Anatomy of a Data Breach Investigation: Alain Sheer, FTC Attorney
The Heartland Payment Systems data breach is on everyone's mind, and the case is in the hands now of the Federal Trade Commission (FTC) if it chooses to investigate. While the FTC will neither confirm nor deny a Heartland investigation, staff attorney Alain Sheer does offer his insight on:
How the FTC investigates data breaches like Heartland's;
The timeline and milestones of such an investigation;
Details of the CardSystems data breach - which closely resembles Heartland's.

TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. We are talking today about data breaches, and we are talking with Alain Sheer, an attorney with the Federal Trade Commission's Bureau of Consumer Protection. Alain, thanks so much for joining me today.

ALAIN SHEER: Well thanks for inviting me.

FIELD: Could you tell us a little bit about your role within the FTC and what it is that you actually investigate?

SHEER: Yes. I work in the, as you said, the Bureau of Consumer Protection and particularly in the Division of Privacy and Identity Protection, which is a separate division within the bureau. Our division does exactly what the name suggests. We are concerned with privacy and identity protection and identity theft, and the work that we are doing, at least my part of our division is doing, is really to investigate data breach matters. And so over the years we have looked at a fairly large number of data breaches involving a number of companies, companies such as PetCo Animal Supplies and Guess Jean and BJ's Wholesale Club and TJ Maxx and Card Systems Solutions and Lexis-Nexis and others. So the work of the division is really directed at trying to address the security of sensitive information of our consumers.

FIELD: Alain, the case that is on everybody's mind right now is the Heartland Payment Systems data breach that was announced about a month ago. What can you tell us, if anything, about the FTC's investigation of that?

SHEER: Well, for the obvious reasons, the commission's policy is not to confirm or deny a particular investigation.

FIELD: Let's talk about types of cases. You mentioned Card Systems Solutions in particular, which is a similar case. How would the FTC go about investigating a data breach like this? Give us a sense of what institutions and agencies and consumers might expect from an investigation.

SHEER: Okay, I would be happy to do that. Before I start I need to make the usual disclaimer, which is that the opinions that I am going to offer are really mine and not necessarily those of the Commission or any individual Commissioner. What I am going to suggest is that, to understand the scope of the investigations and what we do, it would make sense to talk about what data breaches in general look like based on the cases that we have investigated, the laws that we apply, and then we can talk specifically about the Complaint and the Order in the Card Systems Solutions case. Let's start by saying that we collect information using administrative subpoenas, or what we call a voluntary access letter in lieu thereof, and what we try to do is tailor the requests, the information we are asking for, to the circumstances that we are trying to learn more about in order to avoid being overbroad.

The data breaches that come out of the cases that we have done have certain steps to them. They are not all identical. There is a considerable amount of variation, and this is just kind of a stylized overview about the sorts of ways they proceed, not talking about a particular case, but typically, and it is pretty self-evident, but I am still going to talk about it.

Typically there is an entry point into a network -- sometimes this is a web application, and sometimes it is something else. Once the intruder has found the entry point and gotten onto the network, there is an exploration of the network to find out what kind of servers and services are being used and where sensitive information is either being stored or transmitted, and this might involve something like exploration by using an easily guessed password.

Once the intruder is on the network and able to move around, there is oftentimes a system of downloading hacker tools, and the tools do a couple of different things. Sometimes they go and look at passwords or try to find passwords, and sometimes they are simply devices to capture sensitive information and maybe store it in a certain file somewhere on the network. And then lastly there is another series of hacker tools that are downloaded and installed whose purpose is to export the sensitive information over the internet to remote computers that the intruder controls. Sometimes the export occurs over an extended period of time.

And so the successful attacks typically have all of these steps, and what we are trying to understand when there has been a breach in our investigations is to figure out what lies behind each one of these steps: to try to understand how the breach occurred, the path that the intruder took in getting to sensitive information and exporting it, what defenses and security measures the company was taking, and what kind of information was taken from the firm.

To further inform what we do in terms of an investigation, let's talk briefly about the laws that we enforce in these cases, and I am really going to talk about the Federal Trade Commission Act, and in particular Section 5 of the Act, which prohibits deceptive or unfair acts or practices. There are two theories that we use in these cases, two legal theories, and they have different elements, which of course informs the kind of information that we try to develop in the course of an investigation.

The first theory is called deception. It is kind of exactly what it sounds like. It is a representation that is material to consumers, meaning it is important to the decision that they make, and that is misleading to consumers acting reasonably under the circumstances. And misleading sounds exactly like what it is; either the statement or the representation is false, or, if it is an objective representation and it has got a number in it, the number lacks a reasonable basis.

