Thursday, April 25, 2024

The FTC Puts One Security Compromise to Rest, But More Await

The Federal Trade Commission announced on Thursday a proposed settlement with the successor to CardSystems Solutions Inc., the merchant processor that gained notoriety last year as the source of the largest known compromise of financial data to date. The settlement, which did not include fines, arose out of the FTC's ninth case targeting companies whose security practices compromised consumers' private financial information, and was the first to involve a credit card processor. But security breaches are by no means a thing of the past, as authorities in Northern California investigate a hacking incident that could have compromised up to 200,000 debit cards. The incident is throwing the spotlight on retailers as the preferred target of electronic data thieves, a security expert warns.

Up to 40 million card account numbers stored by CardSystems were compromised in an intrusion discovered last year. The hack led to the demise of CardSystems as an independent company and the acquisition of its assets by Solidus Networks Inc., doing business as Pay By Touch Solutions (Digital Transactions News, Oct. 17, 2005).

Under the proposed settlement, Pay By Touch must implement a comprehensive information-security program and obtain audits by an independent, third-party security professional every other year for 20 years, according to an FTC news release. The security program must include administrative, technical, and physical safeguards.

The FTC filed a civil complaint against CardSystems in the wake of the intrusion, alleging a variety of security lapses on the part of the firm. The FTC voted 4-0 for the proposed settlement, with one member recused. The proposal is subject to public comment until March 27, after which the commission will take a final vote. Although there are no monetary penalties, the FTC noted that CardSystems still faces potential liability under banking regulations and private lawsuits.

Meanwhile, recent press reports say up to 200,000 debit card numbers may have been compromised in a data breach last fall involving a retailer in northern California. The San Francisco Chronicle identified the retailer as a Sacramento, Calif., outlet of Itasca, Ill.-based OfficeMax Inc. OfficeMax refused to confirm there had been a breach of its system, though unidentified sources in the banking industry told the Chronicle Feb. 14 that OfficeMax had made its computer system available to law-enforcement officials investigating the incident. OfficeMax, however, hasn't changed its position since last week. “OfficeMax has no knowledge of a breach in our security,” a company spokesperson told Digital Transactions News Thursday.

Bogus charges apparently related to the exposed account numbers have turned up in Europe and Asia, leading investigators to suspect Russian or other Eastern European criminals may be behind the hack. Several banks, including Bank of America, Washington Mutual, and Wells Fargo, have reissued cards in the wake of such transactions, according to the Chronicle.

While she doesn't have knowledge of the California case, security executive Heather Mark, director of industry marketing for Santa Clara, Calif.-based data-security firm Vormetric Inc., says retailers sometimes are surprised to learn that data can be compromised during business functions when they are extracted from a database. For instance, data used for auditing may be taken from a secure database and put into a spreadsheet or other so-called “flat file” that could be hacked. “That's a major issue because there aren't a lot of products on the market that will protect you from that,” Mark says. In addition, the new Payment Card Industry (PCI) standards drawn up by the card networks have put the heaviest pressure on merchant acquirers and processors to upgrade security and caused data thieves to turn their attention to retailers, she adds.

“I know hackers are increasingly going after retailers,” Mark says.
