How We Did It: The Case of the Credit Card Breach


Published in: Technology, Business

1. How We Did the Investigations: “The Case of the Credit Card Breach”. Brought to you by [sponsor logos not captured in the transcript]
2. We’re Getting a Lot of Questions …
  Hi Everybody,
    • We’re the brains behind the scenes and wanted to answer your questions about “how we solved the credit card breach so fast.”
    • This little write-up will give you an idea of our client’s architecture and some details of the BI and security screens.
    • Take a look, and if you still have questions, shoot them to us!
  Yours truly,
  Neuman Hitchcock and Lola Douglas
3. We’ve Got a Problem!
  • The case started when Grassroots, the clearing bank for department store Taylor & Swift (T&S), started getting calls about fraudulent credit card charges after the monthly bills went out. Grassroots noticed that the calls were coming from holders of T&S white-label credit cards. The Grassroots CEO called the T&S CEO, who handed the problem to the T&S Chief Security Officer (CSO), Bob Shield.
  • The bank provided the list of customer complaints to Taylor & Swift.
  Cast: Bob Shield, CSO; Leslie Oakwood, CEO, Taylor & Swift; John Howard, CEO, Grassroots Bank.
4. Chief Security Officer Bob Shield Hires Two BSI Investigators to Help
  • Frazier McDonald
    • Overall systems architecture
    • Vulnerability analysis
    • Fast worker, good hunches
  • Lola Douglas
    • Security expert
    • Numerous past security cases
    • Ex-FBI, high-energy
  For more information about all cast members, see BSI Facebook / Photos.
5. Taylor & Swift PCI DSS Security Audit
  Taylor & Swift passed an external PCI DSS audit that showed their systems to be compliant with the PCI DSS industry standard for protecting credit card data. Bob Shield gave a copy of the report to both Frazier and Lola to study.
6. Taylor & Swift System Architecture (From PCI Audit)
  Lola notes that this is a common retail system architecture, in which credit card transactions collected at stores or on the web flow through the data centers to an EDW and ultimately to backup.
7. T&S Front-End (Store and Web, Data Center) Data Flow Processes and System Architecture
  T&S mini-batch loads POS data to the data centers every hour. Web transactions drop into the data centers immediately. The multiple data centers offer high availability and disaster recovery, in addition to workload balancing.
8. Taylor & Swift Back-Office Data Flows
  The data centers are used for inventory and ERP financial applications. Data flows at one-hour intervals into Teradata for marketing and merchandising purposes.
9. Taylor & Swift Teradata Active Data Warehouse
  • This company has 22.8M customers, of whom 38% have Taylor & Swift credit cards. The average market basket per trip is $65.34. The average shopper comes in 8.7 times per year. High loyalty scores.
  • Teradata: 22 TB Active Data Warehouse at the fingertips
    • 2-node dev/test system, 5550s
    • 6-node ADW system, with 2-node backup, 5 years of data
    • Teradata Retail Industry Logical Data Model: contains integrated enterprise data, including product purchases, customer, credit card data, billing, contact center, orders, web browsing and buying, call records, etc.
    • Right-time active data feeds from order entry, contact center, and web systems (< 2 hour latencies)
  For more info about Teradata, go to
10. Policy Foundational Questions/Answers: Protecting Sensitive Data
  Protegrity Data Security Policy:
  • What is the sensitive data that needs to be protected?
    • PROTEGRITY: T&S needs to protect the sensitive credit card information as it flows throughout the enterprise, from acquisition to deletion.
  • Who should have access to sensitive data and who should not?
    • PROTEGRITY: The security officer sets the policy. At T&S only two Security Directors have access to the information at all times. Others have limited access as defined in the policy.
  • How do you want to protect sensitive data?
    • PROTEGRITY: T&S protects the information wherever the sensitive data flows, with strong encryption from the Protegrity Data Security Platform.
  • Where should sensitive data access be granted to those who have access?
    • PROTEGRITY: Access to sensitive data is set in the policy. Although people may have access to the data, it is not in the clear at rest or in transit.
  • Where is the sensitive data stored?
    • PROTEGRITY: The sensitive data originates at the store or from the web. Credit card transactions flow to the data centers for operational processing and data analysis, and then to the archive. The sensitive data is protected at rest and in transit by Protegrity.
11. Protecting the Enterprise Data Flow
  The typical retail merchant data flow is depicted in this diagram. Protegrity protects the sensitive data, credit cards in this case, from creation to archive. Diagram labels: POS, e-Commerce, Branch; ESA Key Management.
  • Collection: Application Protection
    • Protect data from collection to aggregation
  • Aggregation: Database and Application Protection
    • Change security zone, protect data at aggregation, distribute to different operational systems in different zones
  • Operations: Database, File and Application Protection
    • Protect data in different security zones, and in different business applications and technologies
  • Analysis: Database Protection
    • High-performance column-level protection is required for these large analytical systems
  • Storage: Database and File Protection
    • Archive protected systems with the ability to restore
12. Lola Investigated the Front-End Systems
  Lola worked with the Store and Web IT groups. The front-end systems had a full PCI audit review and approval, and the team investigated them first. All systems came out clean with no sign of intrusion, and the data is protected from the card swipe through to the point where the transaction data moves to the data centers.
13. Frazier Investigated the Back-End Systems
  Frazier worked with the back-end team to investigate how credit cards are handled in the back-end processing at the data centers. The back-end systems also had a full PCI audit review and approval. They came out clean with no sign of intrusion, and the data is protected inside the back-end systems.
14. Frazier Checked the Role- and Time-Based Security Access Controls That Were Set Up
  For the credit card field, Protegrity’s tool defined two roles, one with High clearance and one with Low. Only the High clearance has permission to access the data, and only during daytime working hours. Frazier found that the Protegrity policy controls that were initially set up had not been changed: no security hole there.
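The policy answers on slides 10 and 11 and the role- and time-based controls on slide 14 are easier to reason about in code. The following is an added example, not Protegrity's or T&S's code: column-level protection of the card number by vault tokenization (one of the two techniques slide 23 names; the scheme, the class names, the role names and the 08:00 to 18:00 daytime window are all assumptions), with a policy check on every read and an audit entry for both granted and refused reads.

```python
# Added illustration, not Protegrity code. Vault tokenization scheme, class
# names, role names and the 08:00-18:00 working-hours window are assumptions.
import secrets
from datetime import datetime, time

HIGH, LOW = "High", "Low"   # the two clearances defined on the card-number field


def _as_datetime(when):
    """Accept either a datetime or an ISO-8601 string such as '2011-03-07T10:30'."""
    return when if isinstance(when, datetime) else datetime.fromisoformat(when)


class TokenVault:
    """Vault tokenization (assumed scheme): the clear PAN is kept only here; every
    other repository holds a random token that keeps the last four digits so
    lookups and joins still work on the protected value."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan):
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13-19 digits")
        if pan in self._token_by_pan:        # same PAN -> same token, so joins stay consistent
            return self._token_by_pan[pan]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # reject the (tiny) chance of a collision or of a token equal to the PAN
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token):
        return self._pan_by_token[token]     # KeyError for a token the vault never issued


class CardPolicy:
    """Role- and time-based rule on the card-number field: only the High
    clearance may see the clear value, and only inside the working-hours window."""

    def __init__(self, start=time(8, 0), end=time(18, 0)):
        self.start, self.end = start, end

    def permits(self, role, when):
        return role == HIGH and self.start <= _as_datetime(when).time() < self.end


class ProtectedCardColumn:
    """Front door to the card-number column: every read is policy-checked and
    logged, whether granted or refused, so the audit trail shows both."""

    def __init__(self, vault, policy):
        self.vault, self.policy = vault, policy
        self.audit = []                      # (timestamp, role, last four, decision)

    def store(self, pan):
        return self.vault.tokenize(pan)

    def read(self, token, role, when):
        when = _as_datetime(when)
        allowed = self.policy.permits(role, when)
        self.audit.append((when.isoformat(), role, token[-4:], "ALLOW" if allowed else "DENY"))
        if not allowed:
            raise PermissionError(f"{role} clearance may not read card data at {when:%H:%M}")
        return self.vault.detokenize(token)


if __name__ == "__main__":
    col = ProtectedCardColumn(TokenVault(), CardPolicy())
    tok = col.store("4111111111111111")                  # constructed test PAN
    print("stored as token", tok)
    print("High, 10:30 ->", col.read(tok, HIGH, "2011-03-07T10:30"))
    for role, when in ((LOW, "2011-03-07T10:30"), (HIGH, "2011-03-07T02:15")):
        try:
            col.read(tok, role, when)
        except PermissionError as err:
            print("denied:", err)
    for entry in col.audit:
        print(entry)
```

Two design points matter for the investigation that follows: the same PAN always maps to the same token, so analytics and joins keep working on protected data, and a refused read is logged as loudly as a granted one, which is what makes a "touches" report meaningful.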
15. Frazier Ran a Protegrity Detailed Report on the Card Number Column: the Decrease Was the Clue!
  Frazier dug into the Protegrity reports on key data elements, in this case the production credit card number, and found a suspicious dip in the number of daily touches.
16. Frazier Inspected Credit Card Column Access
  Frazier drilled down on each of the repositories and found that the touches of the credit card data in the SQL Servers had dropped to zero.
17. Core Problem: IT Swapped Out the Protected Operational Data Stores at the Data Center and Forgot to Protect the Replacements
  Lola and Frazier had a call with the Data Center IT Manager and found out that the staging databases had been changed from SQL Server databases to another third-party database. No PCI audit was done after the switch, and the new databases had not been protected.
18. Audit Logs in SQL Servers in the Data Centers Show Suspicious Activity by a DBA
  Lola went back to the log activity on the unprotected system and found some unusual SELECT * queries on Orders and Customers. The queries were executed by a DBA at the Las Vegas data center named Joe Nagel.
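Slides 15 and 16 find the problem through a drop in daily touches of the card column, and slide 18 through bulk SELECT * statements in the audit log. Both checks are shown below over constructed log lines, as an added example rather than Protegrity's report or T&S's logging: the line format, repository names, user names, row threshold and working-hours window are assumptions. A third check compares the repositories seen in the logs against the list the protection policy knows about, which is the gap slide 17 describes: a store that is replaced but never registered produces no touches at all, so a silent repository must be treated as an inventory problem and not just a quiet day.

```python
# Added illustration over a constructed, normalised audit feed; not Protegrity's
# report format. Repo names, user names, the 100,000-row threshold and the
# 08:00-18:00 window are assumptions.
import re
from collections import defaultdict
from datetime import datetime, time

SENSITIVE_TABLES = {"Orders", "Customers"}
CARD_COLUMN = "card_number"
WORK_START, WORK_END = time(8, 0), time(18, 0)

LINE = re.compile(
    r'^(?P<ts>\S+) repo=(?P<repo>\S+) user=(?P<user>\S+) table=(?P<table>\S+) '
    r'cols=(?P<cols>\S+) rows=(?P<rows>\d+) stmt="(?P<stmt>[^"]*)"$')

# Constructed sample: two protected SQL Servers, and a staging store swapped in on 03-07.
SAMPLE_LOG = """\
2011-03-05T09:00:12 repo=sqlsrv-lv01 user=app_batch table=Orders cols=order_id,card_number rows=8400 stmt="SELECT order_id, card_number FROM Orders WHERE load_ts > ?"
2011-03-05T09:00:30 repo=sqlsrv-lv02 user=app_batch table=Orders cols=order_id,card_number rows=7900 stmt="SELECT order_id, card_number FROM Orders WHERE load_ts > ?"
2011-03-06T09:00:11 repo=sqlsrv-lv01 user=app_batch table=Orders cols=order_id,card_number rows=8300 stmt="SELECT order_id, card_number FROM Orders WHERE load_ts > ?"
2011-03-06T09:00:28 repo=sqlsrv-lv02 user=app_batch table=Orders cols=order_id,card_number rows=8010 stmt="SELECT order_id, card_number FROM Orders WHERE load_ts > ?"
2011-03-07T02:14:51 repo=staging-lv01 user=dba_jnagel table=Orders cols=* rows=612000 stmt="SELECT * FROM Orders"
2011-03-07T02:21:03 repo=staging-lv01 user=dba_jnagel table=Customers cols=* rows=455000 stmt="SELECT * FROM Customers"
2011-03-07T09:00:15 repo=sqlsrv-lv01 user=app_batch table=Orders cols=order_id,status rows=8350 stmt="SELECT order_id, status FROM Orders WHERE load_ts > ?"
2011-03-07T09:00:27 repo=sqlsrv-lv02 user=app_batch table=Orders cols=order_id,card_number rows=8200 stmt="SELECT order_id, card_number FROM Orders WHERE load_ts > ?"
2011-03-07T09:00:40 repo=staging-lv01 user=app_batch table=Orders cols=order_id,card_number rows=8350 stmt="SELECT order_id, card_number FROM Orders WHERE load_ts > ?"
2011-03-07T10:12:09 repo=sqlsrv-lv02 user=report_svc table=Customers cols=* rows=250 stmt="SELECT * FROM Customers WHERE customer_id = ?"
"""


def parse(lines):
    """Turn audit lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["day"] = e["ts"].date().isoformat()
        e["rows"] = int(e["rows"])
        e["cols"] = set(e["cols"].split(","))
        events.append(e)
    return events


def touches_card(e):
    return CARD_COLUMN in e["cols"] or "*" in e["cols"]


def daily_card_touches(events):
    """{repo: {day: count}} of statements that read the card column (slide 15's report)."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        if touches_card(e):
            counts[e["repo"]][e["day"]] += 1
    return counts


def coverage_gaps(events):
    """Repositories that used to touch the card column and then went silent for a
    whole day: the 'dropped to zero' signal of slide 16. Returns (repo, day) pairs."""
    days = sorted({e["day"] for e in events})
    gaps = []
    for repo, per_day in daily_card_touches(events).items():
        active_before = False
        for day in days:
            if per_day.get(day, 0) > 0:
                active_before = True
            elif active_before:
                gaps.append((repo, day))
    return gaps


def bulk_reads(events, min_rows=100_000):
    """SELECT * of a sensitive table returning many rows (slide 18), with who ran
    it, where, and whether it fell outside the working-hours window."""
    hits = []
    for e in events:
        if e["table"] in SENSITIVE_TABLES and "*" in e["cols"] and e["rows"] >= min_rows:
            off_hours = not (WORK_START <= e["ts"].time() < WORK_END)
            hits.append({"user": e["user"], "repo": e["repo"], "table": e["table"],
                         "rows": e["rows"], "at": e["ts"].isoformat(), "off_hours": off_hours})
    return hits


def unregistered_repos(events, protected_repos):
    """Repositories present in the logs but absent from the protection policy's
    inventory: the swapped-in staging store that nobody registered (slide 17)."""
    return sorted({e["repo"] for e in events} - set(protected_repos))


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG.splitlines())
    print("coverage gaps:", coverage_gaps(ev))
    print("unregistered:", unregistered_repos(ev, {"sqlsrv-lv01", "sqlsrv-lv02"}))
    for h in bulk_reads(ev):
        print("bulk read:", h)
```

On the sample, sqlsrv-lv01 is flagged on 2011-03-07 because its card-column touches went from one a day to none, staging-lv01 is flagged as unregistered, and the two early-morning SELECT * statements by dba_jnagel are reported as off-hours bulk reads; the 250-row report_svc read stays below the threshold.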
19. Records From the DBA Query Matched the List Pulled Against the Complaining Customers
  Frazier ran a query joining the 500 complaint records against the credit card transactions in the unprotected database. Every customer who had reported fraudulent activity appeared in the unprotected database: all 500 matched!
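The matching step on slide 19, written out as an added SQLite example rather than the query Frazier ran: join the bank's complaint list against the orders in the unprotected store and keep only orders that were present before the suspect query ran. Complaints with no qualifying order are listed separately, since they would point to a second leak path or ordinary card fraud rather than this store. The table layout, card numbers, timestamps and the query time are constructed for the example.

```python
# Added illustration; not T&S's schema or Frazier's query. All data is constructed.
import sqlite3

# Constructed: five complaints from the bank and a slice of the staging store's orders.
COMPLAINTS = [
    ("4000000000000001", "2011-04-02"),
    ("4000000000000002", "2011-04-02"),
    ("4000000000000003", "2011-04-03"),
    ("4000000000000004", "2011-04-03"),
    ("4000000000000005", "2011-04-05"),
]
ORDERS = [
    (1, "4000000000000001", "2011-03-01T10:15:00"),
    (2, "4000000000000001", "2011-03-04T13:40:00"),
    (3, "4000000000000002", "2011-03-05T09:05:00"),
    (4, "4000000000000003", "2011-03-06T17:30:00"),
    (5, "4000000000000003", "2011-03-20T11:00:00"),   # after the suspect query
    (6, "4000000000000004", "2011-03-22T12:10:00"),   # only present after the suspect query
    (7, "4000000000000009", "2011-03-02T08:45:00"),   # card that never complained
]
SUSPECT_QUERY_AT = "2011-03-07T02:14:51"   # when the SELECT * ran (assumed)


def match_complaints(complaints, orders, cutoff):
    """Return (matched, unmatched): complaints whose card was in the store before
    `cutoff`, with order count and first sighting, and complaints that were not."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE complaints(card_number TEXT PRIMARY KEY, reported_on TEXT);
        CREATE TABLE orders(order_id INTEGER PRIMARY KEY, card_number TEXT, order_ts TEXT);
        CREATE INDEX orders_card ON orders(card_number);
    """)
    con.executemany("INSERT INTO complaints VALUES (?, ?)", complaints)
    con.executemany("INSERT INTO orders VALUES (?, ?, ?)", orders)
    # The time condition lives in the ON clause so the LEFT JOIN below can tell
    # "no order before the cutoff" apart from "no order at all".
    matched = con.execute("""
        SELECT c.card_number, COUNT(o.order_id) AS n_orders, MIN(o.order_ts) AS first_seen
        FROM complaints c
        JOIN orders o ON o.card_number = c.card_number AND o.order_ts < ?
        GROUP BY c.card_number
        ORDER BY c.card_number
    """, (cutoff,)).fetchall()
    unmatched = [row[0] for row in con.execute("""
        SELECT c.card_number FROM complaints c
        LEFT JOIN orders o ON o.card_number = c.card_number AND o.order_ts < ?
        WHERE o.order_id IS NULL
        ORDER BY c.card_number
    """, (cutoff,))]
    con.close()
    return matched, unmatched


if __name__ == "__main__":
    matched, unmatched = match_complaints(COMPLAINTS, ORDERS, SUSPECT_QUERY_AT)
    print(f"{len(matched)} of {len(COMPLAINTS)} complaints were in the store before the query:")
    for card, n_orders, first_seen in matched:
        print(f"  ...{card[-4:]}  orders={n_orders}  first_seen={first_seen}")
    print("not explained by this store:", [c[-4:] for c in unmatched])
```

On the constructed data three of the five complaints are explained by the store as it stood when the query ran; the other two are not, which is the result that would have sent the investigators looking for another source. With the cutoff moved to the end of the year the fourth card matches too, showing why the time bound matters.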
20. The Culprit: Joe Nagel, DBA
  Lola worked with the data center IT people to pull the security tapes to make sure Joe was working that day … here he is exiting the facility in the early morning hours. Bob then confiscated his PC and found customer credit card information on his laptop. NABBED!
21. Resolution: Customer and Technical
  Customer Actions (Leslie worked with the head of Marketing Communications to get an alert out)
  1. Immediate telephone calls:
    • To those who already complained
    • To those who may have issues
  2. Letters sent out containing:
    • New credit cards, replacing the old ones
    • Profuse apologies and free coupons
  3. Follow-up phone calls
  Technical Action Plan (Bob worked to fix the technical holes)
  • Install Protegrity to protect the data center
  • Call in the auditors to redo the PCI audit
22. Summary: The Case of the Credit Card Breach
  Taylor & Swift experienced a major credit card breach, detected only when customers began complaining.
  • BSI explored two hypotheses:
    • External breach (hackers)
    • Internal breach (insiders)
  Drilling into the details exposed the real problem: disgruntled employee Joe Nagel exploited the lack of protection on the operational data stores at the data center to gain unauthorized access and sell data on the black market. CASE CLOSED
23. Learn More
  • Is your company protected?
  • For more information about the
    • Active Enterprise Data Warehouse
    • Communications Industry Logical Data Model
    • Industry Analytic Solutions
  • With Protegrity, you can protect your data and your business.
    • Protegrity provides Data Security Management Solutions that enable you to protect sensitive data. Sensitive data can be protected with encryption or tokenization techniques. Corporate Security Officers can control access to sensitive data through the data security policy.
  • Contact us to get started:
    • [email_address]
    • [email_address]