Hacking Incident Big, But Not Necessarily Uncommon

The hacking incident at card transaction processor CardSystems Solutions Inc. that put as many as 40 million accounts at risk for fraud may be notable for its sheer scope. But experts around the industry aren't surprised that such an attack could occur, and they hope this latest incident spurs the financial-services industry to take steps to shore up its data security.

"Unfortunately, too many companies factor in the need for absolute evidence and the lowest possible cost for protection," says Ted Crooks, VP of global fraud solutions at Fair Isaac Corp., which provides customer-data-analytics services, including credit rating. "This event was scary, but I wasn't bowled over with surprise, and it could have been avoided."

Details on the CardSystems attack are still sketchy, but experts around the industry say that it's likely someone lay in wait for a long time before striking. The attackers also knew details about CardSystems' business processes and apparently struck at just the right card-processing time. Once the data was grabbed, even automated tools might not have caught the outgoing information.

"Traditional security is good at building walls, but that's hard for any company to live up to," says Eric Ogren, VP of marketing at Tizor Inc., a security software vendor. "Companies should try and look at all suspicious activity, like time of day, large amounts of data, or some unusual originating place." He says the attackers could use encrypted reverse tunnels to move the information out, and there's currently no way to view that. "That's how the attacks happen 95% of the time," he says.

It's much harder to track hackers when they go into reconnaissance mode, after they've taken over the system of a remote user, another security vendor executive says. "Users aren't protected by the castle wall, and it's increasingly hard to keep bad people out because we're communicating with so many other companies and partners," says Jonathan Bingham, president at Intrusic Inc., which develops software for detecting and investigating IT-system intrusions. Some of these incidents might not have come to light were it not for a California law that requires consumers to be notified when their personal data is compromised, he says. "Kudos to California for pushing this problem out into the open, because it's happened to other companies who just don't report it."

Crooks at Fair Isaac said this incident should be evaluated separately from other recent highly publicized cases of lost data, such as last month's incident in which backup tapes containing information on 3.9 million Citigroup customers was lost in transit. "Losing tapes is like money falling out of your pocket," he says. "This event was like getting mugged. It's a crime."