Security Software Firm's Customer Database Hacked

By Brian Krebs
Special to the Washington Post
Tuesday, December 20, 2005

Guidance Software Inc. -- a leading provider of software used to diagnose hacker break-ins -- has itself been hacked, exposing financial and personal data connected to thousands of law enforcement officials and network-security professionals.

Guidance alerted customers to the incident in a letter sent last week, saying it discovered Dec. 7 that hackers had broken into a company database and made off with about 3,800 customer credit card numbers. The Pasadena, Calif.-based company said that the incident occurred sometime in November and that it is working with the U.S. Secret Service on a more detailed investigation.

A spokesman for the Secret Service confirmed the investigation but declined to comment further.

Hackers got access to company employees' names, addresses, telephone numbers, credit card numbers, card expiration dates and the three-digit verification numbers on the backs of credit cards, according to Guidance.

Michael G. Kessler, president of New York City-based computer-forensics investigative firm Kessler International, received a letter notifying him that the company's American Express card was among those compromised by the attackers. Kessler received the notice from Guidance at the same time a company credit bill arrived with what he said was $20,000 in unauthorized charges for pay-per-click advertising at

"I just got our American Express bill and nearly fell out of my chair," Kessler said. "You'd think Guidance would be the last company this kind of thing would happen to."

Guidance's EnCase software is used by hundreds of security researchers and law enforcement agencies worldwide, including the Secret Service, the FBI and New York City police. John Colbert, the company's chief executive, said Secret Service and FBI customers were among those whose information was included in the hacked database, but he declined to say whether credit card information belonging to those agencies was compromised.

FBI officials could not be reached for comment.

"This certainly highlights the fact that intrusions can happen to anybody and that nobody should be complacent about security," Colbert said. He declined to discuss further details of the attack, citing the ongoing investigation.

The company alerted all of its customers less than two days after discovering the break-in and told them it would no longer store customer credit card data, Colbert said. Guidance had stored customer records in unencrypted databases and indefinitely retained customers' three-digit verification codes, according to Colbert and the notification letter sent to customers.

Merchant guidelines published by both Visa and MasterCard require sellers to encrypt customer credit card databases and to discard verification numbers after using them in a transaction. The penalty for violating those policies can be as high as $500,000 per incident.

Another security professional who got the notification letter said he was surprised that Guidance did not detect the intrusion for nearly two weeks, a lapse in time that could make it much more difficult to catch the perpetrators.

"Unfortunately, most cyber crimes require being worked very quickly in order to gather data before it is purged either by attackers or just in the normal course of business," said Doug Rehman, president of Rehman Technology Services Inc. in Mount Dora, Fla., who learned that his credit card and personal data had been exposed.

"Hopefully, this incident will be a call for our community to wake up, particularly the vendors who ought to be among the forefront of in dealing with security issues," Rehman said.

Krebs is a staff writer for

© 2005 The Washington Post Company