Sunday, July 22, 2007

Disney learns (the hard way) that insiders can be the biggest threat to information security

In the world of data breaches, nothing is sacred, not even Disney. It has come to light that a subcontractor (Alta Resources, Inc.) had an employee who sold credit card information to federal agents.

Jaikumar Vijayan of Computerworld reports:

A subcontractor working for a company that processes and fulfills orders for the Disney Movie Club sold credit card numbers and other account information belonging to an unknown number of customers to undercover law enforcement agents.

The May 2007 incident has prompted Disney to send out letters to an unspecified number of customers informing them about the breach.
Jaikumar tried to get Disney to comment, but in keeping with data breach protocol, they declined to do so. He was able to get one of the letters sent out to the customers who were breached.

The letter reassured the "compromised" by stating:

"Law enforcement officials have informed us that there is no indication that your information was used to make improper purchases or sold to anyone other than federal law enforcement agents," Flynn said in his letter. "Nevertheless, in an abundance of caution, we have informed representatives of Visa, MasterCard, American Express and Discover of these events."

Given the wholesomeness of Disney, their customers could be considered lucrative targets for identity theft. Most of them probably have good credit.

Either the person involved was caught right from the beginning, or he isn't talking.

They are also saying that CVV/CVC codes were not compromised. CVV/CVC codes are three-digit codes added to a payment card as an extra layer of security.

I went to the site and didn't see CVV/CVC codes being asked for after pretending to buy some merchandise from them. Granted, I didn't click "buy," which would have sent my credit card information to them, but I completed the rest of the steps.

Not all merchants ask for this code when someone makes a purchase or payment over the Internet.

It amazes me how optimistically data breaches are presented.

In an Orlando Sentinel article about the breach, officials at Disney were quick to point out they had been "independently certified by under the Payment Card Industry Data Security Standard."

PCI data security protection standards are being pushed on merchants right now, but as long as one dishonest person is given access, or someone is tricked into granting it, no amount of security is going to protect information.

PCI data security protection standards are a step in the right direction, but need to be combined with other sound practices to protect businesses from being compromised.

PC World article, here.

Update: NetworkWorld's Buzzblog is quoting an Orlando Sentinel story that David Haltinner of Wisconsin has been charged in the case. They also have a link to a copy of the official letter, here, and a letter from a customer claiming their card, which was on file with Disney, had fraudulent purchases ($8,000.00 worth) put on it.

The writer of the letter did try to report this, but was told that it probably didn't tie into this breach. Finding the point of compromise in a credit card fraud case is difficult, to say the least. Perhaps this is why the recent GAO report on data breaches claims very little fraud is being tied to the compromises it studied?

With all the compromised entities revealing only as little as they have to, there is a lot of plausible deniability.

The Buzzblog got the customer notification letter from someone at, who tracks data breaches on their site, here.
