About seven years ago, I worked a case that appeared to be a standard forensic investigation. The client, a retailer with multiple locations, had been provided a Common Point of Purchase (“CPP”) analysis from the bank that handled its payment card transactions. The CPP revealed a high possibility of fraudulent activity at various locations, suggesting this retailer’s sensitive customer card data had been accessed by intruders. Our task was to identify how, where, and for how long thieves had been accessing the client’s payment systems and siphoning card data.
At the conclusion of the investigation, we had a well- defined timeline – the intruders had accessed payment transactions from early April to mid-June. However, we had a problem: the CPP data did not add up. There were a handful of transactions that fell outside of what we were certain was the timeline of exposure. The outlier population was not large, but large enough and overa wide enough timespan for us to be concerned over transactions both before and after our strictly-defined window. It looked like our investigation was not, in fact, complete.
Fast forward another week and we get a break in the case. We discovered that in a significant number of instances, particularly for home delivery orders, employees printed customer transaction information in hardcopy and stored the printouts in cardboard boxes at retail locations. These hard copies included customer name, payment card number, expiration date, and security codes – everything you would need to perform fraud. The retailer’s IT, security, and compliance personnel had no idea that this was happening. Individual store managers were not looking closely at the printouts. However, as we would later find, certain employees had recognized the value of this information goldmine, and used it to commit fraud.
Data breaches can be internal too
This scenario is known as inadvertent storage, and is an excellent example of why payment card brands and issuers care so much about it.
In this case, printed copies of purchase transaction history were stored just in case. Unfortunately, this turned into a situation where sensitive data was compromised. We ultimately determined that at the same time remote intruders were accessing network payment systems to extract swiped payment card transactions, malicious inside employees were periodically helping themselves to the data on the hard copy printouts. The client actually had two breaches, and the employees were stealing data long before, and long after, the digital attackers.
As with anything else, the best defense is a good offense. For any organization that processes payment card transactions, we recommend that all integral systems and servers that process, store, or transmit sensitive card information be reviewed periodically for unknown content and data structures. For instance, during the course of troubleshooting a technical issue, IT personnel may enable transaction tracking and auditing and then forget to disable it later. Other times, out-of- date payment software simply retains payment card data natively. There have even been cases where employees had spreadsheets with customer credit card information that they created over the course of business, or had printed as hardcopy documents. Without a periodic review of internal systems and processes, these types of inadvertent storage issues can be easily overlooked.
Where's the data?
A common remedy is to conduct a mock investigation where the primary objective is to identify these unknown data structures. Another effective methodology to address the inadvertent storage issue is to institute regimented data discovery exercises to fully enumerate and inventory payment card data stored across systems within a network environment.
Inadvertent storage is more common than you might think, and in fact, enterprises across all industry sectors are susceptible. Who in your organization truly knows all of the data that it is storing at any point in time? The answer is critical given that regulatory scrutiny after a breach is growing ever more broadly and clients have heightened expectations for data protection. The strategies outlined above are a good starting point for helping ensure your organization is not blindsided by a potentially preventable breach or opportunistic insider theft.
Ultimately, one of the greatest challenges in dealing with inadvertent storage and its implications is to recognize that the problem is fluid. For example, an organization that is not storing payment card information today may begin doing so in a month, two months, or even a year from now – with security and compliance personnel being none the wiser. Organizations must be vigilant to the possibility that inadvertent storage is taking place and continually work to discover and address the issue.