Columns

When a MasterCard investigation in May revealed that hackers had gained access to 40 million credit card numbers, it sent shock waves through the financial industry. It also highlighted broad implications for the way average Canadian companies handle information.

by Jacob Stoller
A couple of interesting twists make this event stand out. First of all, it was not Visa or MasterCard that was hacked, but a subcontractor whose name would mean little to the average consumer. Secondly, although the leak itself was the work of a hacker, it was made possible by improper activity on the part of the subcontractor. CardSystems Solutions, a third-party provider of payment processing services to the industry, had retained cardholder data, allegedly for “testing purposes,” in contravention of its privacy agreement. The data that was stolen shouldn’t have been there to steal.

Expanding audit obligations

As consumers, we’re lucky. Major credit card providers don’t hold us liable for fraudulent credit card transactions, and they have done an impressive job of detecting suspicious transactions. As a result, Canadians have become complacent. That’s fine if you’re a consumer, but not if you are responsible for securing your customers’ private information.

This event highlights the importance of scrutinizing the activities of third parties. The Personal Information Protection and Electronic Documents Act (PIPEDA) and its provincial equivalents stipulate that Canadian companies retain ultimate responsibility for securing the personal information they collect, even when that information is in the hands of a subcontractor. Furthermore, the law requires active monitoring and the ability to demonstrate compliance. This adds a whole new angle to a company’s audit obligations, according to Constantine Karboliotis, head of the security and privacy practice for consulting firm CGI in Toronto. “Companies should be looking at their subcontractors to see how well they’re performing these obligations, because they don’t escape the liability.”

Karboliotis suggests that many companies’ privacy practices may need serious revision. “The first step is to review what contracts are in place, because it may require some sort of contractual review. Then you start working into contract audit provisions so that you audit the subcontractors’ handling of personal information. In that fashion, you now bring under control of the primary party responsible — the party collecting the information — the ability to monitor their subcontractor performance. Then you actually have to do that.”

In practice this means the subcontractor designates a security officer who is contractually obligated to review security logs and to report any irregularities to the contracting company. Execution can involve regular inspections, spot audits, and rigorous evaluation of IT and other protection mechanisms. Conversely, companies also have to be prepared to share their own procedures and security logs with the companies they subcontract for; being able to do this succinctly will make life easier for the primary contractor.

The insider threat

It’s not only partners that have to be managed; employees have to be included as well. Karboliotis mentions the insider threat. “Everyone thinks of security as guarding the perimeter — keeping the bad people from getting in. Whereas, oftentimes, the bad people are already in. They work for you.”

John Parkinson, chief technologist for Cap Gemini, Americas Region, agrees. “This is probably the toughest scenario to deal with.” Parkinson recommends rigorous procedures to his clients. “I would do this in the order that has the most impact. Background checks, good human resource policies, and good supervisory models for the people who could hurt you. Trusts are verified. Secondly, good process design and good compliance monitoring. Have people check that there’s no single actor who can do you a lot of damage. And then third, watch for technologies that reduce the threat.” Monitoring tools that can detect internal wrongdoing are highly sophisticated, and technology in this area is still emerging.
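One shape such a monitoring tool can take, as an added example (illustrative code written for this page, not a product of CGI or Cap Gemini and not from the article): a monitor that applies a stated data-retention rule to a set of stored transaction records and raises an event only for the records that violate it (exception monitoring, so a compliant run produces nothing to review), writing each event to an audit log in which every entry carries the hash of the entry before it. A privileged user who later edits, inserts or deletes an entry in the middle of that log leaves a visible break in the chain. The 30-day rule, the record layout, the masked card numbers, the scan date and the actor names are all constructed for the illustration.

```python
# Added illustration, not code from the article: an exception monitor for a
# data-retention rule, writing only the deviations to a hash-chained audit log.
import hashlib
import json
from datetime import date, timedelta

RETENTION_DAYS = 30           # assumed policy: records purged 30 days after settlement
AS_OF = date(2005, 6, 1)      # constructed scan date for the example

# Constructed sample records; the masked PANs are placeholders, not real cards.
RECORDS = [
    {"txn_id": "T1001", "pan_masked": "411111******1111", "settled": "2005-05-01"},
    {"txn_id": "T1002", "pan_masked": "550000******0004", "settled": "2005-05-20"},
    {"txn_id": "T1003", "pan_masked": "411111******1111", "settled": "2005-03-15"},
]


def find_retention_exceptions(records, today, retention_days=RETENTION_DAYS):
    """Exception monitoring: return only the records held past the retention window.

    Compliant records produce nothing, so a quiet run leaves nothing to review.
    """
    cutoff = today - timedelta(days=retention_days)
    exceptions = []
    for rec in records:
        settled = date.fromisoformat(rec["settled"])
        if settled < cutoff:
            exceptions.append({
                "event": "RETENTION_VIOLATION",
                "txn_id": rec["txn_id"],
                "days_held": (today - settled).days,
                "limit_days": retention_days,
            })
    return exceptions


class AuditLog:
    """Append-only audit log in which every entry commits to the one before it.

    Each entry stores the SHA-256 of the previous entry, and its own hash covers
    its sequence number, actor, event and that previous hash. Editing, inserting
    or removing an entry in the middle breaks the chain at that point.
    """

    GENESIS = "0" * 64  # the "previous hash" of the very first entry

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        # Canonical JSON (sorted keys) so identical content always hashes identically.
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, actor, event):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"seq": len(self.entries), "actor": actor, "event": event, "prev": prev}
        entry = dict(body, hash=self._digest(body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, index of the first bad entry)."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or entry["prev"] != prev or self._digest(body) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, None


def run_monitor(records, today, log, actor="retention-monitor"):
    """Scan the records and write each deviation to the log; returns the deviations found."""
    exceptions = find_retention_exceptions(records, today)
    for exc in exceptions:
        log.append(actor, exc)
    return exceptions


if __name__ == "__main__":
    log = AuditLog()
    found = run_monitor(RECORDS, AS_OF, log)
    # A privileged action that must leave a trace no matter who performs it.
    log.append("dba_alice", {"event": "PRIVILEGED_ACTION", "detail": "DISABLE TRIGGER audit_trg"})
    print(f"{len(found)} retention exception(s); chain intact: {log.verify()}")
    log.entries[0]["event"]["days_held"] = 1  # a quiet edit to make the violation disappear
    print(f"after tampering with entry 0: {log.verify()}")
```

The chain gives tamper evidence, not tamper prevention: it cannot stop a database administrator from editing the log, but it makes the edit show up at verification time. Two limits worth knowing. First, quietly dropping the newest entries is not detected by the chain alone, so the latest hash should be copied periodically to a place the administrator cannot write (a separate system, or a signed checkpoint). Second, exception monitoring decides what is surfaced for review; the underlying records still have to be retained, because an investigation will want the full history and not just the alerts.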
Most companies are accustomed to the traditional network security measures — firewalls, VPNs and, increasingly, intrusion detection systems. To guard against suspicious behaviour by trusted insiders, you need to be able to detect any irregular activity involving the data in question. As Karboliotis points out, “There are many software tools that allow you to establish monitoring and auditing capabilities of systems so that you can set the rules. If you’re supposed to get rid of data after 30 days and you haven’t, then a bell goes off someplace.”

A key to this technology is the capability to do exception monitoring: only events that deviate from the stated requirements are captured for review, which keeps security logs manageable and auditable. Another key is making sure security logs can’t be altered. Says Karboliotis, “The database administrator needs to be able to do just about everything, but anything that’s unusual should always be recorded, and it should be beyond anybody’s capability to hide evidence that that was done.”

IT imperfections — live with them

However, no system is perfect, as Parkinson points out. “How do I ensure that the process by which code gets into production on my systems is monitored, managed, checked, and sufficiently thorough that it is extraordinarily difficult to get that malicious code into the system? In my view you can never be absolutely sure, you can just keep the threshold moving up so that it’s less and less likely that anybody will be able to do what happened at CardSystems.”

In other words, application-level security, like network security, is an ongoing race against the hackers. It’s also a very costly one, and may involve some judgment calls. According to Parkinson, officers in small to mid-sized companies may have to decide how much protection they can afford. “For many smaller companies, it’s a very tough decision. Nobody wants to be caught out like this, but there’s a level of reasonableness and materiality where you would say ‘I did everything I reasonably could, I made it reasonably difficult, but I got caught. Somebody targeted me.’”

The relative nature of security points to another caveat: data privacy can’t be ensured through compliance alone. For one thing, no law or standard can come close to anticipating all of the potential threats. Furthermore, compliance tends to become an end in itself: companies comply based on what they can get away with, and then consider the matter closed. The law provides an essential baseline and a common framework for companies to work with, but there has to be a genuine intent to succeed. Fear of the reputational damage that follows a major mishap is probably the strongest incentive out there.

Karboliotis points out that regulation is only required to compel people to do what they should already be doing. “It’s ironic that we have to legislate common sense, but we do.” Ultimately, he says, it all boils down to integrity. “Good governance around information technology, in particular in relation to personal information, is do what you say you’re going to do. If you’re going to collect information and only use it for certain purposes, do that. Be clear about what you’re doing.”

Jacob Stoller is an independent writer and researcher based in Toronto. He can be reached at jacob@stollerstrategies.com.