is going to store that information, then they need to protect it. There's absolutely no reason what so ever for a sightseeing company to store credit card information. None. Customer comes back next year, well get the card number again - the card could be expired anyway.

      And companies who keep it on file for things like automatic renewals at magazines - fucking Scientific American does this whether you like it or not when you subscribe online - then they must protect that data. Someo

  • by PatPending (953482) on Tuesday December 21, 2010 @07:28PM (#34635714)

    Related story: Sightseeing Firm Overlooks Security, 110k Credit Card Numbers Stolen [threatpost.com] (emphasis added)

    The database contained a variety of customer financial data, including the customer's name, address, e-mail address, credit card number, as well as the expiration date and card verification value (CVV2) data. If true, that would mean that Twin America was in violation of Payment Card Industry (PCI) regulations on data retention, which prohibit retailers from permanently storing the CVV2 data along with other card data, because it makes it far easier to generate fraudulent transactions when combined with the card data.

    Twin America said it has filed a complaint with the FBI's Internet Crime Complaint Center and hired Kroll, Inc. to investigate the incident. It has also notified individuals affected by the breach and patch discovered vulnerabilities on its Web server, deployed an application layer firewall, limited access to its Web based administrative panel and changed and hardened administrative passwords throughout its organization.

    • by Anonymous Coward

      If true, that would mean that Twin America was in violation of Payment Card Industry (PCI) regulations on data retention

      PCI compliance is not law. Industry standards are not enforceable.

      • by PatPending (953482) on Tuesday December 21, 2010 @07:52PM (#34635912)

        Not law but:

        Penalties for Non-compliance

        25. Are there fines associated with non-compliance of the PCI Data Security Standards?

        Yes. Visa, MasterCard, and Discover Network may impose fines on their member banking institutions when merchants do not comply with PCI Data Security Standards. You are contractually obligated to indemnify and reimburse us, as your acquirer, for such fines. Please note such fines could be significant.

        26. Are there fines if cardholder data is compromised?

        Yes. If cardholder data that you are responsible for is compromised, you may be subject to the following liabilities and fines associated with non-compliance:

        • Potential fines of up to $500,000 (in the discretion of Visa, MasterCard, Discover Network or other card companies).
        • All fraud losses incurred from the use of the compromised account numbers from the date of compromise forward.
        • Cost of re-issuing cards associated with the compromise.
        • Cost of any additional fraud prevention/detection activities required by the card associations (i.e. a forensic audit) or costs incurred by credit card issuers associated with the compromise (i.e. additional monitoring of system for fraudulent activity).

        Source: https://www.wellsfargo.com/biz/help/merchant/faqs/pci#Q25 [wellsfargo.com]

        • by icebike (68054)

          Ok, So that was the Attorney General of Visa that the story mentions?

        • All fraud losses incurred from the use of the compromised account numbers from the date of compromise forward.

          I wonder what "losses" covers exactly. Retailers are generally the only ones that lose out in credit card fraud and I doubt this money is going to them.

          • It's my understanding that once a merchant receives an authorization number for a given transaction, the issuing credit card company is out the money, not the merchant, in this case (i.e., stolen information).
            • Nope, I've worked for several online retailers. The credit card issues a chargeback stating the transaction was fraudulent. Retailers are on the hook to verify their transactions are legal.

              Credit Card Companies have a very sweet deal.
              • An authorization number is just that -- the issuer of the credit card has hereby authorized the transaction.

                If the issuer knew the credit card was invalid (for whatever reason(s)), it would never have issued the authorization number in the first place.

                Furthermore, an authorization number is not retroactive.

                So we must agree to disagree.

                • by Kakari (1818872)
                  Oh how I wish your view prevailed, but the fact is that while the card was valid at the time the purchase was fraudulent and the purchaser effectively stole from the merchant. The payment processor (who bundles transactions up to Visa/MC/Amex/etc. networks) will pull the payment from the merchant's account without notice (see http://www.natwest.com/global/legal/business/worldpay.ashx [natwest.com] under section 8. Chargebacks and specifically 8.5)

                  8. CHARGEBACKS 1. 8.1 In certain circumstances, Card Issuers, Card Schemes and/or Other Financial Institutions refuse to Settle a Transaction or require repayment from Us in respect of a Transaction previously Settled and/or Remitted, notwithstanding that Authorisation may have been obtained from the Card Issuer and/or Other Financial Institution (such circumstances being a " Chargeback").

                  and

                  # 8.5 Where a Chargeback occurs, We shall immediately be entitled to debit Your Merchant Bank Account and/or make a deduction from any Remittance in accordance with clause 7.3.1 and/or invoice You in accordance with clause 7.3.2 to recover: 1. 8.5.1 the full amount of the relevant Chargeback; and 2. 8.5.2 any other costs, expenses, liabilities or Fines which We may incur as a result of or in connection with such Chargeback (" Chargeback Costs"). # 8.6 A Chargeback represents an immediate liability from You to Us and where the full amount of any Chargeback and/or any Chargeback Costs is not debited by Us from Your Merchant Bank Account or deducted from any Remittance or invoiced as referred to in clause 8.5, then We shall be entitled to otherwise recover from You by any means the full amount of such Chargeback and Chargeback Costs (or the balance thereof, as the case may be). # 8.7 We shall not be obliged to investigate the validity of any Chargeback by any Card Issuer, Card Scheme or Other Financial Institution, whose decision shall be final and binding in respect of any Chargeback.

