Canadian Standards Association Learning Centre compromised

Date Reported:
1/21/08

Organization:
Canadian Standards Association (CSA) Group

Contractor/Consultant/Branch:
None

Victims:
CSA online Learning Centre customers

Number Affected:
Unknown

Types of Data:
Names, addresses, credit card account numbers, and card expiration dates.

Breach Description:
Unauthorized online access was obtained by intruders to the Canadian Standards Association ("CSA") Learning Centre online store web site server, possibly exposing sensitive customer information.

Reference URL:
The New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

I am writing this letter to inform you that Canadian Standards Association ("CSA") recently experienced a security breach of its Learning Centre web site server, which is located in Toronto, Canada.

Canadian Standards Association has recently noted a security breach in some of our web sites and is taking immediate action to address the situation.
[Evan] Judging from the two statements above, it appears that the Learning Centre web site server hosted multiple sites for CSA.

The security breach may have resulted in unauthorized access to personal information, specifically names, addresses, credit card account numbers and card expiration dates provided to CSA by customers of our Learning Centre online store.

Although the credit card numbers compromised were encrypted, there is some potential that the intruder may have had access to the encryption key.
[Evan] It's great that the credit card numbers were encrypted.  There are numerous methods for deploying and managing encryption in online transactions.  It is possible that the encryption key was stored in one way or another on the compromised web server so that the application could write to and read from the database and make sense of its contents.  Sometimes encryption is handled by the database itself.  I don't know enough detail to speculate.

We have contacted all customers who may be affected by this breach. On January 14, 2008, letters were mailed from our offices to the Learning Centre online store customers informing them of the breach.

The letters suggested that these customers close their relevant credit card accounts, and provided information on preventing and detecting credit card fraud.

"Contact your credit card company, notify them of this breach, and request that they monitor suspicious charges on your credit card in the future, or close the account and open a new one. If you open a new account, ask the credit card issuer to give you a PIN or password. This will help control access to the account."
[Evan] Good suggestions.

We have taken the affected CSA websites off-line. These sites are being reconstructed to ensure the security of our customers' information going forward.

We have engaged computer forensics specialists who have helped us determine the extent of the breach and its implications. We have been provided with recommendations for improving a number of our security procedures.

We are in the process of planning short and long term initiatives to improve the security of our websites.

While we have no indication at this time that any of our online customers' personal information was actually retrieved or misused, we felt it necessary to take the above steps to contain this security breach and prevent such a breach in the future.

If you have any questions or concerns about this matter or how it is being managed, please do not hesitate to contact me at 1- or via e-mail at .

Commentary:
This is a good incident response from CSA.  It is not clear how long the intruders had access to the sensitive information or how the CSA became aware.  I am always more comfortable with breaches that involve credit card information than I am with ones that involve Social Security numbers.  It's relatively easy to get a new credit card number if you have reason to believe that yours has been compromised and any fraud typically affects a single account.  Social Security number compromise is not so limited.

There was reason to believe that the encryption (and therefore decryption) key was compromised in the breach.  The "secret" in secret key encryption is the key itself.  If the key is disclosed, the encryption is useless; a key kept on the same server as the ciphertext offers no protection against an intruder who controls that server.  The key is understanding key management (pun intended).
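To make that key-management point concrete, here is an added example (not CSA's code; nothing is known about how their system actually stored keys) that stores the same card number two ways: with the key on the web server beside the ciphertext, and with envelope encryption, where the server keeps only a wrapped data key and the key-encryption key lives in a separate key service. The `KeyService` class, the `store_card_*` functions and the card number are constructed for this example, and the HMAC-based toy cipher stands in for a real authenticated cipher such as AES-GCM.

```python
import hmac, hashlib, os

# Toy authenticated cipher (HMAC-SHA256 keystream + HMAC tag) standing in for a
# real AEAD such as AES-GCM. Illustration only, not production cryptography.
def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(key, plaintext):
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expect = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class KeyService:
    """Hypothetical separate trust domain (HSM/KMS) holding the key-encryption key; never exports it."""
    def __init__(self):
        self._kek = os.urandom(32)
    def wrap(self, dek):
        return encrypt(self._kek, dek)
    def unwrap(self, wrapped):
        return decrypt(self._kek, wrapped)

def store_card_colocated(pan):
    """The pattern the commentary warns about: key and ciphertext live on the same server."""
    key = os.urandom(32)
    return {"config_key": key, "ciphertext": encrypt(key, pan.encode())}

def store_card_envelope(pan, kms):
    """Envelope encryption: a fresh data key per record, persisted only in wrapped form."""
    dek = os.urandom(32)
    return {"wrapped_dek": kms.wrap(dek), "ciphertext": encrypt(dek, pan.encode())}

def read_card_envelope(record, kms):
    """Legitimate read path: the key service unwraps the data key on request."""
    return decrypt(kms.unwrap(record["wrapped_dek"]), record["ciphertext"]).decode()

def recover_from_snapshot(snapshot):
    """What an intruder holding a full offline copy of the web server can recover."""
    if "config_key" in snapshot:
        return decrypt(snapshot["config_key"], snapshot["ciphertext"]).decode()
    return None  # a wrapped DEK cannot be opened without the KEK the server never held
```

Envelope encryption protects copies of the server's disk and database; an intruder with live control of the application and its key-service credentials can still request unwraps, which is why unwrap calls at the key service need logging, rate limits and alerting.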

Past Breaches:
Unknown
