The indictment of Albert Gonzalez and two other co-conspirators in connection with data breaches resulting in the theft of 130 million credit card numbers is massive news.  This is the largest breach of credit card numbers ever recorded, and the fact that someone was caught speaks volumes about the efforts of law enforcement officials.  However, this indictment doesn’t change the fact that the numbers were still compromised and the corporate victims—the businesses that had data stolen off of their networks—have suffered irreparable damage both in terms of regulatory compliance and corporate reputation.  There are many lessons to be learned from this incident.  The GraVoc News Blog will outline this information in a two-part series.

  • Albert Gonzalez is already in prison for his involvement in a previous high-profile data breach involving TJX, Dave & Buster’s, BJ’s, and other companies.  In his career as a hacker, he very well may have stolen 200 million credit card numbers!  Each of these operations, while certainly sophisticated, was reasonably small.  This news shows how readily available credit card numbers can be if a network is violated.
  • This attack was well-planned and well-researched.  The scope of this group’s “research and development” included driving with a computer to evaluate the security (or lack thereof) of potential victims’ networks using a variety of tools, many of which may also be used by companies like GraVoc to help companies identify vulnerabilities in a network’s perimeter.  Potential victims were also qualified by researching the means of payment processing.
  • The attack was carried out with an SQL injection and the installation of malware, exploiting network vulnerabilities that were previously identified and documented.  These attacks typically exploit “poorly-coded” applications, and when these vulnerabilities are initially found, they are documented and resolved in an updated version of the application.  In other words, many of these vulnerabilities are the result of a company’s lack of diligence regarding updating software versions.
  • Experts agree that despite the diligent preparation for this attack, an SQL injection is not a difficult exploit to execute.  While Albert Gonzalez may be behind bars, he is hardly the only hacker in the world who can exploit the same vulnerabilities in this manner.

GraVoc Associates, Inc. of Peabody, MA, is dedicated to ensuring its clients in Greater Boston, New England, and beyond are aware of the ever-changing environment of information security.  The GraVoc News Blog will continue documenting four other “lessons learned” early next week.  For more information regarding GraVoc’s services in information security, information systems, and technological and professional services, please visit https://www.gravoc.com.