Since 2006, over 70 retailers and payment processors have disclosed breaches involving tens of millions of credit and debit card numbers, according to the Privacy Rights Clearinghouse.
As more and more small businesses comply with PCI DSS and consider their systems' resilience to attack, being hacked by a bad guy is still, as it should be, of utmost concern in the eyes of most business owners.
But what if your security expert is the one that puts you at risk? Would you know?
A business person runs a business. Regulations like PCI DSS and other security laws are increasingly making business owners responsible for ensuring the integrity of their computer systems and credit card data. While simple matters such as where to store paper credit card data, or ensuring systems are locked in an appropriate facility within the business, are fairly routine for a business owner to address, ensuring that computer systems are not only PCI-compliant but resilient to a hack goes beyond most business owners' expertise.
Most often a business will engage a 'security expert.' If a new system that could offer 'improved' security is required and deployed, most businesses rely on their POS (Point of Sale) vendor to set up the system in a secure manner, an arguably reasonable expectation.
Not so fast. Our forensics team was recently called in to perform an investigation for a small business owner in the Southeastern US that had been hacked. In reviewing the log files and performing our investigation, we uncovered a very disturbing fact: the third-party vendor had left behind information on the system detailing several other businesses in the region that were also under contract to that same vendor, including their passwords and computer configuration data.
It was, in this case, a POS vendor and not a security vendor that had performed the system's security setup. Attackers then used this information to access the other businesses named in the documentation the vendor had left behind. In each instance we found that the business had been set up uniformly and exactly like every other business on the list, which made all of them equally insecure. Additionally, every business had been set up with the exact same default passwords for each location, giving the attacker immediate administrative access to over 40 additional businesses.
There are reasons to be concerned about leaving your data security in someone else's hands. Your customers entrust your business to protect the information they share with you. Breaching that trust could mean less business and could be far more damaging than monetary consequences like paying a fine for a security breach or a noncompliance fee to Visa.
Picking your security vendor, and learning how your business can be more secure when working with a third-party security or other vendor, should be a critical decision for any business owner.
-Dave Ellis, Director, Forensic Investigations