The news continues to report computer hacking into customer databases of large companies. The latest victim is Microsoft’s online retail store serving India. Yes, computer giant Microsoft can’t even protect the personal data of its customers. That is scary!
I have never been comfortable with online shopping and news like this makes me wary of the occasional times when I do purchase products online. Apparently, large corporations are not doing enough to protect the personal information of their customers.
“As we saw with Sony, Stratfor, Zappos and others, hackers value this information and are selling it on a thriving black market to others focused on identity theft,” says Todd Thiemann, product specialist at encryption company Vormetric. “Companies need to rethink how to value and protect customer data.”
Microsoft took its Store India offline on Feb 13 after news spread that the site’s customer database had been hacked. A group referring to itself as “Evil Shadow Team” took credit in a blog post written in Mandarin.
Referring to himself as 7zl, Evil Shadow’s self-proclaimed leader told Reuters the data had been found unencrypted on the website. On the blog post, 7zl declared himself to be a “patriotic hacker.”
A Microsoft spokeswoman told Reuters the company is “investigating a limited compromise” of the company’s online store in India. “The store customers have already been sent guidance on the issue and suggested immediate actions,” the spokeswoman said. “We are diligently working to remedy the issue and keep our customers protected.”
The hackers have also released username and password combinations that Microsoft had saved in plain text. “Storing this data in clear text is playing with fire,” says Thiemann.
Of all companies, you would think this computer giant would have the resources and knowledge to encrypt sensitive data and not store data in clear text.
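The defect the article describes is a user table whose password column holds the passwords themselves, so one database dump hands an attacker every login. The standard fix for passwords specifically is not reversible encryption but a salted, deliberately slow one-way hash, so that a leaked table contains nothing that logs anyone in. The following is an added example, not code from the article, from Microsoft or from any of the quoted vendors; the account names and passwords are constructed sample data, and the iteration count is an assumed tuning value.

```python
import hashlib
import hmac
import os

# Parameters for PBKDF2-HMAC-SHA256. The iteration count is the slowdown
# factor against offline guessing once a table is dumped; raise it as
# hardware gets faster. 600_000 is an assumed value for this example.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex).

    A fresh random salt per user means two accounts with the same password
    get unrelated records, so a dump cannot be attacked with one precomputed
    table or cracked once for every matching user.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count, then
    compare in constant time so timing does not leak how many bytes matched."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported password record: {algorithm}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed sample data standing in for the kind of username/password pairs
# the article says were stored and leaked in clear text. Not real accounts.
CLEAR_TEXT_TABLE = {
    "alice@example.invalid": "correct horse battery staple",
    "bob@example.invalid": "correct horse battery staple",
    "carol@example.invalid": "Tr0ub4dor&3",
}


def migrate_table(clear_table: dict[str, str]) -> dict[str, str]:
    """Replace every clear-text password with its hashed record. Afterwards
    the table holds nothing that logs a user in by itself."""
    return {user: hash_password(pw) for user, pw in clear_table.items()}


def table_exposes_passwords(table: dict[str, str], clear_table: dict[str, str]) -> bool:
    """True if any stored value is literally a user's clear-text password,
    i.e. the storage failure the article describes."""
    return any(table[user] == pw for user, pw in clear_table.items())


if __name__ == "__main__":
    hashed = migrate_table(CLEAR_TEXT_TABLE)
    for user, record in hashed.items():
        print(user, record[:60] + "...")
    # Same password, different records: the per-user salt does its job.
    print(hashed["alice@example.invalid"] != hashed["bob@example.invalid"])
    print(verify_password("correct horse battery staple", hashed["alice@example.invalid"]))
    print(verify_password("wrong guess", hashed["alice@example.invalid"]))
```

The record format carries its own algorithm and iteration count, so the count can be raised later and old rows re-hashed at the user's next successful login without a flag day. Note that this covers only the password column; the e-mail addresses, shipping details and partial card numbers the article mentions later still need to be read back, so they call for encryption at the field level rather than hashing.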
Customers of Microsoft’s India store should change their account passwords ASAP. They should also be on the alert for “phishing” e-mails. These e-mails are intended to trick them into divulging sensitive information, such as a Social Security number, or into clicking on a seemingly trustworthy web link that actually installs a virus.
Shockingly, it still remains a widespread practice among many online retailers not to encrypt shoppers’ personal data, such as a customer’s e-mail address, shipping address, phone number, the last four digits of the payment card number, and account password. The majority of big retailers do encrypt payment card numbers — but only because it is required under the Payment Card Industry Data Security Standard.
As you can see, retailers are only doing the minimum to protect their customers’ information. Apparently, the reason retailers do not typically encrypt any data beyond what PCI-DSS requires is that they say doing so can degrade their website’s performance. VISA and Mastercard do enforce the minimum requirements of the PCI-DSS; however, they are only concerned about payment card fraud losses, and have no direct financial stake in the monetary and reputational losses consumers must endure due to identity theft, says Todd Feinman, CEO of database security firm Identity Finder.
Consumers need to start demanding that all of their personal data be encrypted. These occurrences are happening all too often, and anyone who has been a victim of identity theft can tell you it can take years to clean up such a mess. This is a financial, time-consuming and emotional drain on an individual.
According to The Hacker News, a security researcher using the nicknames — “WeedGrower” or “X-pOSed” — in recent weeks claims to have cracked into customer databases of AOL, NASA, Hotmail, MySpace, Xbox, USBank, Yahoo, and VISA and leaked sensitive data on most of those websites.
WeedGrower also claims to have compromised chip maker giant Intel and obtained sensitive data, including credit card numbers, email addresses and passwords.
“What’s interesting about this alleged breach is credit card data that’s supposedly been obtained should be encrypted under PCI DSS,” said Mark Bower, data protection expert and VP at Voltage Security. “Either it wasn’t encrypted, which would be a violation of PCI, or they made a common mistake in assuming that data-at-rest encryption offers any protection from hackers, like in this case. If the data was encrypted at the data level, using a data-centric approach, then all bets would be off and the hacker would have useless encrypted data, and this would be a non-issue.”
There is no excuse for these large companies not to invest the time and technology to protect their customers’ personal information. I am hopeful that action will be taken in Congress that forces these companies to go beyond adhering to the minimum standards – and that the minimum standards will be expanded to require that all personal data be encrypted. In addition, there should be huge penalties for companies that do not comply. They should also be required to pay the financial cost incurred by each and every customer who becomes an identity theft victim due to their vulnerable databases.
These large companies complain about too much regulation, but regulation wouldn’t be required if they were capable of managing themselves.
If you believe your personal computer has been breached, MSI Detective Services offers Debugging services. We can detect if your computer has been hacked and provide you with the removal of spyware and viruses and perform forensic examinations.
Read the story at lastwatchdog.