Our second theory is unfairness. It doesn't have its dictionary meaning. It is an act or practice that causes or is likely to cause substantial injury to consumers, that is not outweighed by countervailing benefits to consumers or competition and not reasonably avoidable by consumers. As the Commission enforces the FTC Act, the Act requires firms that handle sensitive information to take reasonable and appropriate measures to protect the information. So if the firm makes a representation that it is going to protect the information, and it hasn't taken reasonable procedures or reasonable measures to do so, that may be a basis for a deception allegation. If the firm does not make a representation, we can allege unfairness, and what we would basically be saying there is that by failing to take reasonable and appropriate measures, that is the act or practice that is unfair. The firm puts some sensitive information at risk and in doing so it caused or is likely to cause substantial consumer injury not outweighed by countervailing benefits to consumers or competition and not reasonably avoidable by consumers.

So our investigations seek information that we need to satisfy the legal theories that we might pursue in these matters. Now, on to Card Systems. Card Systems, as I suppose everyone knows, is a card authorization processor, and what I am going to talk about are the allegations that were included in the complaint. I am simply going to go through them and explain as well as I can what it is we are looking at as we do that. We alleged -- and all of these are the allegations in the complaint -- we alleged that Card Systems provided card authorization services to about 119,000 merchants. The merchants that were its clients were able to go to a Card Systems website and view their card authorizations. Typically what that means, and I am speaking just generally here, is that the website connects to a server on the network and visitors to the website are able to extract from that server or database on the network information that is important to them. So Card Systems set up its system so that its client merchants could go to a backend database, as it is called, and view their card authorizations. It allowed or set up that same website to provide information to prospective merchants, and it would allow those prospective merchants to retrieve information about the card authorization services that the company would offer.

The card authorization services are pretty simple to describe. A consumer swipes a card at a merchant that is a client of the company. The card reader takes information from the mag stripe on the back of the card. The mag stripe information is formatted into an authorization request, and then it is transmitted to Card Systems' network. From there, Card Systems transmits the authorization request onto networks, such as Visa or MasterCard or whomever, that eventually connect to the company or banks that issued the card. The issuing banks respond; they send responses approving or denying the request back over the same networks to Card Systems and then to the merchant where the request originated. So it is a pretty straightforward system that involves the collection and transmittal of mag stripe information, and what we found and what we alleged in the complaint was that since 1998 Card Systems has stored authorization responses for up to 30 days on computers on its network. I think everybody is aware by now that mag stripe data is very, very sensitive information, and it can be used to create or make counterfeit cards that look completely genuine and act as though they are genuine.

In the case we made in the complaint, we made a number of pretty specific security allegations, and the gist of them -- I am just going to summarize, and then I am going to tell the story about how we think they could be stitched together and then talk about the specific ones. The basic allegation was that Card Systems engaged in a number of practices that taken together failed to provide reasonable and appropriate security for sensitive information.

It is really important to understand, and this is again informing our investigation, that it isn't just a single failure. It is a series of failures that allow an intruder to be successful. If you go back to where we started, which were the steps in the breach, they are: find an entry point, explore the network, load hacker tools onto the network to find sensitive information, and export the sensitive information from the network. So it is a series of things, problems that are exploited to make out a successful attack. The main allegation in the complaint is that the company engaged in a number of practices that, taken together (not just one), failed to provide reasonable and appropriate security.

Here is what we alleged in the complaint about what happened, and this is kind of a big-picture way of thinking about it, but I think you will see the picture. Starting in September 2004 an intruder used a SQL injection attack, and I will explain what that is in just a moment, to install common hacker tools on Card Systems' network. The tools were used to find the mag stripe data and to export it every four days, starting in November 2004. Through the exploit, through this attack, the intruder got information about tens of millions of credit cards, the mag stripes basically.

SQL (Structured Query Language) injection is a way to construct the database and a way to retrieve information from that database and like many firms, the company here used the SQL language to set up the databases that were to be accessed through its website. So for example, merchants to the website would come to the website and they would use the SQL query to retrieve information about their card authorization requests and that query would be transmitted to the network, to the SQL database where it would be executed. The information would be collected and then retrieved and then displayed on the visitor's browser.

So what we are saying here is that the SQL injection attack was the entry point and that it was used to install hacker tools on the network; the tools were used to find sensitive information and to download it over the network out over the internet.

So let's talk about the specific allegations now, which again go to the source of things that we are interested in learning during the course of an investigation. The first one is that the company created an unnecessary risk by storing information in a vulnerable format, and that is almost always the starting point in the matters that we look at. The company has sensitive information, and that goes to the idea that you really should know what you have, and you should only keep what you need. But the beginning here was the first, among other things, of what the company did not do; it created an unnecessary risk by storing the information in a vulnerable format.

