Security and law enforcement professionals are appalled that their personal information has been leaked by Guidance Software Inc., a security software and training company they say should have known better than to leave an unencrypted database exposed on the Internet.
“I was shocked that a company like Guidance would be this sloppy,” said Peter Garza, CEO of EvidentData, a computer forensics and network security firm that counts itself among Guidances customer base.
“My first response was that I was shocked they would have an unencrypted database that was accessible via the Internet,” Garza said. “I would think any vendor that has a system connected to the Internet would be more responsible, but as a security company, [Id think] theyd be even more adept.”
Guidance last week sent a letter to its customers advising them that on Dec. 7 it had discovered a security breach on its customer records database. This wasnt your typical breach—this was a crime that Guidance customers described as being of national security proportions. The database contained credit card numbers of some 3,800 people, including investigative professionals from the NSA, FBI and CIA, as well as heads of law enforcement worldwide.
“In terms of homeland security, the individuals participating in Guidance training are tasked with ensuring the safety of the U.S. and its infrastructure,” an EvidentData spokesperson said in an e-mail exchange. “Because of this, the breach can easily be correlated to break-in of national security proportions.”
Guidance said in its letter that it believed that the compromised database contained names, addresses, credit card numbers and expiration dates. Most troublesome of all was the exposure of credit card verification numbers, given that it is illegal to retain that data in the first place.
Guidance has been working with the U.S. Secret Service as it investigates the crime. It has deleted all of its customers credit card information from its database, Guidance said in the letter, and is “confident” that the intrusion has been contained.
“While this event is extremely troubling, we are confident, based on an immediate forensic analysis, that the intrusion has now been effectively terminated and our network has been secured,” Guidance CEO John Colbert said in the letter. “In addition, we are reviewing our operations and redoubling our efforts to ensure that customer information is secure.”
But that assurance didnt keep the thieves from racking up some $20,000 in unauthorized purchases of pay-per-click Google advertising on the American Express bill of one customer. According to the Washington Post, computer forensics investigative firm Kessler International received the Guidance letter at the same time it also received an American Express bill containing the unauthorized charges.
Some customers are grumbling that, given the sensitive nature of the customer base, they would have preferred immediate notification, as opposed to getting a snail-mail notification a week after the breach was discovered.
“Many three-letter agencies, state and local professionals like myself that are in computer forensics in the civil practice” have had their information exposed, Garza said. “They have a database of whos who on investigating computer crime, and that was compromised. Their response to the community should have been immediate, not two weeks later or a week later.”
But other customers were willing to cut Guidance some slack, given the nature of a network breach. Mitch Dembin, an assistant U.S. attorney and cybercrime coordinator for the Southern District of California, as well as a one-time customer of Guidance, said that he could understand the snail-mail notification approach, given that a company in Guidances position might not even be sure that its systems would be secure enough to send e-mail without further compromise of sensitive data.
“Recognizing your system has been compromised, are you comfortable using e-mail to contact customers?” he said. “With mail, youre avoiding the possibility of electronic compromise. Although its recognized as significantly more expensive for companies to use the mail, to do so, I think, is to ensure the customer gets the notice, which you cant ensure through e-mail. Particularly since your system has suffered at least one known compromise.”
The lessons the breach teaches are already well-known, Dembin said, given that in this day and age, everybody knows the value of encrypting the database. That doesnt make encryption a straight-forward choice, however. “There are some difficulties, including cost, in encrypting database information, particularly when its a live database,” he said. “Its not so simple as saying, Encrypt it. If you need the data quickly, if the data is active, theres going to be a performance hit. Its just not so easy. If it was so easy to do, yes, by now everyone would have a solution in place and be doing it.”
Retention of credit card data is another problem entirely, Dembin said—one thats arisen after credit card systems had already come online.
“When we first started taking credit card information online, I dont think these concerns existed,” he said. “These concerns have become far more significant now, and card companies have combined to require that vendors only keep certain information a certain amount of time. But again, thats an adjustment [you have to make] to the software. It seems to me the kind of thing that if it was easy, everybody would do it. It might require tweaks, updates or changes that companies are planning for but they hope to get to before [disaster strikes].”
In the meantime, users like Garza arent planning to stop using Guidance software, which he called “probably the most widely used computer forensic software in the Windows environment.”
Hell just be more careful next time he goes back for training or software, he said. “Ill pay with check, not by credit card,” he said.