Anatomy of a Data Breach Investigation: Interview with Alain Sheer, Attorney with the Federal Trade Commission

February 27, 2009.

The Heartland Payment Systems data breach is on everyone's mind, and the case is now in the hands of the Federal Trade Commission (FTC) if it chooses to investigate. While the FTC will neither confirm nor deny a Heartland investigation, staff attorney Alain Sheer does offer his insight on:
How the FTC investigates data breaches like Heartland's;
The timeline and milestones of such an investigation;
Details of the CardSystems data breach - which closely resembles Heartland's.

TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. We are talking today about data breaches, and we are talking with Alain Sheer, an attorney with the Federal Trade Commission's Bureau for Consumer Protection. Alain, thanks so much for joining me today.

ALAIN SHEER: Well, thanks for inviting me.

FIELD: Could you tell us a little bit about your role within the FTC and what it is that you actually investigate?

SHEER: Yes. I work in the, as you said, the Bureau of Consumer Protection and particularly in the Division of Privacy and Identity Protection, which is a separate division within the bureau. Our division does exactly what the name suggests. We are concerned with privacy and identity protection and identity theft, and the work that we are doing, at least my part of our division is doing, is really to investigate data breach matters. And so over the years we have looked at a fairly large number of data breaches involving a number of companies, companies such as PetCo Animal Supplies and Guess Jean and BJ's Wholesale Club and TJ Maxx and Card Systems Solutions and Lexis-Nexis and others. So the work of the division is really directed at trying to address the security of sensitive information of our consumers.

FIELD: Alain, the case that is on everybody's mind right now is the Heartland Payment Systems data breach that was announced about a month ago. What can you tell us, if anything, about the FTC's investigation of that?

SHEER: Well, for the obvious reasons, the commission's policy is not to confirm or deny a particular investigation.

FIELD: Let's talk about types of cases. You mentioned Card Systems Solutions in particular, which is a case similar. How would the FTC go about investigating a data breach like this? Give us a sense what institutions and agencies and consumers might expect from an investigation.

SHEER: Okay, I would be happy to do that. Before I start I need to make the usual disclaimer, which is that the opinions that I am going to offer are really mine and not necessarily those of the Commission or any individual Commissioner. What I am going to suggest is that the way to understand the scope of the investigations and what we do, it would make sense to talk about what data breaches in general look like based on the cases that we have investigated, the laws that we apply, and then we can talk specifically about the Complaint and the Order in the Card Systems Solutions case. Let's start by saying that we collect information using administrative subpoenas, or what we call a voluntary access letter in lieu thereof, and what we try to do is tailor the requests, the information we are asking for, to the circumstances that we are trying to learn more about in order to avoid being overbroad.

The data breaches that come out of the cases that we have done have certain steps to them. They are not all identical. There is a considerable amount of variation, and this is just kind of a stylized overview about the sorts of ways they proceed, not talking about a particular case, but typically, and it is pretty self-evident, but I am still going to talk about it.

Typically there is an entry point into a network -- sometimes this is a web application, and sometimes it is something else. Once the intruder has found the entry point and gotten onto the network, there is an exploration of the network to find out what kind of servers and services are being used and where sensitive information is either being stored or transmitted, and this might involve something like exploration by using an easily guessed password.
