How We Did It: The Case of the Credit Card Breach


Published on

For more information, please visit

Published in: Technology, Business
1 Comment
  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Much of the power in the Protegrity solution comes from way security policies capture all of the details on data protection within an organization. By bringing all of this information together in one place, the environment becomes quite simple to manage, with all of the requisite transparency security regulations require. We’ll see how each of these things are handled by DPS.
  • Key Talking Points: Opportunity to discuss the complexities and importance of protecting data throughout the enterprise – from acquisition to archive or deletion. This slide builds on the previous graphic which introduced Protegrity’s ‘comprehensive’ Solutions and prepares for the next slide which discusses the different data protection options provided by Protegrity. [1] Collection Begin to paint the ‘real-life’ picture about data being collected from multiple access points (Web, POS, remote locations, applications, etc.). Point out that the data being collected may also have already been encrypted using different ‘keys’ from different systems. Explain that Protegrity provides an API to help bring that diverse information together for aggregation. [2] Aggregation Continue painting the data flow process by explaining the need to protect and ‘normalize’ the data coming from multiple ‘key zones’ into one protected ‘key zone’ that prepares the data to advance to the necessary operational systems for use within the organization. These operational systems may also have their own separate ‘zone’ requirements. Explain that Protegrity can provide both database and application protection at this stage of the data flow process within the organization. Key management becomes increasingly important. [3] Operations Continue defining the data flow process by highlighting the complexity of managing the data and associated data security keys at the operational level, which may contain many different applications, databases and technologies that rely on independent data protection. Explain that Protegrity can provide ‘homogeneous’ data protection across those operational environments by leveraging database, file and application level protection, depending on their requirements and technology landscape. [4] Analysis Continue the data flow discussion by introducing the data flowing into the data warehouse. Mention the need to be able to protect the sensitive data at the column level, due to the potential volumes of data that might exist within these large data warehouses. Also mention the additional need for high performance and scalability, due to the business analysis that is derived from the DW. Explain that Protegrity provides database protection for some of the largest data warehouses, across most industries. This is a great time to introduce our Teradata relationship and the value proposition Protegrity brings to the TD EDW. [5]Storage Complete the ‘from acquisition to archive or deletion’ data flow by highlighting the need to eventually off-load and store the large volumes of historical collected data, outside of the data warehouse for efficiency purposes -- but in a protected environment. (You might mentions some wars stories about tapes falling off the back of a truck, at this point). Explain that Protegrity can provide a secure archived environment, by protecting data that has been encrypted throughout the organization and storing it in their preferred back-up devices using Protegrity’s database and file protection capabilities. Most importantly, the data in these archived systems can be restored if and when necessary . Finally, reintroduce the importance of having a centralized and comprehensive key management system to manage the encryption and decryption process at each stage of the enterprise data flow. Additionally, it is a great time to re-introduce the concept of Risk Adjusted Data Security and the need for having multiple methods to secure the data across each stage. It also will bridge to the next slide.
  • How We Did It: The Case of the Credit Card Breach

    1. 1. How We Did The Investigations “ The Case of the Credit Card Breach” Brought to you by and
    2. 2. We’re Getting A Lot of Questions … <ul><li>Hi Everybody, </li></ul><ul><ul><li>We’re the brains behind the scenes and wanted to answer your questions about “how we solved the credit card breach so fast.” </li></ul></ul><ul><ul><li>This little write-up will give you an idea of our client’s architecture and some details of the BI and security screens. </li></ul></ul><ul><ul><li>Take a look, and if you still have questions, shoot them to us! </li></ul></ul><ul><li> Yours truly, </li></ul><ul><li>Neuman Hitchcock and Lola Douglas </li></ul>BSI Level 3 LOLA DOUGLAS
    3. 3. We’ve Got a Problem! <ul><li>The case started when department store Taylor & Swift’s (T&S) clearing bank, Grassroots, started getting calls after the monthly bills went out about fraudulent credit card charges. Grassroots noticed that the calls were coming from T&S white label credit card holders. Grassroots CEO called the T&S CEO, who handed the problem to the T&S CSO – Chief Security Officer, Bob Shield </li></ul><ul><li>The bank provided the list of customer complaints to Taylor & Swift </li></ul>Bob Shield, CSO Leslie Oakwood Taylor & Swift CEO John Howard CEO, Grassroots Bank
    4. 4. Chief Security Officer Bob Shield Hires 2 BSI Investigators to Help <ul><li>Frazier McDonald </li></ul><ul><ul><li>Overall Systems Architecture </li></ul></ul><ul><ul><li>Vulnerability Analysis </li></ul></ul><ul><ul><li>Fast worker, good hunches </li></ul></ul><ul><li>Lola Douglas </li></ul><ul><ul><li>Security Expert </li></ul></ul><ul><ul><li>Numerous past security cases </li></ul></ul><ul><ul><li>Ex-FBI, high-energy </li></ul></ul><ul><li>For more information about </li></ul><ul><li>all Cast members, see BSI </li></ul><ul><li>Facebook / Photos </li></ul>BSI Level 3 LOLA DOUGLAS BSI Teradata Level 3 FRAZIER McDONALD
    5. 5. Taylor & Swift PCI DSS Security Audit Taylor & Swift passed an external PCI DSS audit that showed their systems to be compliant with the PCI DSS industry standard for protecting credit cards. Bob Shields gave a copy of the report to both Frazier and Lola to study
    6. 6. Taylor & Swift System Architecture (From PCI Audit) Lola notes that this is a common retail system architecture where credit card transactions collected at stores or the web flow through data centers to an EDW and ultimately to Back Up.
