3400 Bridge Parkway, Suite 101
94065 Redwood Shores, CA, us
+44 (20) 7183-2834
CitySights card hack could generate PCI DSS fallout says Imperva
According to Amichai Shulman, chief technology officer with the data security specialist, the hack itself occurred via a SQL Injection attack. In such an attack, the hacker gains illegal access to information in the database. As media reports have shown, the hacker launched the attack on September 26 over a 3 week period obtaining over 100K credit card details including the account number, expiration date, CVV2, and other personal identifying information such as home and email addresses. Shulman's team had investigated this attack, and what they found was an Indonesian hacker's blog listing numerous websites vulnerable to attack, including the site of CitySights. Interestingly enough, the blog's entry was dated September 9th - more than two weeks prior to the initial attack campaign.
While this case clearly illustrates the security misgivings the company suffered from, CitySights may also be in breach of the PCI DSS industry regulation. The PCI regulation, mandated by major credit-card processing companies such as Visa and Mastercard, defines the required security controls to be placed on the storage and processing of credit cards. The PCI regulation includes specific requirements in regards to the storage of unencrypted credit card data as well as prohibiting the storage of sensitive authentication data (CVV2) all together. Since the hacker was able to gain access to this data, "may indicate that the firm's data security practices are not aligned with PCI DSS requirements", Shulman proceeds to say.
The tour company had offered a 50% discount voucher to its affected customers. Ironically enough, Shulman says, they posted the discount code online, making it in short available for anyone.
For more on the CitySights card database hack: http://bit.ly/fYK8Ro
For more on Imperva: www.imperva.com
The use of information published here for personal information and editorial processing is generally free of charge. Please clarify any copyright issues with the stated publisher before further use. In the event of publication, please send a specimen copy to firstname.lastname@example.org.