A data breach at Internet domain administrator and web host Network Solutions has compromised personal and financial data for more than 500,000 credit and debit cardholders. To add more pain to the breach, Network Solutions says it was PCI compliant at the time of the breach.
The breach was discovered in June, was the result of hackers planting rogue code on the company's Web servers used to host mostly small online stores, intercepting financial transactions between the sites and their customers. No further explanation of how the rogue code made its way onto the company's servers was available from Network Solutions. Network Solutions communications representative has no comment due to of the ongoing law enforcement investigation. Compromised data was captured between March - June in 2009, when the breach was discovered.
The last PCI assessment and certification of Network Solutions' networks was completed on October 31, 2008, as per Network Solutions spokesperson Susan Wade. The firm that performed the assessment was the Payment Software Company, a San Jose, CA-based qualified security assessor company.
The 4,000+ ecommerce merchant customers were notified of the breach on Friday, July 24, via an email and a letter sent via US postal service. Network Solutions provides service to more than 10,000 merchant websites. The ecommerce customers are mainly small businesses, mostly "Mom and Pop" type retailers spread geographically across the country. Wade says that Network Solutions has offered them help in contacting their affected customers. Of the compromised data, no fraud has been reported thus far by the four major credit card brands.
Network Solutions has hired TransUnion, a credit reporting agency, to work with it on behalf of its merchants, to contact their customers whose data may have been affected.
Affected merchants can visit www.careandprotect.com, the website Network Solutions set up for them to get more information.
PCI Security Council Weighs In
Just because a company has passed its compliance validation, it doesn't mean that the need for vigilance of security measures should stop, says PCI Security Standards Council General Manager Bob Russo. As for whether Network Solutions was PCI-compliant at the time of the breach, Russo notes, "Until a forensics investigation is completed, an organization can not comment accurately on its compliance status."
The announcement a data breach at Network Solutions underscores the necessity for ongoing vigilance of an organization's security measures, he adds. "Security doesn't stop with PCI compliance validation. As the Council has said many times, it is not enough to validate compliance annually and not adopt security into an organization's ongoing business practices," Russo states. A card data environment is under constant threat, so businesses must ensure their safeguards are also under constant vigilance - "monitoring and where necessary, ongoing improvement. A layered approach to security is absolutely necessary to protect sensitive payment card data - without ongoing vigilance or a comprehensive security strategy, organizations may be just a change control away from noncompliance," he says.
Validation to the principles and practices mandated in the PCI DSS plays an integral part in an organization's security posture, but basic monitoring and logging cannot be set aside after a security assessment is complete, Russo stresses. "Reports by forensics companies suggest that this is an area of weakness among organizations," he says. "An intrusion need not result in card data compromise if an organization is following the 12 guiding requirements of the PCI Data Security Standard."
WebCanDo offers a PCI compliance review service that will ensure your cardholder data and your merchant services are protected.
