Stories of major data breaches continue to roll in. One victim announced during the spring was hard drive maker LaCie (now owned by Seagate). In March the firm confirmed a security blog’s report that its customer data was exposed to hackers for nearly a year. For companies whose security breaches become public the result is a serious and expensive embarrassment. But for consumers and business customers the real concern is the breaches that we don’t know about.
As the KrebsOnSecurity.com blog reports, LaCie acknowledged the nearly year-long breach after the blog published evidence that hackers had broken into the company’s credit card data system.
A statement by the company confirmed that “the information that may have been accessed by the unauthorized person includes name, address, email address, payment card number and card expiration date for transactions made between March 27, 2013 and March 10, 2014.” As in several other recent major breaches, LaCie’s troubles can be traced to security vulnerabilities in Adobe’s widely used ColdFusion software.
KrebsOnSecurity also reports that according to “multiple sources with knowledge of the attackers and their infrastructure,” the LaCie attack was mounted by a group tied to several high-profile attacks last year. These include breaches at Adobe itself that compromised customer credit card information, and also released source code for Adobe’s popular Photoshop software.
The lesson to be drawn from this experience is that security breaches continue to expose sensitive customer information. These breaches are not haphazard. They are carried out in a coordinated way by highly organized teams of cyber-criminals whose technological fingerprints security professionals can recognize.
Yes, it would be better for everyone if the corporate victims of these attacks owned up quickly to the fact of a breach, instead of staying mum until exposed by security bloggers. But the reality is that the worst data breaches are the ones that, so far, only the cyber-thieves themselves are aware of.
Does your company have a plan in place to protect not only its own data stores, but also the sensitive information that it must provide to its suppliers and other business partners? Let GRT Corporation be your partner in providing effective, practical security tools that meet your organization’s budget and needs.
The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: “Security is not a product, but a process.”