                  It sucks and merchants get the shaft and as locallyunscene said, "Credi

    • Re: (Score:1, Interesting)

      if amazon.com doesn't store card data, then how am i allowed to make purchases using existing saved card data?
      • by PatPending (953482) on Tuesday December 21, 2010 @07:55PM (#34635932)
        The credit card merchant services provides a hash value that is subsequently used. You may store the expiration date and last four digits.
        • Re: (Score:2, Insightful)

          so the credit card merchant services provider is then storing the full card information? someone MUST be. if the hash is interchangeable with the card number, then the hash IS the card number for all intents and purposes.
          • so the credit card merchant services provider is then storing the full card information? someone MUST be. if the hash is interchangeable with the card number, then the hash IS the card number for all intents and purposes.

            It's not interchangeable. It is limited to this vendor.

          • Didn't you hear? All security problems can be solved with hash functions.
      • if amazon.com doesn't store card data, then how am i allowed to make purchases using existing saved card data?

        They store data that is useless to others. They don't need to store the card's data, only data about their first transaction with you.

      • Re: (Score:2, Informative)

        by Anonymous Coward

        You can store card data, but not the CVV2 info. There are requirements about how that data is stored, but CVV2 cannot be stored. Ever. Even encrypted. That's the point. And you don't have to have the CVV2 to process transactions, it just helps prove it isn't a fraudulent transaction. This is to help make the physical card (or whoever holds it) the only source of this information. That's the theory anyway. It rarely works that way in practice, of course.

  • by cappp (1822388) on Tuesday December 21, 2010 @07:29PM (#34635730)
    I'm not so sure it's a test of the law at all. At least there's no way to know without more details about how the breach occured. The law can be found here [mass.gov] (pdf). TFA states the breach occured because of an SQL injection - but nothing beyond that.

    In the interests of stimulating a little chatter, the law calls for

    (1) Secure user authentication protocols including:
    (a) control of user IDs and other identifiers;
    (b) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
    (c) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect; (d) restricting access to active users and active user accounts only; and
    (e) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;
    (2) Secure access control measures that:

    (a) restrict access to records and files containing personal information to those who need such information to perform their job duties; and
    (b) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;

    (3)Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.

    (4) Reasonable monitoring of systems, for unauthorized use of or access to personal information;

    (5) Encryption of all personal information stored on laptops or other portable devices;

    (6) For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.

    (7) Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.

    (8) Education and training of employees on the proper use of the computer security system and the importance of personal information security.

    • by JSG (82708)

      So, 4,6,7 and 8 would seem to apply. That should give the lawyers plenty to play with.

      • by cappp (1822388)
        Note the use of the qualifier "reasonable"...the get out clause in every law ever written.
      • by mssymrvn (15684)

        The other big can of worms is the application of MA commonwealth law to a business *in another state*. MA likes to write laws like this all the time. But the reality is that MA has no jurisdiction outside of its borders. Or shouldn't - though we'll see how stupid the courts are on this one if it comes to trial.

    • Re: (Score:2, Interesting)

      by Anonymous Coward
      I work for a MA company that deals with personal data for several fortune 100 companies. (posting AC for obvious reasons)
      The Law is a joke. The rules are so vague that no matter what precautions are taken you could be found in violation. Who defines "reasonable?" What is adequate "encryption?"

      This law is just another example of rushed "Think of the children" (for children read anyone) laws that get passed these days.
  • by JSG (82708) on Tuesday December 21, 2010 @07:36PM (#34635794) Homepage

    The linked article mentions only that the law requires that data be held encrypted. That is not much use in this case where a SQL attack was used.

    Does anyone know whether the law requires a certain standard for the front ends to the data. I'm pretty sure that PCI DSS - as another applicable standard - defines no such thing either.

    • by VTI9600 (1143169)

      Protecting against SQL injection attacks is much easier than making sure that all storage devices and network connections are encrypted. To use the Hitchhikers' Guide to the Galaxy analogy, encryption is like a towel. If your data is encrypted then people (sometimes rightfully) assume you've already got everything else you need to protect your customer's data from the crackers of the universe. These guys, however, clearly had none of the above.

  • by Evets (629327) * on Tuesday December 21, 2010 @07:39PM (#34635824) Homepage Journal

    What is the penalty for violating the law?

    • by Evets (629327) *

      To answer my own question

      It contains no specific penalties for non-compliance with the law, but could open the door to lawsuits or legal actions by the state’s attorney general.
      Source [networkworld.com]

      I don't think you can call a law "tough" when there are no penalties.

    • by inerlogic (695302)
      a lifetime senate seat....

      oh wait, that's just for murders...
  • How is a business supposed to comply with something like this? Are you supposed to follow the laws published in every corner of the country? [quote]Among other things, 201 CMR 17.00 requires organizations that store personal information on Massachusetts' residents to encrypt personal information at rest - in databases, servers, laptops, desktops, mobile devices. Data transmitted over wired or wireless networks also must be encrypted[/quote] I'm not exactly sure what qualifies as "personal information" but I

I am the wandering glitch -- catch me if you can.

Working...