"I was shocked that a company like Guidance would be this sloppy," said Peter Garza, CEO of EvidentData, a computer forensics and network security firm that counts itself among Guidances customer base.
"My first response was that I was shocked they would have an unencrypted database that was accessible via the Internet," Garza said. "I would think any vendor that has a system connected to the Internet would be more responsible, but as a security company, [Id think] theyd be even more adept."
Guidance last week sent a letter to its customers advising them that on Dec. 7 it had discovered a security breach on its customer records database. This wasnt your typical breach—this was a crime that Guidance customers described as being of national security proportions. The database contained credit card numbers of some 3,800 people, including investigative professionals from the NSA, FBI and CIA, as well as heads of law enforcement worldwide.
"In terms of homeland security, the individuals participating in Guidance training are tasked with ensuring the safety of the U.S. and its infrastructure," an EvidentData spokesperson said in an e-mail exchange. "Because of this, the breach can easily be correlated to break-in of national security proportions."
Guidance said in its letter that it believed that the compromised database contained names, addresses, credit card numbers and expiration dates. Most troublesome of all was the exposure of credit card verification numbers, given that it is illegal to retain that data in the first place.
Guidance has been working with the U.S. Secret Service as it investigates the crime. It has deleted all of its customers credit card information from its database, Guidance said in the letter, and is "confident" that the intrusion has been contained.
"While this event is extremely troubling, we are confident, based on an immediate forensic analysis, that the intrusion has now been effectively terminated and our network has been secured," Guidance CEO John Colbert said in the letter. "In addition, we are reviewing our operations and redoubling our efforts to ensure that customer information is secure."
But that assurance didnt keep the thieves from racking up some $20,000 in unauthorized purchases of pay-per-click Google advertising on the American Express bill of one customer. According to the Washington Post, computer forensics investigative firm Kessler International received the Guidance letter at the same time it also received an American Express bill containing the unauthorized charges.
Some customers are grumbling that, given the sensitive nature of the customer base, they would have preferred immediate notification, as opposed to getting a snail-mail notification a week after the breach was discovered.
"Many three-letter agencies, state and local professionals like myself that are in computer forensics in the civil practice" have had their information exposed, Garza said. "They have a database of whos who on investigating computer crime, and that was compromised. Their response to the community should have been immediate, not two weeks later or a week later."