CHAPTER 5: THREAT MODELING AND RISK MANAGEMENT

DATA BREACH INCIDENTS AND LESSONS FOR RISK MANAGEMENT

“Observe your enemies, for they first find out your faults.”

From Antisthenes, Greek philosopher, quoted in Diogenes Laertius, Lives and Opinions of Eminent Philosophers, vi. 12

On August 5, 2009, federal prosecutors in the United States charged Mr. Albert Gonzales with the largest credit card data theft and fraud ever to occur in the United States, a combined theft of 50 million credit cards and credit card numbers. According to the indictment proceedings, Albert Gonzales did not act alone, but as a member of a global cybercrime gang that included two hackers in Russia and a conspirator in the United States. Over a period of more than 2 years, Albert Gonzales and his fellow gang members attacked several corporate servers and Web applications and stole credit and debit card data using attack techniques such as SQL injection, war driving, and the installation of network sniffers. To cover their tracks, the members of the gang used different usernames, disabled programs that logged inbound and outbound traffic, and concealed the IP addresses of the originating machines by hiding them behind proxies.

The main objective of these attacks was to steal credit and debit card data and profit from it financially. Specifically, the cyber gang profited from the resale of millions of stolen credit card and debit card numbers, cardholder personal information, magnetic ...

Get Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis now with the O’Reilly learning platform.
