Case In Point

Inaction Caused Costly Hacking At Large Retailer

Date: November 1, 2008
read time: 14 mins
Hackers penetrated a large retailer's central database and stole at least 45 million credit card and debit card numbers along with 456,000 customers' personal information. Fraudulent charges approaching $100 million appeared around the world. The worst part? The company essentially rolled out the red carpet to the hackers by not installing industry-standard safeguards.  
 
This article is excerpted and adapted from "Computer Fraud Casebook: The Bytes that Byte," edited by Joseph T. Wells, CFE, CPA, to be published in January, 2009 by John T. Wiley & Sons Inc. 
 
According to nationwide news reports, hackers pointed a telescope-shaped antenna toward a U.S. retail store. A laptop computer helped decode data streaming through the air among handheld inventory management devices, cash registers, and store computers. From there, the hackers found their way into the company's central database at its headquarters more than 1,000 miles away. The hackers' entry point was an outdated wireless network connected to a computer system plagued with a host of data security shortfalls. 
 
What followed was one of the biggest data-security breaches in history. At least 45 million credit card and debit card numbers were stolen, along with approximately 456,000 customers' driver's license, state, or military identification (personal ID) numbers with accompanying names and addresses. Many of the personal ID numbers were the same as the customers' Social Security numbers. 
 
The hackers sold much of the stolen data on Web sites used to traffic stolen information. One cardholder's account experienced unauthorized transactions at a large discount store and at online vendors. Another account had $45,000 in fraudulent charges for gift cards. Fraudulent charges approaching $100 million surfaced throughout the United States and as far away as Mexico, Italy, Sweden, Thailand, China, Japan, and Australia. 
 
At the heart of the data breach is RackCo, a major U.S. retailer. (All names have been changed in this article.) RackCo is the parent company of several store chains with, collectively, more than 2,000 retail locations throughout the United States. The business boasts $17 billion in annual sales worldwide.
 
At first blush, RackCo appears to be a helpless victim of a highly specialized gang of data thieves. But a closer look shows that, because of numerous violations of core data security standards, the company essentially invited the hackers in. As a result, the fraudsters methodically stole data from RackCo's computer system within a year and a half. 
 
(I'm an attorney involved in litigation against RackCo. In light of my role in the litigation, this case study is limited, by necessity, to publicly available information. The data breach was high-profile, so there's much information in major national media. I don't attest to the accuracy of the information from which this article is drawn.) 
 
REALITY CHECK 
During the period when hackers were accessing RackCo's system, a routine audit at the company revealed many security problems, such as outmoded encryption, missing firewalls, and missing software patches.
 
Three months later, another auditor noticed suspicious software on RackCo's network and anomalies in the company's credit card data. That prompted RackCo to conduct an internal investigation and hire two large forensic consulting firms to assist. Within three days, the investigation revealed that RackCo's computer system had suffered a massive intrusion by the hackers who continued to maintain access to the system, which suggested they could be caught in the act. 
 
RackCo notified the Department of Justice, Secret Service, U.S. Attorney's Office, and later, the FBI, all of whom played active roles in the investigation. 
 
SHODDY SECURITY 
An investigation reportedly showed that the hackers were able to gain illicit access because RackCo's wireless network used a flawed and outdated encryption system called Wired Equivalent Privacy (WEP), a protocol highly susceptible to intruders.
 
The outdated technology reportedly provided less security for the company's wireless network than many people have on their home networks. After the hackers intercepted RackCo's wireless system and cracked the encryption code, they digitally eavesdropped on employees logging into RackCo's central database at its headquarters, which allowed them to steal usernames and passwords. This enabled them to enter RackCo's system remotely from any computer on the Internet. By using Web addresses of private individuals and public places, such as coffee houses, the hackers were able to hide their whereabouts. 
 
The hackers set up their accounts in RackCo's system and saved credit and debit card data into about 100 large files for their access. They stole roughly 83 gigabytes of cardholder data, which was transferred from RackCo's system to an Internet site in California. (One gigabyte of data equals roughly 65,000 pages of Microsoft Word text. Therefore, the hackers stole the equivalent of 5.4 million pages of text.) 
 
The hackers left traces such as altered computer files, suspicious software, and mixed-up data involving timestamps in the wrong order. They also left encrypted messages to each other on RackCo's system to communicate those files that had already been copied and to avoid duplicating work. 
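Two of the traces described above (logins to the headquarters database from arbitrary Internet addresses using stolen credentials, and log entries whose timestamps run in the wrong order) are exactly what a routine log review is meant to surface. The following is an added example of such a review, not code from the article or from the retailer it describes; the log format, the user names and the "internal" address ranges are constructed, and the external addresses are reserved documentation ranges.

```python
"""
Review a database authentication log for two warning signs:
  1. successful logins from addresses outside the company network, and
  2. entries whose timestamp is earlier than the preceding entry.

Added example, not from the original article. The log layout, users,
and address ranges are constructed for illustration.
"""
import ipaddress
import re
from datetime import datetime
from typing import List, Optional, Tuple

# Assumed internal address space (constructed); adjust to the real estate.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed log format: ISO timestamp, host, "login", user, source, result.
LOG_RE = re.compile(r"^(\S+) (\S+) login user=(\S+) src=(\S+) result=(\w+)$")

# Constructed sample entries. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, so they never belong to the internal network above.
SAMPLE_AUTH_LOG = """\
2006-07-14T09:00:12 db-hq login user=clerk01 src=10.20.4.15 result=ok
2006-07-14T09:03:40 db-hq login user=clerk01 src=10.20.4.15 result=ok
2006-07-14T22:17:05 db-hq login user=clerk01 src=203.0.113.44 result=ok
2006-07-14T21:58:31 db-hq login user=svc_batch src=10.1.1.9 result=ok
2006-07-15T02:41:19 db-hq login user=clerk01 src=198.51.100.7 result=fail
"""

Record = Tuple[datetime, str, str, ipaddress.IPv4Address, str]


def parse_line(line: str) -> Optional[Record]:
    """Split one log line into (timestamp, host, user, source address, result)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unrecognised line; a real review would count these too
    ts = datetime.fromisoformat(m.group(1))
    return ts, m.group(2), m.group(3), ipaddress.ip_address(m.group(4)), m.group(5)


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def review_auth_log(text: str) -> List[str]:
    """Return one human-readable finding per suspicious entry."""
    findings: List[str] = []
    prev_ts: Optional[datetime] = None
    for n, line in enumerate(text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None:
            continue
        ts, host, user, src, result = rec
        # Sign 1: a successful login from outside the company network.
        if result == "ok" and not is_internal(src):
            findings.append(
                f"line {n}: {user} logged in to {host} from external address {src}"
            )
        # Sign 2: the clock ran backwards, which in an append-only log
        # points at tampering or a rewritten file.
        if prev_ts is not None and ts < prev_ts:
            findings.append(
                f"line {n}: timestamp {ts.isoformat()} is earlier than the "
                "preceding entry (possible log tampering)"
            )
        prev_ts = ts
    return findings


if __name__ == "__main__":
    for finding in review_auth_log(SAMPLE_AUTH_LOG):
        print(finding)
```

On the constructed sample the review flags the external login on line 3 and the backwards timestamp on line 4; the failed external attempt on line 5 is not reported by the first check, which a stricter policy could change to report failures as well.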
 
RackCo had encrypted some of the stolen data. However, the hackers had access to the decryption tool for the encryption software. They stole credit and debit card data that RackCo routinely stored on its system for lengthy periods of time - long-term storage violated credit card industry rules. 
 
The fraudsters also lifted credit and debit card information as customers waited in line for their transactions to be processed and approved by their card-issuing banks. To do this, they installed a traffic capture program called a "sniffer" on RackCo's network, which captured cardholder data as it was transmitted during the purchase process in an unencrypted format. 
 
Investigators believe the hackers' style of operation had the hallmarks of Romanian hackers and Russian organized crime groups. These gangs are known for scoping out the least secure targets and methodically intruding, in contrast to other types of hackers who often enter and exit quickly and clumsily and leave a telltale trail. 
 
CARD-CARRYING CROOKS 
The hackers stole at least 45 million credit and debit card numbers with accompanying expiration dates. The exact number of affected cards couldn't be pinpointed because, before RackCo discovered the intrusion, it had deleted much of the illicitly accessed information in the normal course of business. The hackers also used deletion technology, which made it virtually impossible to determine the contents of much of the data. Nearly 100 million credit and debit card transactions occurred during the at-risk period. 
 
The stolen information included full "Track 2" data obtained from the cards' magnetic stripes. This includes such sensitive information as a card's 16-digit account number, expiration date, and other discretionary information that banks might include such as issuance date and country code. Fortunately, it does not contain a cardholder's name and address. 
 
A number of the credit and debit card numbers were expired at the time of the theft, but that didn't eliminate the risk; expired cards are often renewed with the same card number. Identity thieves use guesswork and the process of elimination to determine the new expiration dates. 
 
Electronic footprints showed that the hackers broke in during peak sales periods to capture large quantities of data. 
 
FACING LEGAL ACTION 
Roughly one month after the breach was detected, RackCo notified its customers and the general public about the intrusion. In a press release, RackCo stated that the company had identified certain customer information stolen from its system, but that the full extent of the theft was unknown. The intrusion involved data from credit card, debit card, check, and merchandise return transactions in the United States, Canada, and possibly the United Kingdom, and Ireland. RackCo provided lists of credit card numbers affected by the breach to credit card companies, which then notified card-issuing banks, which notified customers. 
 
The announcement triggered intense media coverage in the United States and abroad. RackCo quickly fell under heavy criticism, mostly for failing to protect customers' data but also for waiting until after the busy holiday shopping season - mid-January of 2007 - to disclose the breach when it had detected the fraud in mid-December. 
 
Soon after RackCo's announcement, class action lawsuits were filed against the company on behalf of two groups of plaintiffs. The first group included customers whose personal data was stolen. The second group included card-issuing banks that incurred costs to issue replacement cards, reimburse fraudulent charges on customers' accounts, and monitor accounts for fraud. 
 
The Federal Trade Commission (FTC), attorneys general from several states, and Canadian regulators also investigated RackCo for possible violations of consumer protection laws. 
 
Thus far, RackCo has reserved $250 million to perform the internal investigation, upgrade its computer system, respond to government investigations, defend itself in litigation, and pay settlement-related costs. 
 
ELUSIVE HACKERS 
Despite intense investigations by the U.S. Secret Service, FBI and others, the main hackers still haven't been caught almost two years after the fraud was discovered. But several downstream users of the stolen credit and debit card numbers have been arrested. 
 
Investigators believe the hackers operated in organized rings that sold stolen information on the Internet. They likely sought out middlemen to buy large quantities of the pilfered data, who in turn re-sold the data to others in smaller, more customized batches. The credit card information was probably packaged based on credit limits, expiration dates, issuer bank, and other factors. 
 
A 24-year-old Ukrainian man was arrested in Turkey for pushing some of the card numbers. He allegedly obtained the data from the RackCo hackers through online forums and anonymous Web sites commonly used to traffic stolen information. He then sold the data to end-users using similar Web sites. The prices he charged for the cards ranged from $20 to $100 each. He sold the card numbers in batches of up to 10,000. 
 
Months before the Ukrainian man's arrest, a group of end-users in Florida were caught using certain card numbers stolen from RackCo. Some of the card numbers they held were purchased from the Ukrainian man. Their method of operation was to transfer the data onto blank credit cards made to look like real credit cards using printing and encoding equipment which is relatively easy to legitimately obtain. Then, in a modern-day version of money laundering, they used the fake cards to buy gift cards as high as $400 at various big-box stores throughout Florida. The gift cards enabled them to purchase store merchandise such as jewelry and electronics. In some cases, the crooks later returned the merchandise for cash. 
 
Initially, their plan was quite successful and resulted in roughly $8 million in fraudulent charges. But the group was caught when attentive retail employees became suspicious of the high volume of gift card activity. One staff member wrote down the license plate number of a car driven away by three members of the group, which investigators were able to trace to one of the fraudsters. Employees also retrieved video images of two of the men from store cameras, both positively matched to driver's license photos and photos in a database of store club members. In all, eight people in the ring were arrested. Several of them have pleaded guilty to fraud-related charges. Their leader was sentenced to five years in prison.
 
THE INCOMPETENCE WITHIN 
An investigation at RackCo reportedly revealed the following: 
  • RackCo failed to comply with parts of nine of the 12 Payment Card Industry (PCI) Data Security Standards, which are core security measures required in the credit card industry. 
  • The company used deficient and outdated wireless technology, like WEP wireless, rather than the more secure type, Wi-Fi Protected Access (WPA). 
  • RackCo improperly configured its wireless network. 
  • RackCo improperly stored and retained cardholder data, against regulations. Merchants have been forbidden from storing Track 2 data for over a decade because, if stolen, it's relatively simple to create a counterfeit card. 
  • RackCo didn't segregate from the rest of its network the devices it used to store, process, and transmit cardholder information. 
  • User names and passwords that RackCo employees used weren't secure; in some instances, passwords matched user names. 
  • Intrusion detection processes were improper. 
  • Firewall protection was flawed. 
  • Software patches were inadequate. 
  • Computer access and activity logs weren't properly maintained and reviewed. 
  • Anti-virus protection was not up-to-date. 
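The "Track 2" data described earlier (account number, expiration date, service code and issuer discretionary data between the card's start and end sentinels) is the item the list above says merchants may not retain. The following is an added example of a data-at-rest check for that rule, not code from the article or the retailer; it scans stored records for the Track 2 layout, uses the card networks' mod-10 (Luhn) check to discard random digit runs, and reports only a masked account number. The sample records are constructed and the account numbers are standard test numbers, not real accounts.

```python
"""
Detect full Track 2 card data in stored records, the kind of retention
the card-industry standards forbid.

Added example, not from the original article. The stored records below
are constructed and use publicly known test account numbers.
"""
import re
from dataclasses import dataclass
from typing import List

# ISO 7813 Track 2 layout: ';' start sentinel, account number (13-19 digits),
# '=' separator, YYMM expiry, 3-digit service code, issuer discretionary
# data, '?' end sentinel.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")


@dataclass
class Track2Finding:
    line_no: int
    masked_pan: str
    expiry_yymm: str
    service_code: str
    discretionary_len: int


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit test; filters out arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, as the standards allow."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track2(text: str) -> List[Track2Finding]:
    """Report every stored record that still carries full Track 2 data."""
    findings: List[Track2Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in TRACK2_RE.finditer(line):
            pan, yy, mm, svc, disc = m.groups()
            if not luhn_ok(pan):
                continue  # not a plausible account number; skip it
            findings.append(
                Track2Finding(line_no, mask_pan(pan), yy + mm, svc, len(disc))
            )
    return findings


# Constructed sample of what a retained transaction log might contain.
# Line 1 holds full Track 2 for a test card; line 2 fails the mod-10 check;
# line 3 keeps only the last four digits, which is permitted.
SAMPLE_STORED_RECORDS = """\
2008-10-31 14:02:11 POS-12 AUTH ;4111111111111111=25121010000012345?
2008-10-31 14:02:45 POS-12 AUTH ;4111111111111112=25121010000012345?
2008-10-31 14:03:02 POS-07 SETTLE batch=4471 amount=129.99 last4=1111
"""

if __name__ == "__main__":
    for f in scan_for_track2(SAMPLE_STORED_RECORDS):
        print(
            f"line {f.line_no}: full Track 2 retained for {f.masked_pan} "
            f"(expiry {f.expiry_yymm}, service code {f.service_code}); "
            "this must not be stored after authorization"
        )
```

Run over a database export or log archive, a scanner of this shape gives an auditor the same kind of evidence the retailer's own review produced, without itself copying the sensitive values anywhere: only the masked number and the field lengths leave the function.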
 
Notably, RackCo knew about its problems for years but failed to address them. More than two years before the data breach was detected, the company reportedly received a report outlining its noncompliance with several data security standards. Some of the shortfalls were major security risks, but the company still didn't take precautions. 
 
The decision to forgo suggested improvements to RackCo's wireless technology was made at the company's highest ranks. More than a year before detecting the breach, RackCo's chief information officer sent an e-mail to IT staff acknowledging that "WPA is clearly best practice." Nevertheless, the CIO said, "I think we have an opportunity to defer some spending from [next year's] budget by removing the money for the WPA upgrade." 
 
Shortly thereafter, another RackCo employee circulated an e-mail stating that "the absence of rotating keys in WEP means that we truly are not in compliance with the requirements of PCI. This becomes an issue if this fact becomes known and potentially exacerbates any findings should a breach be revealed." 
 
Despite the known security risk, RackCo refused to upgrade from WEP to WPA. The decision proved devastating. 
 
THE CANADIAN REGULATORS' INVESTIGATION 
Canadian regulators investigated the data breach at RackCo for eight months. They published a report of their findings and recommendations. 
 
Regulators found that, at the time of the initial breach, RackCo used outdated WEP wireless encryption technology in its retail stores. At least two years before, computer security experts began widely criticizing WEP as an insecure wireless technology. In fact, the organization that originally developed WEP technology recommended it be upgraded to WPA. Several months after the initial breach - before it was discovered - RackCo finally decided to upgrade to WPA wireless technology. However, the upgrade took two years to complete, while the hackers continued to access RackCo's system. 
 
At the investigation's conclusion, regulators deemed the recording and storage of customers' driver's license, state, and military identification numbers excessive and unnecessary. Instead, RackCo should have used less sensitive identifiers, such as telephone numbers.
 
LESSONS LEARNED 
The significance of complying with industry security guidelines - PCI standards - can't be overstated. Many retailers don't adhere. However, RackCo pushed the line, failing to comply with parts of nine of the 12 PCI standards. That 75 percent non-compliance rate is much higher than the average retailer's.
 
RackCo knew of its noncompliance long before the data breach was discovered. If the company had been more aggressive, it might have avoided one of the largest data breaches in history. 
 
Businesses should be mindful when weighing the cost versus benefit of upgrading data security. As a starting point, decision makers should consider the likelihood of a data breach, its data sensitivity and quantity, and the possible consequences of a breach. In this instance, the probability of a breach was high due to the number of violated PCI standards. RackCo's security shortcomings occurred continuously for several years, which increased the window of opportunity for an intrusion. The quantity of stored data was massive because RackCo had a high volume of credit card sales and stored much of its customers' data for lengthy time periods. RackCo suffered investigation and litigation expenses and loss of customer goodwill. 
 
Decision makers at RackCo should have weighed these concerns against the financial costs to upgrade data security. RackCo's CIO expressed budgetary concerns over upgrading security; however, the costs were negligible in light of RackCo's strong financial position. The company's net income exceeded $500 million - half a billion dollars - in each of the five years before the breach was discovered. Furthermore, the company's assets far exceeded its liabilities in each of those years. Money wasn't an issue. A more careful cost-benefit analysis might have led to the decision to improve data security.
 
Another lesson learned is that hacking and lax data security cast a wide net. Victims included RackCo, its customers, card-issuing banks, and credit card associations among others. RackCo suffered financial harm and damage to its reputation. The company reserved $250 million to fund its internal investigation, computer system upgrades, response to government investigations, litigation, and settlement-related costs. Also, its reputation suffered as customers understandably became wary about shopping there. 
 
RackCo's customers spent considerable time and money dealing with the breach. They were forced to closely monitor their credit card accounts and credit reports for fraud. They also spent time disputing fraudulent charges, canceling compromised credit cards, and switching electronic-payment links such as utility bills and other monthly services from old card numbers to new ones. Customers suffered out-of-pocket damages for things like fraudulent charges on their accounts (to the extent not reversed by banks), credit monitoring services, identity theft insurance, costs to open new checking accounts, fees to reorder checks, etc. Moreover, emotional harm such as stress, anxiety, and the continuing fear of identity theft affected customers. This is especially true for those whose personal ID information, which sometimes contained their Social Security number, was stolen. 
 
Other victims included the banks that issued credit and debit cards to RackCo's affected customers. Those banks incurred costs to reimburse fraudulent charges on cardholders' accounts (federal regulations generally limit cardholders' liability to $50 for unauthorized purchases - banks are forced to reimburse the cost of the fraudulent charges); replace compromised cards, which generally costs $5 to $20 per card; and monitor cardholders' accounts for fraud. 
 
RECOMMENDATIONS TO PREVENT FUTURE OCCURRENCES 
  • Comply with industry regulations. Complying with industry regulations is often easier said than done in light of inevitable budget concerns, limited personnel resources, and a host of other obstacles. However, at a minimum, companies should objectively assess their greatest security risks to identify and prioritize key areas for improvement.
  • Periodically examine the data security environment. Companies should consider a policy of periodically examining their data security environment. Perhaps an annual or semi-annual examination could be set with reviews scheduled at times of the year when operational and personnel resources are at their peak. Alternatively, a rotating schedule might work best, where different substantive or geographical areas of security are examined in turn. At the very least, some type of periodic review system should be implemented because computer hardware and software can become obsolete quickly.
  • Limit data collection and storage. Companies should limit data collection and storage to the minimum information required for business purposes. For example, is a Social Security number or driver's license number necessary? Would a phone number be a safer and equally effective alternative? Is a complete date of birth necessary, or would a birth year and month be sufficient? Sensitive identifiers and other information should be abandoned in favor of less risky ones.
 
TAKE DATA SECURITY SERIOUSLY 
In a nutshell, businesses should take data security seriously. Granted, the best hackers in the world can probably find a way to penetrate even the strongest data security environments, but that doesn't mean businesses should treat data security as a low priority. Here, perhaps a PCI-compliant system would have blocked their access to RackCo's data or at least convinced them to move on to a more vulnerable target. 
 
Jon J. Lambiras, J.D., CFE, CPA, FCLA, is an attorney in consumer and securities litigation at Berger & Montague PC in Philadelphia, Pa.    

The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced. 