    7. 7. T&S’s Front-End (Store and Web, Data Center) Data Flow Processes and System Architecture T&S mini-batch loads POS data every hour to the data centers. Web transactions drop immediately into the data centers. The multiple data centers offer high availability as well as disaster recovery, in addition to workload balancing.
    8. 8. Taylor and Swift Back-Office Data Flows Data centers are used for inventory and ERP financial applications. Data flows at 1 hour intervals into Teradata for marketing and merchandising purposes.
    9. 9. Taylor & Swift Teradata Active Data Warehouse <ul><li>This company has </li></ul><ul><li>22.8M customers, of whom 38% have Taylor & Swift Credit Cards. Average Market Basket per trip is $65.34. Average shopper comes in 8.7 times per year. High loyalty scores. </li></ul><ul><li>Teradata </li></ul><ul><li>22 TB Active Data Warehouse at the fingertips </li></ul><ul><ul><li>2-node dev/test system, 5550s </li></ul></ul><ul><ul><li>6-node ADW system, with 2-node backup, 5 yrs of data </li></ul></ul><ul><ul><li>Teradata Retail Industry Logical Data Model - contains integrated enterprise data, including product purchases, customer, credit card data, billing, contact center, orders, web browsing and buying, call records, etc. </li></ul></ul><ul><ul><li>Right-time active data feeds from order entry, contact center, and web systems (< 2 hour latencies) </li></ul></ul><ul><li>For more info about Teradata, go to </li></ul>
    10. 10. <ul><li>Protegrity Data Security Policy: </li></ul><ul><li>What is the sensitive data that needs to be protected? </li></ul><ul><ul><li>PROTEGRITY: T&S needs to protect the sensitive credit card information as it flows throughout the enterprise from acquisition to deletion. </li></ul></ul><ul><li>Who should have access to sensitive data and who should not? </li></ul><ul><ul><li>PROTEGRITY: The security officer can set the policy. At T&S only two Security Directors have access to the information at all times. Others have limited access as defined in the policy. </li></ul></ul><ul><li>How do you want to protect sensitive data? </li></ul><ul><ul><li>PROTEGRITY: T&S protects the information wherever the sensitive data flows with strong encryption from the Protegrity Data Security Platform. </li></ul></ul><ul><li>Where should sensitive data access be granted to those who have access? </li></ul><ul><ul><li>PROTEGRITY: Access to sensitive data is set in the policy. Although people may have access to the data, it is not in the clear at rest or in transit. </li></ul></ul><ul><li>Where is the sensitive data stored? </li></ul><ul><ul><li>PROTEGRITY: The sensitive data originates at the store or from the web. Credit card transactions flow to the data centers for operational processing and data analysis and then to the archive. The sensitive data is protected at rest and in transit by Protegrity. </li></ul></ul>Policy Foundational Questions/Answers: Protecting Sensitive Data
    11. 11. Protecting the Enterprise Data Flow The typical retail merchant data flow is depicted in this diagram. Protegrity protects the sensitive data – credit cards in this case – from creation to archive. POS e-Commerce Branch <ul><li>Collection </li></ul><ul><li>Application Protection </li></ul><ul><ul><li>Protect data from collection to aggregation </li></ul></ul><ul><li>Aggregation </li></ul><ul><li>Database and Application Protection </li></ul><ul><ul><li>Change Security Zone, protect data at aggregation, distribute to different operational sys. on different zones </li></ul></ul><ul><li>Operations </li></ul><ul><li>Database, File and Application Protection </li></ul><ul><ul><li>Protect data in different security zones, and in different business applications and technologies </li></ul></ul><ul><li>Analysis </li></ul><ul><li>Database Protection </li></ul><ul><ul><li>High performance column level protection is required for these large analytical systems </li></ul></ul><ul><li>Storage </li></ul><ul><li>Database and File Protection </li></ul><ul><ul><li>Archive protected systems with the ability to restore </li></ul></ul>ESA Key Management
    12. 12. Lola Investigated the Front-End Systems Lola worked with the Store and Web IT Groups. The system had a full PCI audit review and approval. This led the team to investigate the Front-End Systems. All systems came out clean with no intrusions and the data is protected from the swipe through the point where the transaction data moves to the data centers.
