Will Stratfor Be Liable for the Security Breach?

Stratfor has sent out this updated message on the hacking of its subscriber data base, which included customer credit card information.

At least one person's data I saw on Pastebin had the full credit card number and 3 digit "CVV" code (I'm not linking to it.) If Stratfor didn't encrypt the card data and left the full credit card numbers and pins on its servers, I wonder whether it failed to be in full compliance with PCI Data Security Standards. See page 14:

Protect Cardholder Data

Cardholder data refers to any information printed, processed, transmitted or stored in any form on a payment card. Entities accepting payment cards are expected to protect cardholder data and to prevent their unauthorized use – whether the data is printed or stored locally, or transmitted over a public network to a remote server or service provider.

Requirement 3: Protect stored cardholder data

In general, no cardholder data should ever be stored unless it's necessary to meet the needs of the business. Sensitive data on the magnetic stripe or chip must never be stored. If your organization stores PAN, it is crucial to render it unreadable (see 3.4, and table below for guidelines).

3.1 Limit cardholder data storage and retention time to that required for business, legal, and/or regulatory purposes, as documented in your data retention policy. Purge unnecessary stored data at least quarterly.

3.2 Do not store sensitive authentication data after authorization (even if it is encrypted). See guidelines in table below. Issuers and related entities may store sensitive authentication data if there is a business justification, and the data is stored securely.

3.3 Mask PAN when displayed; the first six and last four digits are the maximum number of digits you may display. Not applicable for authorized people with a legitimate business need to see the full PAN. Does not supersede stricter requirements in place for displays of cardholder data such as on a point-of-sale receipt.

3.4 Render PAN unreadable anywhere it is stored – including on portable digital media, backup media, in logs, and data received from or stored by wireless networks. Technology solutions for this requirement may include strong one-way hash functions of the entire PAN, truncation, index tokens with securely stored pads, or strong cryptography. (See PCI DSS Glossary for definition of
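Requirements 3.2, 3.3 and 3.4 quoted above translate into a small amount of code. The following is an added example, not Stratfor's code or anything from the PCI Council: it masks a PAN for display, keeps only a truncation plus a keyed one-way hash for storage, and drops CVV and track data before a record is ever written. The form field names and the assumption that the HMAC key lives in a KMS/HSM outside the card database are mine.

```python
import hashlib
import hmac
import re

# Added example, not Stratfor's code; the field names and key handling are assumptions.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvv2", "cvc", "cid", "pin", "track1", "track2"}

def _digits(pan: str) -> str:
    """Strip spaces and dashes and sanity-check the length (13-19 digits)."""
    d = re.sub(r"\D", "", pan)
    if not 13 <= len(d) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return d

def luhn_valid(pan: str) -> bool:
    """Luhn checksum: reject a mistyped number before it is handled any further."""
    total = 0
    for i, ch in enumerate(reversed(_digits(pan))):
        n = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Requirement 3.3: display at most the first six and last four digits."""
    d = _digits(pan)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]

def truncate_pan(pan: str) -> str:
    """Requirement 3.4, truncation: only the last four digits are kept."""
    return _digits(pan)[-4:]

def pan_token(pan: str, key: bytes) -> str:
    """Requirement 3.4, keyed one-way hash: HMAC-SHA256 under a key held outside the
    card database (assumed to live in a KMS/HSM), so a dumped table cannot be reversed
    by hashing every number in the card space the way an unkeyed hash could be."""
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()

def storable_record(form: dict, key: bytes) -> dict:
    """The only record allowed to persist after authorization: sensitive authentication
    data is dropped (Requirement 3.2) and the full PAN is replaced by last-4 plus token."""
    if not luhn_valid(form["pan"]):
        raise ValueError("PAN fails Luhn check")
    rec = {k: v for k, v in form.items()
           if k.lower() not in SENSITIVE_AUTH_FIELDS and k != "pan"}
    rec["pan_last4"] = truncate_pan(form["pan"])
    rec["pan_token"] = pan_token(form["pan"], key)
    return rec
```

The test number 4111 1111 1111 1111 used below is a constructed, publicly known test PAN, not a real card.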

The standards apply to all merchants who take cards, even if they outsource the transactions. Here's more:

PCI compliance is required for any business that accepts payment cards – even if the quantity of transactions is just one.

...Both PCI DSS and the payment card brands strongly discourage storage of cardholder data by merchants and processors. There is no need, nor is it allowed, to store data from the magnetic stripe on the back of a payment card. If merchants or processors have a business reason to store front-card information, such as name and account number, PCI DSS requires this data to be encrypted or made otherwise unreadable

Each credit card company has its own rules and penalties. Many states require merchants to have a written policy on what to do in case of a data breach. (Malpractice insurance companies now include data breach riders that ask you whether you have a written policy in place in case of a security breach and how many records are stored on your computer.)

Some 46 states have data breach security notification laws. Texas, where Stratfor is located, became the first state in 2007 to enact a law requiring merchant compliance with a set of compliance standards.

Texas.... passed a bill that makes businesses liable for any monetary expenses resulting from data security breaches of their company. The data that is specifically covered under this is credit card or other magnetic or chip stored information, and personally sensitive information. The bill also states that businesses must safeguard sensitive information and that they must take action if a data security breach is discovered.

Businesses will be responsible for any costs that a financial institution incurs when they have to replace customer’s cards that may have been compromised as well as repay the financial institution’s legal fees. More importantly, the business is completely liable for any refunded transactions that the bank has to make to the customer.

....The bill does not specify how the data must be stored, so any business that keeps copies of sensitive data, either in an electronic database, or on paper, is subject to this bill. Also, businesses that are PCI compliant are protected.

Stratfor was probably on a private, not public network, and it couldn't have foreseen a hacking attempt, but still, should it have kept its customers' credit card data -- especially pin numbers -- in an unencrypted form on its computers?

While I'm somewhat familiar with the basics of PCI compliance in Colorado, I haven't read the rules and regulations for Texas or all the credit card companies, so I'm not alleging Stratfor wasn't compliant; I'm just asking the question.

It seems to me in hindsight, Stratfor would have been better off using Paypal and forking over a portion of its subscription income, just so it never had to come in contact with its readers' cardholder information.

    Yet another reason (5.00 / 2) (#1)
    by scribe on Mon Dec 26, 2011 at 09:14:55 AM EST
    to be glad I got rid of my credit cards a while back.

    I did also (5.00 / 1) (#2)
    by Edger on Mon Dec 26, 2011 at 10:09:01 AM EST
    About 15 years ago. Now though, I'm going to be needing one again, but this time I'll go with a secured card and use it like a debit card. One of my number one policies is to have no effective debt whatsoever.

    I work in IT (5.00 / 2) (#3)
    by smott on Mon Dec 26, 2011 at 01:43:44 PM EST
    And they were absolutely Non Compliant if they stored data non-encrypted.
    Even companies that do NOT store it but partner with someone who does (often the easier route) must encrypt it when they first collect the info and send it to the partner for storage. At that point they are able to only store the last 4 digits.

    But to actually store the whole number, non-encrypted, plus the second code -- from what I understand they've left themselves wide open for litigation.

    Should be fun to watch!!

    in my opinion, they (none / 0) (#4)
    by observed on Mon Dec 26, 2011 at 03:17:34 PM EST
    were about as thorough here as they are with their predictions.

    hilarious (none / 0) (#5)
    by pitachips on Mon Dec 26, 2011 at 07:57:51 PM EST
    to think that a company that makes money selling "intelligence" to corporate, government, intel-community customers, would care so little about their own security.