SANS Digital Forensics and Incident Response Blog

Data Breach Notification Law Fail

by Rob Lee

RBS Thief Pulling Money Out Of An ATM

  • 1 Major Bank Compromised By Hackers

  • 100 compromised credit cards

  • 130 different ATM machines

  • 49 cities worldwide

  • 30 minutes

  • $9,000,000.00 stolen

  • Knowing that your victims cannot stop your attacks: Priceless.

If you haven't read the news, then I suggest you take a quick look at what happened to RBS Worldpay back in early November 2008.

I see three challenges here:

  1. With payouts in the millions and a very low threat of arrest, these thieves are becoming more brazen in their crimes. Safe harbors truly exist in the world for cyber criminals, and law enforcement does not have the full cooperation of foreign governments to stop these attacks.
  2. Class action lawsuits and the case studies surrounding TJX's experience are encouraging silence among victims because any type of disclosure is so costly. Blaming the victim organization for a crime is like telling a rape victim that it was their fault: many lambast rape victims on the argument that they should not have placed themselves in the situation that led to it, and as we know, that is a horrible argument. We have to stop the criminals, not keep stoning the victims. Treat the disease, not the symptom.
  3. With victims sharing no details, privately or publicly, the attacks will only get worse because potential victims cannot learn from their experience.

Some thoughts on the challenges: Data Breach Notification laws need a combined industry and government round-table to discuss their effectiveness. Are they helping stop these crimes? Currently, the focus has been on protecting the public, not the victim organization. Not a bad idea, but with the actual costs and subsequent lawsuits running into the millions, victims are opting not to disclose. This defeats the purpose of the notification laws altogether. The disincentives to disclose outweigh the good reasons to disclose, creating a catch-22 for these organizations. With the economy shrinking, can we really expect organizations to do the right thing when doing so increases their risk of a costly lawsuit?

I like the intent of Data Breach Notification laws, but I think the cracks in the initiative are starting to show. Right or wrong, we need to open up this discussion on how to get victims to voluntarily disclose data breach related crimes. If victims are not willing to do so on their own, there are a couple of ideas we could examine to "grease the skids" on proper disclosure.

  1. Insurers of the banks could require disclosure to law enforcement prior to the submission of any claim.
  2. Protect the rights of the victims of these crimes if they voluntarily disclose.

I remember that when my bike was stolen from a garage, I first had to file a police report before the insurance claim would be processed. The same requirement could be applied to financial institutions and their insurers. But that still does not limit the risk of a class action lawsuit, and I doubt granting immunity to a victim, even one that disclosed properly, would be favorable to the public.

We know law enforcement does its best to keep victim information secure, even in court. Victim rights have been around for many years. These organizations are victims and are not the real bad guys in cases like these. And while the crime probably could have been prevented, potential targets need to learn how to defend against the crime before it occurs. I am confident the lessons of a previous breach could have prevented this one from occurring, and sharing of crime details needs to take place for that to be a possibility.

If we really plan to stop these crimes in the future, law enforcement has to arrest the criminals involved, and the industry must have a clear and easy path to get information out quickly on how peer organizations are being compromised. How many of these do we need to go through until the industry truly says, "What we are doing is not working!"

Someone once said: "What is the definition of insanity? Doing the same thing over and over again and expecting different results."

Rob has over 12 years experience in computer forensics, vulnerability discovery, intrusion detection and incident response. Rob is the digital forensic curriculum lead and faculty fellow for the computer forensic courses at the SANS Institute.


Posted February 8, 2009 at 8:36 AM


And while the crime probably could have been prevented, potential targets need to learn how to defend the crime before it occurs. I am confident the lessons of a previous breach probably could have prevented this one from occurring. Sharing of crime details need to take place for that to be a possibility.
Interesting approach and thought. From some perspectives, that was also the intent of some of the notification laws and regulations: to get potential victim organizations to a point where a breach would be prevented, or at least detected in a timely manner.
Okay, so remove the requirement for public notification, what then? Given the state of incident prevention, detection, and response with most organizations today, very little will change, per se.
I agree with the thought that public notification is forcing victim organizations back into their shell, and that we're not seeing the desired results. But to address the 'what we're doing is not working' issue, it appears that organizations may be going back to their old ways; in the words of the immortal bard Homer (Simpson), "if I didn't see it, it didn't happen."
I think shifting the focus to prosecution may be the best approach. But in order to do that, organizations are still going to have to do something to improve their infrastructure and business processes so that LE has some evidence with which to pursue prosecution. It's really not all that hard or expensive, but how many organizations are getting breached for want of an 'sa' password?
Let's do it. Where do I sign up to help?

Posted February 8, 2009 at 8:41 AM


One other thing:
Victim organizations are expressing their pain, which appears to be public notification. I would suggest that if things do not change with respect to the security posture of the victim organizations, the threat of public notification (by the bad guys) will become part of the underground economy that underlies the breaches. In some ways, it already is, but look at breaches like Heartland: based solely on what we've seen in the media, the breach likely occurred well before the first response team was called, and (also according to the media) two sets of analysts reportedly missed some important data.
What about TJX? Were any of the actual intruders ever found or convicted?
What message is this sending?