Guidance Software, one of the leading sellers of software used to investigate computer crimes, has had to carry out a forensic investigation on its own systems after a hacker broke in and accessed records, including credit card data, of thousands of customers.
The attack occurred in November, but wasn't discovered until 7 December, John Colbert, chief executive officer of Guidance, said in an interview on Monday. The attack exposed data on thousands of the company's customers, including 3,800 whose names, addresses and credit card details were exposed, he said.
"A person compromised one of our servers," Colbert said. "This incident... highlights that intrusions can happen to anybody and nobody should be complacent about their security."
Guidance sent out letters last week to inform its customers about the breach. Some customers have already reported fraudulent credit card charges. "There have been a handful of cases, but we're only two weeks into this, so I don't know the total size," Colbert said.
Kessler International received notice from Guidance on Monday, three days after it got an American Express bill for about $20,000, mostly in unauthorised charges for advertising at Google, said Michael Kessler, president of the computer-forensics investigative firm.
"We got hit pretty badly," Kessler said. "Our credit card fraud goes back to 25 November. If Guidance knew about it on 7 December, they should have immediately sent out emails. Why send out letters through US mail while we could have blocked our credit cards?"
Regular mail was the quickest way to contact customers, according to Colbert. "We don't have email addresses for everybody, and we found that their physical addresses are more permanent than their email addresses," he said.
Guidance stored customer names and addresses and retained "card value verification", or CVV, numbers, Colbert said. The CVV number is a three-digit code found on the back of most credit cards that is used to prevent fraud in online and telephone sales. Visa and MasterCard prohibit sellers from retaining CVV once a transaction has been completed.
"We found that our systems were storing these numbers that were supposed to be deleted after their use," Colbert said. The company no longer stores CVV numbers, he said.
Guidance's EnCase software is used by security researchers and law enforcement agencies worldwide. The company notified all its approximately 9,500 customers about the attack and has called in the US Secret Service, which has started an investigation, Colbert said.
While Kessler isn't happy, data breaches are part of business, he said. "Obviously Guidance has to do a lot of soul searching to see if they were maintaining their data as required," he said.
The intrusion at Guidance is the latest in a string of reported data security breaches this year. Since February, more than 53 million personal records have been exposed in dozens of incidents, according to information compiled by the Privacy Rights Clearinghouse.
Talkback
This incident makes one wonder why Guidance Software would be chosen as the main forensic tool and training provider by an organization such as FBI.
My experience with EnCase (Guidance Software’s main creation) showed me a very poor quality product. For a few years now I waited nature to follow its course (“survival of the fittest”) and see either a great improvement in EnCase or see another security company be honored contracts by the FBI. Neither happened. The product is not many steps above the 20$ recovery tools you can download everywhere, plus the crashes and the cost – which is in the thousands of dollars.
So again, I ask, why is Guidance still in business?
I have to wonder after after reading this story, where is the boundary between making a mistake and incompetence ? This company obviously doesn't check its own system very often, doesn't comply with credit card security regulations, and then is lackadaisical in notifying its customers about a major security breach! The only thing companies like this understand is to be sued.
How else to instill ethics and responsibility in a company/corporation ? They only understand and care about money. Hit them in the wallet. Either they will raise there standards or be sued until they are out of business. I also wonder if they should be held on criminal charges. Cybercrime software maker ? What a sick joke. This continues to happen and will continue to happen until these companies and their CEO's are held completely resonsible !
This company used the knowledge of law enforcement to improve its product on the pretext of supporting their efforts and then priced them out of the market for the big bucks of the private sector. Maybe this is the pay back they deserve to be shown in their true light as a compnay that claerly has no respect for its customers data. It will be interesting to see if they are subjected to the severe financial penalties that are available and whether that has any impact on their upcoming public offering on the US stock market.