Cyber security breaches can cause lasting reputational damage for companies who fall victim, and potential legal action by customers too. To add to this there is now the confirmed risk of enforcement action by the US Federal Trade Commission (FTC).
In a ruling by the US Court of Appeals for the Third Circuit, poor cybersecurity is to be classed as a form of 'unfair competition', which places it within the remit of the FTC to regulate. This interpretation was challenged by the hotel group Wyndham Worldwide, which was on the receiving end of an FTC lawsuit that had begun in June 2012. The District Court sided with the FTC, and now the Court of Appeals has concurred. The original lawsuit continues, but Wyndham have suffered a serious setback.
Lax cybersecurity is unfair because it can result in harm to customers, and because the company responsible for the IT system is better placed to prevent that harm than the customers themselves. In this case, it was not just one security breach, but three, which prompted the FTC to take action. According to the FTC complaint, these resulted in "the compromise of more than 619,000 consumer payment card account numbers, the exportation of many of these account numbers to a domain registered in Russia, fraudulent charges on many consumers' accounts, and more than $10.6 million in fraud loss".
The first security breach began with an attempt to guess user IDs and passwords. This should be ineffective on a securely-managed network, and is not difficult to detect. In this event, the company did notice a surge in account lockouts due to incorrect passwords, denying access to 212 of their users at one point, but were unable to isolate the computer responsible because they could find no record of where it was physically located. That the network had been successfully compromised was not realized until about four months later.
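The lockout surge described above is the kind of signal a simple detection rule can catch, and correlating each lockout with its originating host is what makes isolating the offending machine possible. The following is an added example, not code from the original post or from Nettitude: it parses constructed lockout log lines in an assumed format, buckets them into fixed time windows, and flags any window in which many distinct accounts are locked out, with a per-source breakdown.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lockout events (not from the real incident). Assumed line
# format: "<ISO timestamp> LOCKOUT user=<account> src=<originating host>".
SAMPLE_LOG = "\n".join(
    # background: a few genuine mistyped passwords spread over an hour
    [f"2008-04-01T01:{m:02d}:00 LOCKOUT user=staff{m} src=ws-{m:03d}" for m in (5, 20, 41)]
    # burst: one host (not in the asset inventory) locking out many accounts in seconds
    + [f"2008-04-01T02:10:{s:02d} LOCKOUT user=acct{s} src=ws-unlisted" for s in range(0, 36, 3)]
)

LINE_RE = re.compile(r"^(?P<ts>\S+) LOCKOUT user=(?P<user>\S+) src=(?P<src>\S+)$")
EPOCH = datetime(1970, 1, 1)  # reference point for naive-datetime bucketing


def parse_lockouts(text):
    """Return (timestamp, user, source) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"]))
    return events


def lockout_surges(events, window=timedelta(minutes=5), min_users=10):
    """Bucket lockouts into fixed windows and flag windows where the number of
    distinct locked-out accounts reaches min_users, attributed to source hosts."""
    buckets = defaultdict(list)
    for ts, user, src in events:
        start = EPOCH + ((ts - EPOCH) // window) * window  # floor to window boundary
        buckets[start].append((user, src))
    alerts = []
    for start in sorted(buckets):
        users = {u for u, _ in buckets[start]}
        if len(users) >= min_users:
            by_src = Counter(s for _, s in buckets[start])
            alerts.append({"window_start": start, "distinct_users": len(users),
                           "sources": dict(by_src)})
    return alerts


if __name__ == "__main__":
    for alert in lockout_surges(parse_lockouts(SAMPLE_LOG)):
        print(alert)
```

The per-window threshold and the source breakdown are the two pieces a responder needs: the first turns a pile of lockouts into one alert, the second names the host to pull off the network.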
The second breach occurred in March 2009, but was not discovered until May that year when customers began to complain about fraudulent payment card charges. The method of entry was different, but the malware used by the attackers was the same as before. Similarly, the third attack went unnoticed until a credit card issuer raised the alarm.
In all three cases, 'memory-scraping' software was used to collect payment card details as they were being processed by the computer. Additionally, during the first breach the attackers discovered account information for a large number of consumers that had been stored without encryption.
Wyndham argued that it should not be held responsible for the criminal acts of third parties. The Court disagreed, endorsing the FTC’s argument that the breaches were foreseeable and preventable. Shortcomings that the FTC took issue with included:
- The lack of firewalls to segregate Wyndham networks, thereby allowing a breach of one network to lead to a breach of others;
- Inappropriate configuration of its payment card software, causing account information to be stored without encryption;
- Allowing computers with outdated operating systems and known security vulnerabilities to be connected to their network;
- Failure to ensure the use of hard-to-guess passwords; and
- Failure to employ reasonable measures to detect and respond to intrusions.
No company can expect to achieve perfect protection against cyber threats, but reasonable precautions can greatly reduce the risk. They will also help you show that you have exercised due diligence should the worst happen, reducing the likelihood of an unsympathetic response from the regulator or the public. Nettitude can help you to achieve this. We can provide:
- Cyber Security Testing, to detect issues with insecure software, insecure configurations, and insecure behavior by users;
- Cyber Incident Response, to ensure that defense-in-depth is complemented by response-in-depth should an intrusion be detected; and
- Information Security Consultancy (ISC) Services, to ensure that risks are managed in a structured, proportionate manner.