Plain FTP and PCIDSS
In my post earlier this week on Server Login Protection, I mentioned how file transfer protocol (FTP) is commonly used, and should not be. A data breach this week hints that FTP was the method of access that lead to the data theft.
The Breach blog reported a breach involving Gloria Jean's Coffees' e-commerce site. Their privacy and security statement aludes to higher standards:
Security
Your purchases at gloriajeans.com are safe. Our site has security measures in place to protect the loss, misuse and alteration of information under our control. We make use of appropriate commercially available software to encrypt order information.
The notification letter to the New Hampshire Department of Justice in the United States (US) says the company:
Locked down File Transfer Protocol (FTP) to specific IP's and implemented SSL encryption to this service for our website
But the strange thing is that it is an e-commerce site and that some of the data stolen was credit card information - card number, name, address and card verification value (CVV), also known as the card security code (CSC) - obtained by modification of the application scripts on the web server. In other words, inbetween the encrypted transfer (using SSL) to the web server and before sending this by an encrypted method to the payment gateway.
Enforcement of the Payment Card Industry (PCI) Data Security Standard (DSS) is much further advanced in the US. So either the site wasn't compliant in which case large fines are winging their way towards Gloria Jean's Coffees Corp, or the auditors may have missed something important here.
See also the related Keeping Up-to-Date with Security Breaches.
Posted on: 10 October 2008 at 07:02 hrs
Comments are filtered automatically and should appear shortly after they been checked.