By Brian Krebs
washingtonpost.com Staff Writer
December 19, 2005
Guidance Software -- the leading provider of software used to diagnose
hacker break-ins -- has itself been hacked, resulting in the exposure
of financial and personal data connected to thousands of law
enforcement officials and network-security professionals.
Guidance alerted customers to the incident in a letter sent last week,
saying it discovered on Dec. 7 that hackers had broken into a company
database and made off with approximately 3,800 customer credit card
numbers. The Pasadena, Calif.-based company said the incident occurred
sometime in November and that it is working with the U.S. Secret
Service on a more detailed investigation.
Michael G. Kessler, president of New York City-based
computer-forensics investigative firm Kessler International, received
a letter notifying him that the company's American Express card was
among those compromised by the attackers. Kessler received the notice
from Guidance at the same time that a company credit-bill arrived with
what he said were $20,000 in unauthorized charges for pay-per-click
advertising at Google.com.
"I just got our American Express bill and nearly fell out of my
chair," Kessler said. "You'd think Guidance would be the last company
this kind of thing would happen to."
Guidance's EnCase software is used by hundreds of security researchers
and law enforcement agencies worldwide, including the U.S. Secret
Service, the FBI and New York City police. John Colbert, the company's
chief executive officer, said Guidance alerted all of its customers
less than two days after discovering the break-in, and that it would
no longer store customer credit card data.
"This certainly highlights the fact that intrusions can happen to
anybody and that nobody should be complacent about security," he said.
Colbert declined to discuss further details of the attack, citing the
Guidance stored customer records in unencrypted databases, and
indefinitely retained customers' "card verification value" (CVV)
numbers, the three-digit codes on the back of credit cards that are
meant to protect against fraud in online and telephone sales,
according to Colbert and the notification letter sent to customers.
Merchant guidelines published by both Visa and Mastercard require
sellers to encrypt customer credit-card databases. They are also
prohibited from retaining CVV numbers for any longer than it takes to
verify a given transaction.
Companies that violate those standards can be fined $500,000 per
violation. Credit card issuers generally levy such fines against the
bank that processes payment transactions for the merchant that commits
the violations. The fines usually are passed on to the offending
Secret Service and FBI customers were among those whose information
was included in the hacked database, Colbert said, but he declined to
say whether credit card information belonging to those agencies was
Secret Service spokesman Eric Zahren would only confirm that the
agency is investigating the break-in. FBI officials could not be
immediately reached for comment.
Kessler said several of his company's employees also received notices.
Among the items Guidance said were taken by hackers were company
employees' names, addresses, telephone numbers, credit card numbers,
card expiration dates and card verification numbers.
Another security professional who got the notification letter said he
was surprised that the company did not detect the intrusion for nearly
two weeks, a lapse in time that could make it much more difficult to
catch the perpetrators.
"Unfortunately, most cyber crimes require being worked very quickly in
order to gather data before it is purged either by attackers or just
in the normal course of business," said Doug Rehman, president of
Rehman Technology Services in Mount Dora, Fla., who learned that his
credit card and personal data had been exposed.
"Hopefully this incident will be a call for our community to wake up,
particularly the vendors who ought to be at the forefront in dealing
with security issues," Rehman said.
The intrusion at Guidance caps a year marked by an unprecedented
number of disclosures about hacker break-ins at major corporations
that hold customer data. Many of those attacks targeted law
enforcement entities indirectly or directly. In March, data aggregator
LexisNexis acknowledged that hackers had illegally accessed
information on more than 310,000 consumers, an attack that was later
determined to have been launched after hackers broke into computers
used by at least two separate police departments.
Last week, investigators at CardCops.com found that a digital
intrusion at a company that manufactures police name badges had
compromised the personal information and credit card accounts
belonging to dozens of police departments and officers.
Krebs is a reporter for washingtonpost.com.
© 2005 Washingtonpost.Newsweek Interactive