By Brian Krebs
washingtonpost.com Staff Writer
Monday, December 19, 2005 5:33 PM
Guidance Software -- the leading provider of software used to diagnose hacker break-ins -- has itself been hacked, resulting in the exposure of financial and personal data connected to thousands of law enforcement officials and network-security professionals.
Guidance alerted customers to the incident in a letter sent last week, saying it discovered on Dec. 7 that hackers had broken into a company database and made off with approximately 3,800 customer credit card numbers. The Pasadena, Calif.-based company said the incident occurred sometime in November and that it is working with the U.S. Secret Service on a more detailed investigation.
Michael G. Kessler, president of New York City-based computer-forensics investigative firm Kessler International, received a letter notifying him that the company's American Express card was among those compromised by the attackers. Kessler received the notice from Guidance at the same time that a company credit-bill arrived with what he said were $20,000 in unauthorized charges for pay-per-click advertising at Google.com.
"I just got our American Express bill and nearly fell out of my chair," Kessler said. "You'd think Guidance would be the last company this kind of thing would happen to."
Guidance's EnCase software is used by hundreds of security researchers and law enforcement agencies worldwide, including the U.S. Secret Service, the FBI and New York City police. John Colbert, the company's chief executive officer, said Guidance alerted all of its customers less than two days after discovering the break-in, and that it would no longer store customer credit card data.
"This certainly highlights the fact that intrusions can happen to anybody and that nobody should be complacent about security," he said. Colbert declined to discuss further details of the attack, citing the ongoing investigation.
Guidance stored customer records in unencrypted databases, and indefinitely retained customers' "card value verification" (CVV) numbers, the three-digit codes on the back of credit cards that are meant to protect against fraud in online and telephone sales, according to Colbert and the notification letter sent to customers.
Merchant guidelines published by both Visa and Mastercard require sellers to encrypt customer credit-card databases. They are also prohibited from retaining CVV numbers for any longer than it takes to verify a given transaction.
Companies that violate those standards can be fined $500,000 per violation. Credit card issuers generally levy such fines against the bank that processes payment transactions for the merchant that commits the violations. The fines usually are passed on to the offending company.
Secret Service and FBI customers were among those whose information was included in the hacked database, Colbert said, but he declined to say whether credit card information belonging to those agencies was compromised.
Secret Service spokesman Eric Zahren would only confirm that the agency is investigating the break-in. FBI officials could not be immediately reached for comment.
Kessler said several of his company's employees also received notices. Among the items Guidance said were taken by hackers were company employees' names, addresses, telephone numbers, credit card numbers, card expiration dates and card verification numbers.
Another security professional who got the notification letter said he was surprised that the company did not detect the intrusion for nearly two weeks, a lapse in time that could make it much more difficult to catch the perpetrators.
"Unfortunately, most cyber crimes require being worked very quickly in order to gather data before it is purged either by attackers or just in the normal course of business," said Doug Rehman, president of Rehman Technology Services in Mount Dora, Fla., who learned that his credit card and personal data had been exposed.
"Hopefully this incident will be a call for our community to wake up, particularly the vendors who ought to be among the forefront in dealing with security issues," Rehman said.
The intrusion at Guidance caps a year marked by an unprecedented number of disclosures about hacker break-ins at major corporations that hold customer data. Many of those attacks targeted law enforcement entities indirectly or directly. In March, data aggregator LexisNexis acknowledged that hackers had illegally accessed information on more than 310,000 consumers, an attack that was later determined to have been launched after hackers broke into computers used by at least two separate police departments.
Last week, investigators at CardCops.com found that a digital intrusion at a company that manufactures police name badges had compromised the personal information and credit card accounts belonging to dozens of police departments and officers.
Krebs is a reporter for washingtonpost.com.