Network Solutions was PCI compliant before breach
Updated Monday, July 27, 2009 at 4:51 p.m. EST
Web hosting firm Network Solutions on Friday announced that, despite its being PCI compliant, a breach had compromised approximately 573,928 individuals' credit card information.
Network Solutions discovered unauthorized code on its servers used to support thousands of e-commerce merchants' websites, Susan Wade, director of communications at Network Solutions, told SCMagazineUS.com on Monday. The company determined that the unauthorized code may have been used by cybercriminals to capture transaction data, including customer names, addresses, and credit card numbers, and transfer it to servers outside of the company, she said.
Approximately 4,343 e-commerce websites were affected by the breach. Network Solutions could not disclose which merchants were affected but said the victimized merchants sell a wide variety of merchandise and are primarily small businesses. The breach occurred from March 12 to June 8 and the issue has since been mitigated, Network Solutions said.
“We feel deeply sorry about this; we know it is very concerning to our e-commerce customers,” Wade said.
Wade added that Network Solutions is compliant with the Payment Card Industries (PCI) Data Security Standards and its last PCI assessment was on Oct. 31, 2008.
Network Solutions is working with law enforcement and a third-party data forensics company to investigate the breach, but as yet does not have an explanation of what made the company vulnerable, Wade said. In addition, the company has implemented additional security measures since the breach but has not provided any specifics.
“Until a forensics investigation is completed, an organization cannot comment accurately on its compliance status,” Bob Russo, general manager of the PCI Security Standards Council, told SCMagazineUS.com in an email Monday.
A website has been established to provide information about the breach to e-commerce merchants, and Network Solutions will be helping merchants notify customers whose information was compromised. Notifications to affected customers will be going out in the next few days, the company said. In addition, affected individuals will be offered 12 months of free credit monitoring at Network Solutions' expense.
No reports of misused credit card account information associated with the breach have been filed, Network Solutions said in a statement.
Russo added that this breach “...underscores the necessity for ongoing vigilance of an organization's security measures.”
He said that since card data is under constant threat, security monitoring and logging cannot stop when an organization is deemed PCI compliant.
“A layered approach to security is absolutely necessary to protect sensitive payment card data -- without ongoing vigilance or a comprehensive security strategy, organizations may be just a control change away from noncompliance,” Russo said.
In addition, Russo said that an intrusion will not necessarily result in card data compromise if an organization is following PCI requirements.
In response to news of the breach, Steve Moyle, CTO and founder of database security company Secerno, told SCMagazineUS.com in an email on Saturday that people are probably questioning how this breach could have happened and continued for so long, especially after the Heartland breach clearly illustrated the consequences.
Moyle said that many enterprises are behind in security protection efforts such as anti-virus updates due to shrinking IT budgets, which results in unpatched vulnerabilities that are easily exploited.
In addition, Amichai Shulman, CTO of database and application security company Imperva, told SCMagazineUS.com in an email Monday that the incident illustrates the risks of cloud computing.
“This incident points out the basic problem of cloud computing: With many more companies hosting their data on the internet, the databases and the servers they are hosted on become phenomenally attractive,” Shulman said.
“The attackers here aimed at the big prize -- the servers. Instead of dealing with a website here and there, once the hackers broke in, all the sites were open to them,” he added. “The lesson: Once you've penetrated the cloud, you've got an easy path to the important, underlying data.”