Breach at Security Vendor Shocks Industry

Security and law enforcement professionals are appalled that their personal information was leaked by Guidance Software.

Security and law enforcement professionals are appalled that their personal information was leaked by Guidance Software, a security software and training company they say should have known better than to leave an unencrypted database exposed on the Internet.

"I was shocked that a company like Guidance would be this sloppy," said Peter Garza, CEO of EvidentData, a computer forensics and network security company that counts itself among Guidances customer base. "My first response was that I was shocked they would have an unencrypted database that was accessible via the Internet," Garza said. "I would think any vendor that has a system connected to the Internet would be more responsible, but as a security company, [Id think] theyd be even more adept."

Guidance last month sent a letter to its customers advising them that on Dec. 7 it discovered a security breach on its customer records database. This wasnt your typical breach—this was a crime Guidance customers described as being of national security proportions. The database contained credit card numbers of some 3,800 people, including investigative professionals from the National Security Agency, FBI and CIA, as well as heads of law enforcement worldwide.

Guidance stated in its letter that it believed that the compromised database contained names, addresses, credit card numbers and expiration dates. Most troublesome was the exposure of credit card verification numbers, given that it is illegal to retain that data in the first place.