Data Breach Could Test Massachusetts Law

Gunkerty Jeb writes "The Massachusetts Attorney General has been notified that financial data on 1,800 residents was exposed in a database breach linked to the CitySights NY sightseeing firm. Could this be the test case for enforcement of the State's nine month-old data privacy law? The leak of financial information on more than 100,000 customers of the CitySights sightseeing tour company could prove to be an early test of the nation's strongest data privacy law."

Internal Termoil.

[tc3driver]

This one has me torn... On one hand I would like to see companies held accountable for the damage that a breach can cause to an end consumer... the other side of me knows that you can only deter so much, if someone really wants in, they will gain access one way or another...

Re:

[psithurism]

They are not necessarily in trouble for being breached. It appears the breach highlighted the fact that they were not compliant with the law. The customer records should have been encrypted and the extent of data retained seems excessive.

Though, we don't know whether they are in violation of the law.

yet.

[psithurism]

yet. As the investigators are refusing comment.

Re:

[cappp]

TFA claims all files need to be encrypted but the law doesn't. I pasted the text a couple of replies down..there's nothing in there about encrypting records if they're not on portable media, being broadcast wirelessly, or travelling across public networks.

Re:

[Ritchie70]

Yes, this has been a major point at work - we're a retailer with locations in Mass, and many of our in-store systems date from the 1980's, so there's no encryption. The law says encryption is required when the data is in transit, including being on portable devices, not when it's sitting in a database.

Re:

[AltairDusk]

Even if the law did I would hope it would specify the levels/types of encryption acceptable if only to avoid "Yes your honor, we were completely compliant with the law. All of our customer data was encrypted in ROT26 format".

Re:

[icebike]

Why should a sightseeing company have anything more than a credit card on file?

Re:

[icebike]

Certainly nothing more than you need to book a flight which does not include any financial data.

You are making this up. What was stolen was simply credit card numbers.

Re:

[psithurism]

Why should a sightseeing company have anything more than a credit card on file?

Maybe they should make a law against that!

Re:

[hey!]

Because they *can*. As far back as the landmark 1972 HEW report on Computers Records and the Rights of Citizens, the dangerous tendency to automatically file everything in computerized record keeping systems was obvious. The marginal cost of storing a record was lower than it had ever been before. Why not file everything you can get your hands on? You might find a use for it later. Well, it turns out there's all kinds of really bad things that can happen, especially if that information gives access to so

Re:

[icebike]

Of course that gave those same operators the ability to pull up any customer's credit card information just by typing their name. A

What happened since then is that standards of financial responsibility have fallen dramatically in the rush to make a quick buck in ecommerce.

Actually the opposite has happened.

Storing credit card numbers in your database has so many Visa/Mastercard requirements and restrictions these days that many companies simply choose not to do it at all, and ask for a cc each time you need to purchase.

Unless your software encrypts the data, forget it. Some small businesses lie and do it anyway, but its very foolish and dangerous.

I'm not.

[Anonymous Coward]

. the other side of me knows that you can only deter so much, if someone really wants in, they will gain access one way or another...

Tough shit. If a company is going to store that information, then they need to protect it. There's absolutely no reason what so ever for a sightseeing company to store credit card information. None. Customer comes back next year, well get the card number again - the card could be expired anyway.

And companies who keep it on file for things like automatic renewals at magazines - fucking Scientific American does this whether you like it or not when you subscribe online - then they must protect that data. Someo

Re:

[TaoPhoenix]

AC is right, yet he's modded flamebait.

Violation of Payment Card Industry regulations?

[PatPending]

Related story: Sightseeing Firm Overlooks Security, 110k Credit Card Numbers Stolen [threatpost.com] (emphasis added)

The database contained a variety of customer financial data, including the customer's name, address, e-mail address, credit card number, as well as the expiration date and card verification value (CVV2) data. If true, that would mean that Twin America was in violation of Payment Card Industry (PCI) regulations on data retention, which prohibit retailers from permanently storing the CVV2 data along with other card data, because it makes it far easier to generate fraudulent transactions when combined with the card data.