The second is it did not adequately assess the vulnerability of their website and web application to commonly known or reasonably foreseeable attacks, such as SQL injection attacks. That was the entry point. That was the story we told just a moment or so ago about how the intruder got onto the network.

The third of the enumerated security allegations was that the company did not implement simple, low-cost defenses to such attacks. As many of the listeners may know, there is a filter that has been available at no charge for a number of years now that will prevent a SQL injection attack. So when we do our assessment or our investigation, we are always asking, 'Are there simple defenses available to particular kinds of vulnerabilities, and were they in place?' We alleged here that the company did not implement a simple, low-cost defense to SQL injection attacks.

The fourth specific allegation is that it failed to use strong passwords to prevent an intruder from getting control of the network and from finding information on the network. This again goes to the idea, if you go back now to the steps of a successful attack: we now have entry into the network, and now we are exploring the network, and the allegation here is that it did not use a strong password to control movement around the network, and as a consequence the intruder was able to move around the network and find the sensitive information.

The fifth specific allegation we made in the complaint is that the company did not use readily available controls to limit movement between computers on its network and between its network and the internet. This goes to the idea, or the step in the attack, of installing hacker tools and removing information. When the intruder can move around the network freely, of course they are going to be able to find sensitive information, or they may be able to find sensitive information, and if they find it they typically want to download it over the internet to remote computers that they control, and that is the idea of controlling access between computers on the network and the internet. And so what this allegation suggests, basically, is that simple, readily available methods to limit the ability of an intruder to move around the network and find the sensitive information, and then to limit the ability of an intruder to export that information out over the internet, were not being used.

And then the last and final specific security allegation that we made in the complaint is that the company failed to use sufficient measures to detect unauthorized access or conduct security investigations. Going back again to the steps in an intrusion, what this is basically saying is that the intruder was on the company network for a period of time. The intruder was able to load hacker tools on the network. The failure to use sufficient measures to detect unauthorized access is really asking about the methods that might be used to find the hacker tools and that might be used to either monitor or block the export of sensitive information using those tools. In this case, the complaint further alleged that the stolen information was used to make counterfeit cards that were used to make fraudulent purchases, that banks canceled and reissued cards, and that consumers could not use their cards until they got replacements.

If you will think back to the two theories that we talked about, deception and unfairness - since this is not a deception case because no representation was made, the legal theory is unfairness and the elements of that legal theory include showing that the failure caused or is likely to cause substantial consumer injury not outweighed by countervailing benefits. So the idea here really is that we wound up alleging that the failure to use reasonable and appropriate measures was an unfair act in violation of Section 5 of the Federal Trade Commission Act.

Now on to the Order. It is important because it sort of gives you an idea about what we are really looking for in an investigation, and it is also a useful source of information generally.

The Order, and this is common to all of our orders, the Order in Card Systems requires the company and its successor, Pay By Touch, to implement what we call a comprehensive information security program. It has a number of elements to it that are pretty straightforward and pretty simple to understand.

I'm going to read it but it basically says that the program shall contain administrative, technical and physical safeguards appropriate to the respondent's size and complexity, the nature and scope of respondent's activities and the sensitivity of the personal information collected from or about consumers.

So that is basically saying that the program that is required here is really scalable; it depends on the company, it depends on how big it is, how complicated it is, how sensitive the information that it has is. It is not a one-size-fits-all program, but the company is required to have an appropriate program, and it includes designating somebody who is responsible for it. It includes identifying material internal and external risks to the security, confidentiality and integrity of personal information, and that includes looking at employee training, at information systems, and at preventing, detecting and responding to attacks. It requires the company to design and implement reasonable safeguards to control the risks identified through the risk assessment, and it requires an evaluation of the information security program in light of testing and monitoring so that changes can be made to the safeguards that are put in place under the program. That is what the order essentially requires the company to do.

And further, it requires the company to get a third-party assessment every other year for 20 years that certifies that the information security program that the company has put in place actually satisfies the order.

Now there are other provisions in the order, but these are the two that go very clearly to the kinds of things we would be asking about in terms of an investigation because this kind of information security program goes to whether the company has taken reasonable and appropriate measures. So we are looking at these kinds of things in assessing whether the company has complied with the law.

And then finally, the comprehensive information security program covers personal information, and that can vary slightly between different cases depending upon the kind of information that is at stake. But in Card Systems, personal information is defined this way: it is a first and last name, a home or other physical address, an email address or online contact information, a telephone number, a Social Security number, credit or debit card information, a persistent identifier, such as a cookie, that combined with other available information identifies an individual consumer and any other information about an individual consumer that is combined with any of the enumerated items that I listed above. So the big picture here is that our cases, Card Systems included, alleged a series of vulnerabilities that taken together failed to provide reasonable and appropriate security under the circumstances.

