PCI Breach Trend Report September 2015 – January 2016
This issue of SRM’s breach trend report covers the period September 2015 – January 2016 and looks at businesses that required a PCI Forensic Investigator (PFI) investigation. The data presented covers the most common types of business affected as well as their trading size, to give a broad picture of how breaches occur across the industry.
PCI Breach Trend Report June – August 2015
This issue of SRM’s breach trend report covers the period June – August 2015 and looks at businesses that required a PCI Forensic Investigator (PFI) investigation. The data presented covers the most common types of business affected as well as their trading size, to give a broad picture of how breaches occur across the industry.
Landmark US legal case to make cybersecurity specialists accountable
In a landmark case, Affinity Gaming is seeking $100,000 in damages from its cybersecurity provider Trustwave over Trustwave’s alleged handling of a data security breach which cost the casino operator $1.2 million.
If successful, this legal action in the US may have implications here in Britain, with the potential to make cyber security professionals operating under US law fully accountable to their clients. We at SRM have no issue with this. All cybersecurity professionals should welcome scrutiny and we would certainly be happy for any potential clients to review our track record in the investigation and containment of data security breaches. As an industry it is important that we are vigilant at all times and companies operating in this field should maintain a forensic and meticulous approach throughout any investigation.
The lawsuit has been filed in the US District Court in Nevada, where Affinity is headquartered. As reported in the Financial Times, Trustwave was engaged by Affinity to investigate and contain a data breach which exposed the data of up to 300,000 of its customers.
Affinity claims that, while Trustwave was investigating the initial data breach, a second cyberattack took place. It alleges that the security company missed this additional attack, declaring at the time that the threat had been contained. Although Affinity had a $5 million cyberinsurance policy in place, it spent $1.2 million dealing with the breaches, and it is now seeking $100,000 in damages from Trustwave.
The lawsuit opens up fresh avenues of liability in relation to cybersecurity, cyberattacks and data breaches. Until now, when cybersecurity specialists have been brought in following a data breach, the companies which engaged them would usually take all necessary steps to appease customers but would also absorb the financial hit and the loss of reputation that resulted. There has not previously been a case in which a cybersecurity specialist was embroiled in a legal battle over how it had handled and contained a security incident.
Affinity says that it “takes seriously its data security obligations” and had regarded finding a specialist with data breach response expertise to be of “paramount importance.” Trustwave has an international presence, with offices in Chicago, São Paulo, London and Sydney. However, Affinity is said to have been disappointed with the firm’s performance.
Soon after Trustwave finished its 2013 investigation into the data breach, declaring it contained, Affinity discovered that its systems were still compromised. It hired a second cybersecurity consultancy to perform penetration testing, which identified further suspicious activity in the form of a malware program called “Framepkg.exe.” Affinity claims that Trustwave had found this malware during its investigation but had neither contained it nor sought to remediate it.
Trustwave denies any negligence on its part and a spokesperson said: “we dispute and disagree with the allegations in the lawsuit and we will defend ourselves vigorously in court.” We await the verdict of the court with interest.
Kane Cutler: youngest PFI in the world
Newcastle-based Kane Cutler becomes youngest cybercrime expert drafted into exclusive Payment Card Industry investigation team
Newcastle-based Kane Cutler has been accepted by the Payment Card Industry Security Standards Council (PCI SSC) as a PCI Forensic Investigator (PFI). At 26 years old, this exclusive accreditation makes Kane one of the youngest, if not the youngest, PFIs in the world. Only three companies in the UK operate in this field, and Security Risk Management (SRM), which Cutler joined in early 2015, is one of them. He joins fellow SRM consultants Chris McGee and Andrew Linn in this select field.
Kane’s new role puts him on the frontline of investigating cybercrime. At the request of the PCI, his forensic investigation work will often deal with theft, whether of significant sums from online transactions or of personal data, the latter putting individuals at risk of a host of other fraud issues. He is also likely to be called upon to deal with major incidents of data theft, such as those recently suffered by TalkTalk and Wetherspoons.
To become a PFI, you must already be a PCI DSS Qualified Security Assessor (QSA), which requires five years’ industry experience. In addition, Cutler is an experienced Information Security Officer and Penetration Tester and has significant experience working with the ISO 27001 standard as both an implementer and an auditor, including identifying risks and implementing remediation recommendations within an Information Security Management System (ISMS).
As an Information Security Consultant with SRM, Kane Cutler is also responsible for diagnosing and remediating any issues that arise in relation to firewalls, protection software, web filters, mail filters, DNS infrastructure, application testing, and intrusion detection systems.
SRM Director Brian Fenwick, who was responsible for recruiting Kane, commented: “As a North East based company with consultants based nationwide we were delighted to recruit Kane in the North East and to assist him to broaden his cyber security expertise. Kane has joined a cutting edge Cyber Security company that has the intention to be at the head of PCI Forensic Investigation in Europe.”