Monthly Archive January 2016

PCI Breach Trend Report September 2015 – January 2016

This issue of SRM’s breach trend report covers the period September 2015 – January 2016 and looks at businesses that required a PFI investigation. The data presented shows the most common types of businesses affected as well as their trading size, to give a broad picture of how breaches occur across the industry.

Breach Trend Report September 2015 – January 2016

PBX fraud costing millions

In spite of awareness of the enormous financial implications of PBX fraud since 2013, cases continue to come to light. Police force cyber crime teams have recently been dealing with new cases in which business PBX telephone exchanges were exploited towards the end of 2015, but the fraud only came to light when inflated bills appeared in January. The National Fraud Intelligence Bureau refers to this as “PBX dial-through fraud” and instances should be reported to them through their online fraud reporting tool.

PBX stands for Private Branch Exchange, a private telephone network used within a company. Users of PBX phone systems share a number of outside lines for making external phone calls. In the majority of cases companies have allowed themselves to be vulnerable to attack by not changing the default passwords/PIN on new equipment when purchased. A general guide to safer practice is as follows:

  • Use strong PINs/passwords for the voicemail system, ensuring they are changed regularly.
  • If you still have your voicemail on a default PIN/password, change it immediately.
  • Disable access to your voicemail system from outside lines. If this is business critical, ensure the access is restricted to essential users and that they regularly update their PINs/passwords.
  • If you do not need to call international numbers/premium rate numbers, ask your telecoms provider to place a restriction on your telephone line.
  • Consider asking your network provider to not permit outbound calls at certain times, e.g. when your business is closed.
  • Ensure you regularly review available call logging and call reporting options.
  • Regularly monitor for increased or suspect call traffic.
  • Secure your exchange and communications system, use a strong PBX firewall and, if you don’t need a function, close it down!
  • Speak to your maintenance provider to understand the threats and ask them to correct any identified security defect.
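The two monitoring points in the list above (restricting out-of-hours calls and international/premium-rate destinations, and reviewing call logs for suspect traffic) can be automated against the call detail records most PBXs can export. The following is an added example written for this page, not SRM’s or any vendor’s tool. It assumes a plain comma-separated export of timestamp, originating extension, dialled number and duration, UK-style dialling (00 for international, 09 for premium rate) and a Monday-to-Friday 08:00–18:00 working day; all of these are assumptions, and the records are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Constructed sample call detail records (CDRs), not real data:
# timestamp, originating extension, dialled number, duration in seconds.
SAMPLE_CDR = """\
2015-12-24 14:02:11,201,01912345678,95
2015-12-24 23:41:05,305,00882123456789,610
2015-12-24 23:43:20,305,00882123456789,598
2015-12-24 23:47:51,305,0090512345678,720
2015-12-25 00:05:12,305,00882123456789,640
2015-12-25 00:11:44,305,0905512345,300
2015-12-25 09:15:30,108,02071234567,120
"""

# Assumptions for this example: UK-style dialling, where 00 starts an
# international call and 09 a premium-rate number, and a 08:00-18:00
# Monday-to-Friday working day. Adjust to your own numbering plan and hours.
INTERNATIONAL_PREFIX = "00"
PREMIUM_RATE_PREFIX = "09"
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)


@dataclass
class Call:
    when: datetime
    extension: str
    dialled: str
    seconds: int


def parse_cdr(text: str) -> list[Call]:
    """Parse the four-field CSV export into Call records, skipping blank lines."""
    calls = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ext, number, secs = line.split(",")
        calls.append(Call(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ext, number, int(secs)))
    return calls


def is_high_cost(call: Call) -> bool:
    """International or premium-rate destinations are where dial-through fraud makes its money."""
    return call.dialled.startswith((INTERNATIONAL_PREFIX, PREMIUM_RATE_PREFIX))


def is_out_of_hours(call: Call) -> bool:
    """True at weekends or outside the configured working day."""
    if call.when.weekday() >= 5:
        return True
    return not (BUSINESS_START <= call.when.time() < BUSINESS_END)


def out_of_hours_high_cost(calls: list[Call]) -> list[Call]:
    """Calls that a provider-side bar would normally stop: expensive destinations while the business is closed."""
    return [c for c in calls if is_high_cost(c) and is_out_of_hours(c)]


def burst_extensions(calls: list[Call], threshold: int = 3, window_minutes: int = 60) -> dict[str, int]:
    """Extensions placing `threshold` or more high-cost calls within any rolling window.
    Returns {extension: largest number of high-cost calls seen in one window}."""
    by_ext = defaultdict(list)
    for c in calls:
        if is_high_cost(c):
            by_ext[c.extension].append(c.when)
    window = timedelta(minutes=window_minutes)
    bursts = {}
    for ext, times in by_ext.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):  # sliding window over the sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[ext] = best
    return bursts


def analyse(cdr_text: str, threshold: int = 3, window_minutes: int = 60) -> dict:
    """Run both checks over a CDR export and return the findings."""
    calls = parse_cdr(cdr_text)
    return {
        "out_of_hours_high_cost": out_of_hours_high_cost(calls),
        "bursts": burst_extensions(calls, threshold, window_minutes),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_CDR)
    for c in result["out_of_hours_high_cost"]:
        print(f"OUT-OF-HOURS high-cost call: ext {c.extension} -> {c.dialled} at {c.when} ({c.seconds}s)")
    for ext, n in result["bursts"].items():
        print(f"BURST: ext {ext} placed {n} high-cost calls within 60 minutes")
```

Run daily against the previous night’s export and the overnight cluster of international calls from a single extension stands out immediately, rather than surfacing weeks later on the bill. The burst check is deliberately independent of the working-hours check so that daytime abuse of a compromised extension is also caught.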

Landmark US legal case to make cybersecurity specialists accountable

In a landmark case, Affinity Gaming is seeking $100,000 in damages from its cybersecurity provider Trustwave over how the company allegedly handled a data security breach which cost the casino operator $1.2 million.

If successful, this legal action in the US may have implications here in Britain, with the potential to make cyber security professionals operating under US law fully accountable to their clients. We at SRM have no issue with this. All cybersecurity professionals should welcome scrutiny and we would certainly be happy for any potential clients to review our track record in the investigation and containment of data security breaches. As an industry it is important that we are vigilant at all times and companies operating in this field should maintain a forensic and meticulous approach throughout any investigation.

The lawsuit has been filed in the US District Court in Nevada, the base and headquarters of Affinity. As reported in The Financial Times, Trustwave was engaged by Affinity to investigate and contain a data breach which exposed the data of up to 300,000 of its customers.

Affinity claims that, while Trustwave was investigating the initial data breach, a second cyberattack took place. They allege that the security company missed this additional attack, declaring at the time that the threat had been contained. And although Affinity had a $5 million cyberinsurance policy in place, they spent $1.2 million on dealing with the breaches. The company is seeking $100,000 in damages from Trustwave.

The landmark lawsuit opens up fresh avenues of liability when it comes to cybersecurity, cyberattacks and data breaches. Until now, when cybersecurity specialist companies have been brought in following a data breach, the companies that engaged them would usually take all necessary steps to appease customers, but would also take the financial hit and the loss of reputation that resulted. There has not been, until now, a case where a cybersecurity specialist was embroiled in a legal battle over how they had handled and contained a security issue.

Affinity says that it “takes seriously its data security obligations” and had regarded finding a specialist with data breach response expertise to be of “paramount importance.” Trustwave has an international presence with offices in Chicago, São Paulo, London and Sydney. However, Affinity is said to have been disappointed with the firm’s performance.

Soon after Trustwave had finished its investigation into the data breach in 2013, claiming that it had been contained, Affinity discovered that its data systems were still compromised. They hired a second cybersecurity consultancy to perform penetration testing, at which point further suspicious activity was identified in the form of a malware program called “Framepkg.exe,” which, it is claimed, Trustwave had found but not contained, or sought to remediate, during its investigation.

Trustwave denies any negligence on its part and a spokesperson said: “we dispute and disagree with the allegations in the lawsuit and we will defend ourselves vigorously in court.” We await the verdict of the court with interest.

Kane Cutler: youngest PFI in the world

Newcastle-based Kane Cutler becomes youngest cybercrime expert drafted into exclusive Payment Card Industry investigation team

Newcastle-based Kane Cutler has been accepted by the Payment Card Industry Security Standards Council (PCI SSC) as a Payment Card Industry Forensic Investigator (PFI). At 26 years old, Kane is one of the youngest, if not the youngest, PFIs in the world to hold this exclusive accreditation. Only three companies in the UK operate in this field, and Security Risk Management (SRM), which Cutler joined in early 2015, is one of these. He joins fellow SRM consultants Chris McGee and Andrew Linn in this select field.

Kane’s new role puts him at the frontline in investigating cybercrime. At the request of the PCI, his forensic investigation work will often deal with theft, either of significant sums from online transactions or of personal data, putting individuals at risk of a host of other fraud issues. He is also likely to be called upon to deal with major incidents of data theft such as those recently suffered by TalkTalk and Wetherspoons.

To become a PFI, you must be a PCI Data Security Standard Qualified Security Assessor (QSA) which requires 5 years’ industry experience. In addition to this, Cutler is an experienced Information Security Officer and Penetration Tester and has significant experience working with the ISO 27001 standard as both an implementer and as an auditor, including identifying risks and implementing remediation recommendations within an Information Security Management System (ISMS).

As an Information Security Consultant with SRM, Kane Cutler is also responsible for diagnosing and remediating any issues that arise in relation to firewalls, protection software, web filters, mail filters, DNS infrastructure, application testing, and intrusion detection systems.

SRM Director Brian Fenwick, who was responsible for recruiting Kane, commented: “As a North East based company with consultants based nationwide we were delighted to recruit Kane in the North East and to assist him to broaden his cyber security expertise. Kane has joined a cutting edge Cyber Security company that has the intention to be at the head of PCI Forensic Investigation in Europe.”

SRM Blog