Our investigations are really designed to develop, to assess whether the company's security was reasonable and appropriate. So we are going to be looking at the way a breach occurred, the measures that were taken to defend against a breach, the kind of information that was at risk, how much information was obtained, how it was misused, and other details about the way the company does its business.

FIELD: Now, Alain, in a case like that, what types of sanctions might be issued against a company, and what sort of reparations might be granted to consumers?

SHEER: Well, I think I know where you are going and I'm going to give you an answer in just a moment. Basically, the orders that we get in the typical breach case, which is the sort of thing that I have just been describing to you, include injunctive relief, which is: have a comprehensive information security program and get an independent third-party professional to assess it every other year for 20 years. That information, the assessment, is provided to the Commission's Division of Enforcement and it is reviewed there to make sure that we are comfortable with it.

There are a number of other provisions, but they are really housekeeping things like making sure that the right people see the order. We do not typically get consumer redress in these cases. We have gotten it in one case involving Choice Point; you may remember that as a case where people misrepresented themselves to Choice Point to get access to very sensitive information, and Choice Point used insufficient measures to try to verify that customers that were applying for access to their databases were actually who they said they were and had appropriate purposes to get access to that information. The result was that they got very, very sensitive information, including credit report information. In that instance we did obtain redress for injured consumers, but we don't typically do that.

The way to understand that is that in determining whether to seek monetary relief, we look at each case individually and consider a number of factors. In Choice Point, for example, the information that was stolen in many instances was the Social Security number, which allowed the thieves to open new accounts in the consumer's name. The evidence also showed that a significant number of people lost a significant amount of money from identity theft.

In Card Systems, the consumers experienced a different type of injury in the form of fraudulent credit and debit charges, inconvenience and time lost. Although this is a real injury, consumers' losses in circumstances like this are limited in many respects by existing consumer protection laws, bank dispute procedures that kind of spread the loss among the affected companies, and private litigation, for example. Consumers are not typically held responsible for unauthorized charges on their credit cards. So in these cases we have not been getting monetary relief because they are really different from the Choice Point type of case.

FIELD: Now Alain, the process you described with Card Systems sounds like an exhaustive process. Can you give us a sense of what an investigative timeline might look like?

SHEER: It does vary considerably. It can be relatively short, meaning less than a year, and it can be substantially longer. To some extent it depends on the way the company decides to approach providing information to us.

FIELD: So it really is an individual case?

SHEER: It is, it is a case-by-case issue, and it really does depend on actual data. It is not just companies deciding to produce too much; it is also the complexity of the company. If it is a very simple company, then maybe the amount of information that is required is not so broad. If it is a very complicated company with lots of different pieces, then we have to get information about more of those pieces, and that takes longer to put it together, and it takes longer to review it of course.

FIELD: Sure. Now we are hearing an awful lot from consumers; certainly they are hearing from their banking institutions that their accounts might have been compromised and there might actually have been fraud committed on some of these accounts as a result of the Heartland data breach. What advice can the FTC offer to consumers right now that have either heard from their banking institutions or are concerned that their accounts might have been compromised?

SHEER: Yes, I can help you with that, and I am actually just trying to get online now. What I would advise is this: our advice is actually on our website and it is pretty easy to get to. Let me kind of walk you through to where it is and then you can actually see in detail what we recommend. The first place to go is www.ftc.gov, which is our homepage. About a third of the way down the page there is going to be a heading on the right called Quick Finder, and it has got a series of entries in a box there. One of them, in the third column, first row, is called Identity Theft. If you click on it, and I will give you the URL now, it is www.ftc.gov/dcp/edu/microsites/idtheft/. What you get to is a page that is titled Fighting Back Against Identity Theft, and it is the page that includes the information or the advice that the Commission gives.

So for example, toward the bottom of the page there is a highlighted sentence that says, "If your information has been stolen and used by an identity thief," and it gives you a little box called "more" that you can click on. If you go to that box, there is a series of basically frequently asked questions and the first one is, "What steps should I take if I am a victim of identity theft?" and it recommends four steps.

The first is to place a fraud alert on your credit reports and review your credit reports, and it provides you information about how to do that. The second is to close the accounts that you know or believe have been tampered with or opened fraudulently. The third one is to file a complaint with the Federal Trade Commission and it explains how to do that. And the fourth is to file a report with your local police or the police in the community where the identity theft took place.

And so I think if you go to this page and look at the various entries that are offered here, you will be able to get our recommendations about how to proceed.

FIELD: Very good. Alain your insight has been very useful today. I appreciate you taking the time to offer your thoughts and to give us the background.

SHEER: My pleasure.

FIELD: We've been talking with Alain Sheer of the Federal Trade Commission. For Information Security Media Group, I'm Tom Field. Thank you very much.
