Security Experts from Tripwire, Securonix and Voltage commented on the latest scottrade data breach.
[su_note note_color=”#ffffcc” text_color=”#00000″]Mark Bower, Global Director Product Management, HP Data Security:
“It’s almost mind-boggling that yet another major data breach has been revealed in less than a week. In this case, while the passwords may remain safe, one has to ask if the customers’ personal data was protected in the same manner? With the available technologies today to protect sensitive data very easily and quickly, it’s a simple matter to cover all sensitive data bases to protect consumer trust and satisfaction. It’s important that businesses follow best practices of encrypting all sensitive and regulated data as it enters their ecosystems, and have the protection follow the data at rest, in use and in motion. This is especially urgent in the financial services industry and with data processors.
Beyond the threat to customers’ sensitive data, companies need to be concerned with the impact such an event can have on their reputation and, ultimately, on their bottom line. A data-centric approach to security is the industry-accepted cornerstone needed to allow companies to mitigate the risk and impact of these types of attacks.
Once again, this underscores the need for companies to protect the sensitive information they hold on their customers. While it’s not clear who is responsible, criminals are always looking for a way to exploit a system in a way that they can then turn stolen data into cold, hard cash. In this case there is a further risk in that personal information about the user such as their name, full address, phone number and email address was taken. Criminals could then use this information or sell it for use in more targeted larger-scale spear-phishing or identity theft attacks.”[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Tim Erlin, Director of IT Security and Risk strategy, Tripwire :
“It’s important to remember that while this news is breaking, the actual break in occurred more than a year ago.
The FBI is unlikely to explain in detail why notification of this breach took so long, but it’s not uncommon for an ongoing investigation to delay notification so that criminals aren’t tipped off.
Cyber criminals behave more like an infestation than the usual metaphor of a burglar. Once they’re inside, it takes more than a rolled-up newspaper to get rid of them.[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Stewart Draper, Director of Insider Threat at Securonix :
“A concerning lack of detective capabilities must not have been in place to have missed data exfiltration to the tune of 4.6 million records. The timeline specified was a particularly sensitive time in this sector with hacktivist and criminal groups regularly targeting financial companies.
Federal authorities should not be the avenue with which companies are discovering they may have been breached. In 2014 Scottrade was fined for failure to provide complete trade logs, blamed on an internal IT error from a migration. Accountability for these mistakes need to be taken at the highest levels of the organization to help drive awareness and improvement in security defense.”[/su_note]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.