December 19, 2005 4:19 PM PST

Computer forensics tools maker hacked

Guidance Software had to do a forensic investigation on its own systems after a hacker broke in and accessed records, including credit card data, of thousands of customers.

The attack occurred in November, but wasn't discovered until Dec. 7, John Colbert, chief executive officer of Guidance, said in an interview Monday. The attack exposed data on thousands of the company's customers, including 3,800 whose names, addresses and credit card details were exposed, he said.

"A person compromised one of our servers," Colbert said. "This incident...highlights that intrusions can happen to anybody and nobody should be complacent about their security."

Guidance, one of the leading sellers of software used to investigate computer crimes, sent out letters last week to inform its customers about the breach. Some customers have already reported fraudulent credit card charges. "There have been a handful of cases, but we're only two weeks into this, so I don't know the total size," Colbert said.

New York City-based Kessler International received notice from Guidance on Monday, three days after it got an American Express bill for about $20,000, mostly in unauthorized charges for advertising at Google, said Michael Kessler, president of the computer-forensics investigative firm.

"We got hit pretty badly," Kessler said. "Our credit card fraud goes back to Nov. 25. If Guidance knew about it on Dec. 7, they should have immediately sent out e-mails. Why send out letters through U.S. mail while we could have blocked our credit cards?"

Regular mail was the quickest way to contact customers, according to Colbert. "We don't have e-mail addresses for everybody, and we found that their physical addresses are more permanent than their e-mail addresses," he said.

Guidance stored customer names and addresses and retained "card value verification," or CVV, numbers, Colbert said. The CVV number is a three-digit code found on the back of most credit cards that is used to prevent fraud in online and telephone sales. Visa and MasterCard prohibit sellers from retaining CVV once a transaction has been completed.

"We found that our systems were storing these numbers that were supposed to be deleted after their use," Colbert said. The company no longer stores CVV numbers, he said.

Guidance's EnCase software is used by security researchers and law enforcement agencies worldwide. The Pasadena, Calif.-based company notified all its approximately 9,500 customers about the attack and has called in the U.S. Secret Service, which has started an investigation, Colbert said.

While Kessler isn't happy, data breaches are part of business, he said. "Obviously Guidance has to do a lot of soul searching to see if they were maintaining their data as required," he said.

The intrusion at Guidance is the latest in a string of reported data security breaches this year. Since February, more than 53 million personal records have been exposed in dozens of incidents, according to information compiled by the Privacy Rights Clearinghouse.

8 comments

Join the conversation!
Add your comment
No wonder...
This is the server their web site is running. A windows machine,
yeah!
----------
<a class="jive-link-external" href="http://www.guidancesoftware.com/" target="_newWindow">http://www.guidancesoftware.com/</a>
Microsoft-IIS/6.0
------------------
Posted by mkv22 (2 comments )
Reply Link Flag
How Many Others Store CVS?
So the question is really how many other merchants store the CVS#? How many store all the credit card details without purging them? I think in this case AMEX, VISA, and Mastercard need to send a message to merchants like Guidance by permanently yanking their online charge capability. One well publicized case like that will force all the other merchants to review their systems, which THEY SHOULD be doing anually anyway as part of the audit process.
Posted by Stating (869 comments )
Reply Link Flag
A better solution
A better solution would be to make sure you have included in the terms of the contract that they use to provide services in the first place the simple note that if you store the CVS numbers and they are stolen from you then you become responsible for the fraudulent charges.

That one simple change will give the companies who are storing CVS numbers all the incentive they need to clean house.
Posted by aabcdefghij987654321 (1721 comments )
Link Flag
Burn them at the stake
Guidance didn't just screw up, they screwed up royally. This is **not** just part of the business. They had no right storing credit card numbers, being such an at-risk target, let alone the cvs numbers. And they are a security company that is supposed to teach YOU best practices and sell you services and software? BURN THEM AT THE STAKE!
Posted by jmanico (55 comments )
Reply Link Flag
Core protection needed.
"intrusions can happen to anybody and nobody should be complacent about their security"

Unfortunately if you resort to status quo technology for your security, you are being complacent. The thing that is lacking is core layer protection, that will protect systems and data from intrusion. Forensic tools that investigate after the intrusion are still only reactive technology.
Posted by RU_Trustified (2 comments )
Reply Link Flag
Wait for it....
Several items to watch: 1) The credit card association's response, and 2) the effect on Guidance's reputation.

Each credit card company has operating regulations that clearly prohibit storing the CVN (CVV2, CVC2, et. al.). In addition, PCI DSS has re-iterated this prohibition and attached fines to those who do not comply. PCI DSS is a single data security standard endorsed by Visa, MasterCard, American Express, and others.

Guidance will be fined (up to $500,000 per incident and $50,000 per month until PCI DSS issues are remediated). If Guidance was certified as compliant, the firm that did the work may be fined or prohibited from doing that work in the future. Guidance may be prohibited from accepting credit cards as a form of payment.

Guidance will also suffer from a loss of reputation. I would be reluctant to do business with a firm containing so many lawyers and security professionals who do not understand the basics of credit card data security.

It will be interesting to see the consequences for the leaders of this company. It seems that several of these individuals has some culpability in the series of decisions (or lack thereof) that led to this incident.
Posted by jtpickering (8 comments )
Reply Link Flag
They've done everything the wrong way!
Placing such information on web accessible servers is problem #1.

Problem #2 is that they themselves are a forensics tool maker and thus their tool should have alerted them of the hack as soon as it took place... not after a customer complains and they look at their logs to confirm as much. Maybe they don't check their own logs?!?!

Problem #3 is that they didn't immediately notify their customers of the breech of their customer's data.

Walt
Posted by wbenton (522 comments )
Reply Link Flag
As a forensic investigator I can not believe that Guidance software did such a thing. They could have kept these records on a safe PC, not connected to their server which had an outside (internet) connection. It is as simple as that. A non-networked computer can only be accessed physically, on site.
Posted by Strath4ensics (1 comment )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.