    13. 13. Frazier Investigated the Back-End Systems Frazier worked with the back-end team to investigate how credit cards are handled in the back-end processing at the data centers. The back-end system also had a full PCI audit review and approval. The back-end systems came out clean with no intrusions and the data is protected inside the back-end systems.
    14. 14. Frazier Checked the Role - and Time-Based Security Access Controls That Were Set Up In the case of the Credit Card Field, Protegrity’s tool defined 2 roles – one with High clearance, and one with Low, with access permission to the data only for High clearance only during daytime working hours. Frazier found that the Protegrity policy controls that were initially set up were not changed – no security hole there.
    15. 15. Frazier Ran A Protegrity Detailed Report on the Card Number Column – Decrease was the Clue! Frazier dug into the Protegrity reports on key data elements. In this case, the Production Credit Card Number – and found a suspicious dip in the number of daily touches.
    16. 16. Frazier Inspected Credit Card Column Access Frazier drilled down on each of the repositories and found that the touches of the Credit Card data in the SQL Servers dropped to 0
    17. 17. Core Problem: IT Swapped Out Protected Operational Data Stores at the Data Center, Forgot to Protect Lola and Frazier had a call with the Data Center IT Manager and found out that the staging databases had been changed - from SQL Server databases to another 3 rd party database. No PCI audit was done after the switch and the new databases had not been protected.
    18. 18. Audit Logs in SQL Servers in the Data Centers Show Suspicious Activity by a DBA Lola went back to the Log activity on the unprotected system and found some unusual SELECT * activities on Orders and Customers. The queries were executed by a DBA at the Las Vegas Data Center by the name of Joe Nagle.
    19. 19. Records from DBA Query Matched the List Pull Against the Complaining Customers Frazier ran a query to JOIN the 500 records with the complaints with the credit card transactions. All customers who were breached had shown the fraudulent activity in the unprotected database. They all matched!
    20. 20. The Culprit: Joe Nagel, DBA Lola worked with the data center IT people to pull the security tapes to make sure Joe was working that day … here he is exiting the facility in the early morning hours. Bob then confiscated his PC and found customer credit card information on his laptop. NABBED!
    21. 21. Resolution: Customer and Technical <ul><li>Customer Actions </li></ul><ul><li>1. Immediate Telephone Calls: </li></ul><ul><li>To those who already complained </li></ul><ul><li>To those who may have issues </li></ul><ul><li>2. Letters sent out containing: </li></ul><ul><li>New Credit Cards, replacing old </li></ul><ul><li>Profuse Apologies and Free Coupons </li></ul><ul><li>3. Follow-up phone calls </li></ul><ul><li>Technical Action Plan </li></ul><ul><li>Install Protegrity to protect the Data Center </li></ul><ul><li>Call in Auditors to redo the PCI Audit </li></ul>Taylor & Swift Gold Leslie worked with the head of Marketing Communications to get an alert out Bob worked to fix the technical holes
    22. 22. Summary The Case of the Credit Card Breach Taylor & Swift experienced a major credit card breach, detected only when customers began complaining <ul><li>BSI explored 2 hypotheses: </li></ul><ul><li>External breach (hackers) </li></ul><ul><li>Internal breach (insiders) </li></ul>Drilling into the details exposed the real problem: Disgruntled employee Joe Nagel exploited the lack of protection on the Operational Data Stores at the Data Center to gain unauthorized access and sell data on the black market. CASE CLOSED
    23. 23. Learn More <ul><li>Is your company protected? </li></ul><ul><li>For more information about the </li></ul><ul><ul><ul><li>Active Enterprise Data Warehouse </li></ul></ul></ul><ul><ul><ul><li>Communications Industry Logical Data Model </li></ul></ul></ul><ul><ul><ul><li>Industry Analytic Solutions </li></ul></ul></ul><ul><li>With Protegrity, you can protect your data and your business. </li></ul><ul><ul><li>Protegrity provides Data Security Management Solutions that enable you to protect sensitive data. Sensitive data can be protected with encryption or tokenization techniques. Corporate Security Officers can control access to sensitive data through the data security policy. </li></ul></ul><ul><ul><ul><li> </li></ul></ul></ul><ul><li>Contact us to get started: </li></ul><ul><ul><ul><li>[email_address]   </li></ul></ul></ul><ul><ul><ul><li>[email_address] </li></ul></ul></ul>