how we did it: the case of the credit card breach
TRANSCRIPT
How We Did The
Investigations
“The Case of the Credit Card Breach”
Brought to you by
and
© Teradata 2011< 2 >
We’re Getting A Lot of Questions …
Hi Everybody,
We’re the brains behind the scenes and wanted to answer your questions about “how we solved the credit card breach so fast.”
This little write-up will give you an idea of our client’s architecture and some details of the BI and security screens.
Take a look, and if you still have questions, shoot them to us!
Yours truly,
Neuman Hitchcock and Lola Douglas
BSI
Level 3
LOLA DOUGLAS
© Teradata 2011< 3 >
We’ve Got a Problem!
• The case started when department store Taylor & Swift’s (T&S) clearing bank, Grassroots, started getting calls after the monthly bills went out about fraudulent credit card charges. Grassroots noticed that the calls were coming from T&S white label credit card holders. Grassroots CEO called the T&S CEO, who handed the problem to the T&S CSO – Chief Security Officer, Bob Shield
• The bank provided the list of customer complaints to Taylor & Swift
Bob Shield, CSO
Leslie OakwoodTaylor & Swift CEOJohn Howard
CEO, Grassroots Bank
© Teradata 2011< 4 >
Chief Security Officer Bob Shield Hires 2 BSI Investigators to Help
• Frazier McDonald > Overall Systems Architecture> Vulnerability Analysis> Fast worker, good hunches
• Lola Douglas> Security Expert> Numerous past security cases> Ex-FBI, high-energy
• For more information about all Cast members, see BSI Facebook / Photos
BSI
Level 3
LOLA DOUGLAS
BSI Teradata
Level 3
FRAZIERMcDONALD
© Teradata 2011< 5 >
Taylor & Swift PCI DSS Security Audit
Taylor & Swift passed an external PCI DSS audit that showed their systems to be compliant with the PCI DSS industry standard for protecting credit cards.
Bob Shields gave a copy of the report to both Frazier and Lola to study
© Teradata 2011< 6 >
Taylor & Swift System Architecture (From PCI Audit)
Lola notes that this is a common retail system architecture where credit card transactions collected at stores or the web flow through data centers to an EDW and ultimately to Back Up.
© Teradata 2011< 7 >
T&S’s Front-End (Store and Web, Data Center)Data Flow Processes and System Architecture
T&S mini-batch loads POS data every hour to the data centers. Web transactionsdrop immediately into the data centers. The multiple data centers offer high availability as well as disaster recovery, in addition to workload balancing.
© Teradata 2011< 8 >
Taylor and Swift Back-Office Data Flows
Data centers are used for inventory and ERP financial applications. Data flows at 1 hour intervals into Teradata for marketing and merchandising purposes.
© Teradata 2011< 9 >
Taylor & Swift Teradata Active Data Warehouse
This company has• 22.8M customers, of whom 38% have Taylor & Swift Credit
Cards. Average Market Basket per trip is $65.34. Average shopper comes in 8.7 times per year. High loyalty scores.
Teradata• 22 TB Active Data Warehouse at the fingertips
> 2-node dev/test system, 5550s> 6-node ADW system, with 2-node backup, 5 yrs of data> Teradata Retail Industry Logical Data Model - contains integrated
enterprise data, including product purchases, customer, credit card data, billing, contact center, orders, web browsing and buying, call records, etc.
> Right-time active data feeds from order entry, contact center, and web systems (< 2 hour latencies)
• For more info about Teradata, go to www.teradata.com
© Teradata 2011< 10 >
Protegrity Data Security Policy:What is the sensitive data that needs to be protected?
> PROTEGRITY: T&S needs to protect the sensitive credit card information as it flows throughout the enterprise from acquisition to deletion.
Who should have access to sensitive data and who should not?> PROTEGRITY: The security officer can set the policy. At T&S only two Security
Directors have access to the information at all times. Others have limited access as defined in the policy.
How do you want to protect sensitive data?> PROTEGRITY: T&S protects the information wherever the sensitive data flows with
strong encryption from the Protegrity Data Security Platform.
Where should sensitive data access be granted to those who have access?> PROTEGRITY: Access to sensitive data is set in the policy. Although people may have
access to the data, it is not in the clear at rest or in transit.
Where is the sensitive data stored?> PROTEGRITY: The sensitive data originates at the store or from the web. Credit card
transactions flow to the data centers for operational processing and data analysis and then to the archive. The sensitive data is protected at rest and in transit by Protegrity.