Twin America said it has filed a complaint with the FBI's Internet Crime Complaint Center and hired Kroll, Inc. to investigate the incident. It has also notified individuals affected by the breach and patch discovered vulnerabilities on its Web server, deployed an application layer firewall, limited access to its Web based administrative panel and changed and hardened administrative passwords throughout its organization.

Re:

[Anonymous Coward]

If true, that would mean that Twin America was in violation of Payment Card Industry (PCI) regulations on data retention

PCI compliance is not law. Industry standards are not enforceable.

Re:Violation of Payment Card Industry regulations?

[PatPending]

Not law but:

Penalties for Non-compliance

25. Are there fines associated with non-compliance of the PCI Data Security Standards?

Yes. Visa, MasterCard, and Discover Network may impose fines on their member banking institutions when merchants do not comply with PCI Data Security Standards. You are contractually obligated to indemnify and reimburse us, as your acquirer, for such fines. Please note such fines could be significant.

26. Are there fines if cardholder data is compromised?

Yes. If cardholder data that you are responsible for is compromised, you may be subject to the following liabilities and fines associated with non-compliance:

• Potential fines of up to $500,000 (in the discretion of Visa, MasterCard, Discover Network or other card companies).
• All fraud losses incurred from the use of the compromised account numbers from the date of compromise forward.
• Cost of re-issuing cards associated with the compromise.
• Cost of any additional fraud prevention/detection activities required by the card associations (i.e. a forensic audit) or costs incurred by credit card issuers associated with the compromise (i.e. additional monitoring of system for fraudulent activity).

Source: https://www.wellsfargo.com/biz/help/merchant/faqs/pci#Q25 [wellsfargo.com]

Re:

[icebike]

Ok, So that was the Attorney General of Visa that the story mentions?

Re:

[locallyunscene]

All fraud losses incurred from the use of the compromised account numbers from the date of compromise forward.

I wonder what "losses" covers exactly. Retailers are generally the only ones that lose out in credit card fraud and I doubt this money is going to them.

Re:

[PatPending]

It's my understanding that once a merchant receives an authorization number for a given transaction, the issuing credit card company is out the money, not the merchant, in this case (i.e., stolen information).

Re:

[locallyunscene]

Nope, I've worked for several online retailers. The credit card issues a chargeback stating the transaction was fraudulent. Retailers are on the hook to verify their transactions are legal.

Credit Card Companies have a very sweet deal.

Re:

[PatPending]

An authorization number is just that -- the issuer of the credit card has hereby authorized the transaction.

If the issuer knew the credit card was invalid (for whatever reason(s)), it would never have issued the authorization number in the first place.

Furthermore, an authorization number is not retroactive.

So we must agree to disagree.

Re:

[Kakari]

Oh how I wish your view prevailed, but the fact is that while the card was valid at the time the purchase was fraudulent and the purchaser effectively stole from the merchant. The payment processor (who bundles transactions up to Visa/MC/Amex/etc. networks) will pull the payment from the merchant's account without notice (see http://www.natwest.com/global/legal/business/worldpay.ashx [natwest.com] under section 8. Chargebacks and specifically 8.5)

8. CHARGEBACKS 1. 8.1 In certain circumstances, Card Issuers, Card Schemes and/or Other Financial Institutions refuse to Settle a Transaction or require repayment from Us in respect of a Transaction previously Settled and/or Remitted, notwithstanding that Authorisation may have been obtained from the Card Issuer and/or Other Financial Institution (such circumstances being a " Chargeback").

