Dodging Data Breaches At Your Third-Party Provider

What went wrong in recent database breaches at Honda, Gawker, McDonald's, and Walgreens -- and how enterprises can avoid similar compromises
Companies should take to heart the rash of data breaches that exposed the sensitive information of Honda, Gawker, McDonald's, and Walgreens customers to cybercriminals, security experts say.

A series of major compromises have exposed millions of consumers' sensitive information in the past month. In early December, McDonald's revealed that the compromise of its third-party email marketing provider exposed 1.3 million consumers' data records. The breach involved "limited customer information such as name, address, phone number, birth date and gender," the company said in a statement. The compromise of third-party marketing services firm SilverPop is also thought to be responsible for exposing 4.9 million accounts at Honda and its Acura subsidiary, as well as stealing e-mail addresses from Walgreens.

"As a user of outsourced services, which is becoming more and more prevalent with cloud computing, everyone is nervous about the security," says Avivah Litan, vice president of analyst firm Gartner. "These breaches just give them a good reason to worry more."

While the compromises fall short of the massive breaches at retailer TJX in 2007 and Heartland Payment Systems in 2008, they underscore the dangers of using third-party providers whose security cannot be validated or verified. Companies that consider doing business with an online service provider need to check the company's security, Litan says.

"A lot of companies are nervous about moving authentication to the cloud unless they are really, really comfortable with the provider and their security," she says. "Unfortunately, there is no academic standard out there whether a provider is secure or not, so companies have to do their own due diligence."

While the Payment Card Industry's Data Security Standard (PCI-DSS) is required for companies that handle credit-card information and financial data, there is no set of standards for protecting personally identifiable information (PII). Even companies that use the same standards as PCI are not necessarily practicing good security, but in many cases merely checking boxes, says Josh Corman, research director for The 451 Group, an analyst firm.

"We have one and only one defense playbook -- not even a playbook, we only have one play," he says. "What we know is that companies are still getting compromised, and we don't know whether something else might be better or worse."

Nearly eight in 10 companies suffering compromises were subject to PCI-DSS, but were not compliant at the time of the breach, according to Verizon Business's Data Breach Investigations Report 2010 (PDF).

Companies holding customer data should use a Web application firewall, develop software using secure practices, and focus on whitelisting technologies for key servers, 451's Corman says. The Verizon report found 97 percent of compromised records involved an attack by custom malware, and 94 percent of compromised records also involved a Web application flaw, such as SQL injection.

Finally, companies handling credit card data and PII can benefit by limiting the number of servers and employees who can touch the data. By storing key information on its own servers, rather than giving it to a third party, a company can retain control of that data's protection.

"That is the problem with the whole Web 2.0 model -- the whole cloud model -- your span of control is reduced," Corman says. "Sometimes the best you can do is redraw the lines of control."

The Gawker breach is a good example. While 1.3 million accounts were compromised by the attackers, customers that used Facebook Connect -- a federated identity system for Facebook users -- did not have to worry because the credentials were not stored on Gawker's systems. Federated identities, tokenization, and other technologies for centralizing the management of sensitive data could minimize the uncontrolled spread of PII that can result in breaches.
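The tokenization approach described above, as an added illustration that is not part of the original article: a vaulted token service kept on the company's own systems hands a third-party provider only opaque tokens plus non-sensitive attributes, so a breach of the provider's copy of the data exposes no PII. The `TokenVault` class, the `export_for_provider` helper and the sample customer records are constructed for this example.

```python
import secrets


class TokenVault:
    """Maps a PII value to a random token; only the vault holds the mapping.

    The vault stays on the company's own servers. Downstream systems and
    third parties receive tokens only, so their data sets carry no PII.
    """

    def __init__(self):
        self._value_to_token = {}
        self._token_to_value = {}

    def tokenize(self, value):
        """Return the existing token for value, or issue a fresh random one."""
        if value in self._value_to_token:
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(16)  # 128 bits, unguessable
        self._value_to_token[value] = token
        self._token_to_value[token] = value
        return token

    def detokenize(self, token):
        """Resolve a token back to PII; only the vault owner can do this."""
        return self._token_to_value[token]


# Constructed sample records as they would sit in the company's own database.
SAMPLE_CUSTOMERS = [
    {"email": "alice@example.com", "segment": "loyalty"},
    {"email": "bob@example.com", "segment": "new"},
]


def export_for_provider(customers, vault):
    """Build the record set handed to a third-party service: PII replaced by tokens."""
    return [{"token": vault.tokenize(c["email"]), "segment": c["segment"]}
            for c in customers]


def pii_in(records):
    """Pre-export check: return any field value that looks like an e-mail address."""
    return [v for r in records for v in r.values() if "@" in str(v)]


if __name__ == "__main__":
    vault = TokenVault()
    outbound = export_for_provider(SAMPLE_CUSTOMERS, vault)
    print("leaked PII fields:", pii_in(outbound))  # [] : provider copy holds no addresses
```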

In the end, a company might not be operationally responsible for the security of its customer data, but legally and ethically it must exercise control, says Corman.

"It is not your fault, but it is still your problem," he says.