Policy Foundational Questions/Answers:Protecting Sensitive Data
© Teradata 2011< 11 >
Protecting the Enterprise Data Flow
POS e-Commerce
Branch
CollectionApplication Protection
Protect data from collection to aggregation
AggregationDatabase and Application Protection
Change Security Zone, protect data at aggregation, distribute to different operational sys. on different zones
OperationsDatabase, File and Application Protection
Protect data in different security zones, and in different business applications and technologies
AnalysisDatabase Protection
High performance column level protection is required for these large analytical systems
StorageDatabase and File Protection
Archive protected systems with the ability to restore
ESA Key Management
The typical retail merchant data flow is depicted in this diagram. Protegrity protects the sensitive data – credit cards in this case – from creation to archive.
© Teradata 2011< 12 >
Lola Investigated the Front-End Systems
Lola worked with the Store and Web IT Groups.
The system had a full PCI audit review and approval. This led the team to investigate the Front-End Systems. All systems came out clean with no intrusions and the data is protected from the swipe through the point where the transaction data moves to the data centers.
© Teradata 2011< 13 >
Frazier Investigated the Back-End Systems
Frazier worked with the back-end team to investigate how credit cards are handled in the back-end processing at the data centers.
The back-end system also had a full PCI audit review and approval.
The back-end systems came out clean with no intrusions and the data is protected inside the back-end systems.
© Teradata 2011< 14 >
Frazier Checked the Role - and Time-Based Security Access Controls That Were Set Up
In the case of the Credit CardField, Protegrity’s tool defined2 roles – one with High clearance,and one with Low, with accesspermission to the data only for High clearance only during daytime working hours.
Frazier found that the Protegrity policy controls that were initially set up were not changed – no security hole there.
© Teradata 2011< 15 >
Frazier Ran A Protegrity Detailed Report on the Card Number Column – Decrease was the Clue!
Frazier dug intothe Protegrity reports on key data elements. In this case, the Production CreditCard Number – and found a suspicious dip in the numberof daily touches.
© Teradata 2011< 16 >
Frazier Inspected Credit Card Column Access
Frazier drilled down on each of the repositories and found thatthe touches of the Credit Card data in the SQL Servers dropped to 0
© Teradata 2011< 17 >
Core Problem: IT Swapped Out Protected Operational Data Stores at the Data Center, Forgot to Protect
Lola and Frazier had a call with the Data Center IT Manager and found out that the staging databases had been changed - from SQL Server databases to another 3rd party database. No PCI audit was done after the switch and the new databases had not been protected.
© Teradata 2011< 18 >
Audit Logs in SQL Servers in the Data CentersShow Suspicious Activity by a DBA
Lola went back to the Log activity on the unprotected system and found some unusual SELECT * activities on Orders and Customers.
The queries were executed by a DBA at the Las Vegas Data Center by the name of Joe Nagle.
© Teradata 2011< 19 >
Records from DBA Query Matched the List Pull Against the Complaining Customers
Frazier ran a query to JOIN the 500 records with the complaints with the credit card transactions. All customers who were breached had shown the fraudulent activity in the unprotected database. They all matched!
© Teradata 2011< 20 >
The Culprit: Joe Nagel, DBA
Lola worked with the data center IT people to pull the security tapes to make sure Joe was working that day … here he is exiting the facility in the early morning hours. Bob then confiscated his PC and found customer credit card information on his laptop. NABBED!
© Teradata 2011< 21 >
Resolution: Customer and Technical
Customer Actions 1. Immediate Telephone Calls:• To those who already complained• To those who may have issues
2. Letters sent out containing:• New Credit Cards, replacing old • Profuse Apologies and Free Coupons
3. Follow-up phone calls
Technical Action Plan• Install Protegrity to protect the
Data Center• Call in Auditors to redo the PCI Audit
Taylor & Swift Gold
Leslie worked with thehead of Marketing Communications to getan alert out
Bob worked to fixthe technical holes
© Teradata 2011< 22 >
SummaryThe Case of the Credit Card Breach
CASE CLOSED
Taylor & Swift experienced a major credit card breach, detected only when customers began complaining
BSI explored 2 hypotheses:1. External breach (hackers)2. Internal breach (insiders)
Drilling into the details exposedthe real problem:
Disgruntled employee Joe Nagelexploited the lack of protection on the Operational Data Stores at the Data Center to gain unauthorized access and sell data on the black market.
© Teradata 2011< 23 >
Learn More
Is your company protected?• For more information about the
– Active Enterprise Data Warehouse– Communications Industry Logical Data Model – Industry Analytic Solutions
• With Protegrity, you can protect your data and your business.Protegrity provides Data Security Management Solutions that enable you to protect sensitive data. Sensitive data can be protected with encryption or tokenization techniques. Corporate Security Officers can control access to sensitive data through the data security policy.
– www.protegrity.com
Contact us to get started:– [email protected] – [email protected]