and

# 8.5 Where a Chargeback occurs, We shall immediately be entitled to debit Your Merchant Bank Account and/or make a deduction from any Remittance in accordance with clause 7.3.1 and/or invoice You in accordance with clause 7.3.2 to recover: 1. 8.5.1 the full amount of the relevant Chargeback; and 2. 8.5.2 any other costs, expenses, liabilities or Fines which We may incur as a result of or in connection with such Chargeback (" Chargeback Costs"). # 8.6 A Chargeback represents an immediate liability from You to Us and where the full amount of any Chargeback and/or any Chargeback Costs is not debited by Us from Your Merchant Bank Account or deducted from any Remittance or invoiced as referred to in clause 8.5, then We shall be entitled to otherwise recover from You by any means the full amount of such Chargeback and Chargeback Costs (or the balance thereof, as the case may be). # 8.7 We shall not be obliged to investigate the validity of any Chargeback by any Card Issuer, Card Scheme or Other Financial Institution, whose decision shall be final and binding in respect of any Chargeback.

It sucks and merchants get the shaft and as locallyunscene said, "Credi

Re:

[PatPending]

A Chargeback is an entirely different subject. (We routinely handle them every so often.)

Re:

[MichaelKristopeit314]

if amazon.com doesn't store card data, then how am i allowed to make purchases using existing saved card data?

Re:Violation of Payment Card Industry regulations?

[PatPending]

The credit card merchant services provides a hash value that is subsequently used. You may store the expiration date and last four digits.

Re:

[MichaelKristopeit317]

so the credit card merchant services provider is then storing the full card information? someone MUST be. if the hash is interchangeable with the card number, then the hash IS the card number for all intents and purposes.

Re:

[terraformer]

so the credit card merchant services provider is then storing the full card information? someone MUST be. if the hash is interchangeable with the card number, then the hash IS the card number for all intents and purposes.

It's not interchangeable. It is limited to this vendor.

Re:

[Rakishi]

It's useless unless you're able to hack into amazon's servers and initiate charges using hashed information. In which case the information is still useless since you've got much better access from the hack anyways.

So yes, your own inability to understand what's going doesn't change reality.

Re:

[Rakishi]

If you're able to do a man in the middle attack between amazon's servers and the credit card companies servers than it doesn't really matter if you have the hashed number or not. In every other case they're useless.

So once again you've shown your incompetence. Thank you for making it easy.

Re:

[pthreadunixman]

Didn't you hear? All security problems can be solved with hash functions.

Re:

[terraformer]

if amazon.com doesn't store card data, then how am i allowed to make purchases using existing saved card data?

They store data that is useless to others. They don't need to store the card's data, only data about their first transaction with you.

Re:

[terraformer]

if the data can be used to initiate future transactions, it is not useless.

If it can only be used to initiate future transaction with the original vendor, it is of limited utility to criminals. It also makes the liability for fraud limited to the vendor who got hacked, which is a nice market based mechanism for those who have crappy security to fix their problems.

Re:

[Anonymous Coward]

dude, how many slashdot accounts do you have...?

http://slashdot.org/~MichaelKristopeit313 [slashdot.org]
http://slashdot.org/~MichaelKristopeit314 [slashdot.org]
http://slashdot.org/~MichaelKristopeit315 [slashdot.org]
http://slashdot.org/~MichaelKristopeit316 [slashdot.org]
http://slashdot.org/~MichaelKristopeit317 [slashdot.org]

"you're completely pathetic."

you've got way too much free time, man...

Re:

[Anonymous Coward]

You can store card data, but not the CVV2 info. There are requirements about how that data is stored, but CVV2 cannot be stored. Ever. Even encrypted. That's the point. And you don't have to have the CVV2 to process transactions, it just helps prove it isn't a fraudulent transaction. This is to help make the physical card (or whoever holds it) the only source of this information. That's the theory anyway. It rarely works that way in practice, of course.

Re:

[MichaelKristopeit330]

you want to shield everyone from THE TRUTH?

why do you cower? what are you afraid of?

you're completely pathetic.

Test the Law

[cappp]

I'm not so sure it's a test of the law at all. At least there's no way to know without more details about how the breach occured. The law can be found here [mass.gov] (pdf). TFA states the breach occured because of an SQL injection - but nothing beyond that.

In the interests of stimulating a little chatter, the law calls for

(1) Secure user authentication protocols including:
(a) control of user IDs and other identifiers;
(b) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
(c) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect; (d) restricting access to active users and active user accounts only; and
(e) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;
(2) Secure access control measures that:

(a) restrict access to records and files containing personal information to those who need such information to perform their job duties; and
(b) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;

(3)Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.

(4) Reasonable monitoring of systems, for unauthorized use of or access to personal information;

(5) Encryption of all personal information stored on laptops or other portable devices;

(6) For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.

(7) Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.

(8) Education and training of employees on the proper use of the computer security system and the importance of personal information security.

Re:

[JSG]

So, 4,6,7 and 8 would seem to apply. That should give the lawyers plenty to play with.

Re:

[cappp]

Note the use of the qualifier "reasonable"...the get out clause in every law ever written.

Re:

[mssymrvn]

The other big can of worms is the application of MA commonwealth law to a business *in another state*. MA likes to write laws like this all the time. But the reality is that MA has no jurisdiction outside of its borders. Or shouldn't - though we'll see how stupid the courts are on this one if it comes to trial.

Re:

[Anonymous Coward]

I work for a MA company that deals with personal data for several fortune 100 companies. (posting AC for obvious reasons)
The Law is a joke. The rules are so vague that no matter what precautions are taken you could be found in violation. Who defines "reasonable?" What is adequate "encryption?"

This law is just another example of rushed "Think of the children" (for children read anyone) laws that get passed these days.

Encryption not much use against SQL injection

[JSG]

The linked article mentions only that the law requires that data be held encrypted. That is not much use in this case where a SQL attack was used.

Does anyone know whether the law requires a certain standard for the front ends to the data. I'm pretty sure that PCI DSS - as another applicable standard - defines no such thing either.

Re:

[igreaterthanu]

Buffer overflows and SQL injections are the ban of open source software.

But if I pay Oracle though, it's magically secure right?

Re:

[AltairDusk]

SQL syntax works on Oracle too... Shove that user input straight into an Oracle query and you'll find SQL injection is alive and well on all SQL databases where input is not sanitized properly.

Re:

[VTI9600]

Most laws of this nature are indeed left intentionally vague...as they should be. This is so as to not put an onerous burden on companies trying to implement good security practices, not to favor one specific security vendor over another, and to maintain the flexibility needed for vendors to adapt to changes in technology.

Re:

[VTI9600]

Protecting against SQL injection attacks is much easier than making sure that all storage devices and network connections are encrypted. To use the Hitchhikers' Guide to the Galaxy analogy, encryption is like a towel. If your data is encrypted then people (sometimes rightfully) assume you've already got everything else you need to protect your customer's data from the crackers of the universe. These guys, however, clearly had none of the above.

So...

[Evets]

What is the penalty for violating the law?

Re:

[Monkeedude1212]

What happens if you are hit by a bus and don't serve your penalty?

Re:

[healyp]

What happens if you are hit by a bus and don't serve your penalty?

Then your next of kin must die of old age instead.

Re:

[Evets]

To answer my own question

It contains no specific penalties for non-compliance with the law, but could open the door to lawsuits or legal actions by the state’s attorney general.
Source [networkworld.com]

I don't think you can call a law "tough" when there are no penalties.

Re:

[inerlogic]

a lifetime senate seat....

oh wait, that's just for murders...

How are businesses supposed to comply?

[chrismcb]

How is a business supposed to comply with something like this? Are you supposed to follow the laws published in every corner of the country? [quote]Among other things, 201 CMR 17.00 requires organizations that store personal information on Massachusetts' residents to encrypt personal information at rest - in databases, servers, laptops, desktops, mobile devices. Data transmitted over wired or wireless networks also must be encrypted[/quote] I'm not exactly sure what qualifies as "personal information" but I