On August 24, the US Court of Appeals for the Third Circuit upheld a lower court ruling granting the Federal Trade Commission the power to regulate cyber security in businesses. The case surrounded a lawsuit brought against Wyndham Hotels by the FTC for failing to protect its customers’ financial data.
The court’s decision is good news for consumers, and will hopefully serve as a catalyst for other major companies to assess how they protect customer data.
FTC v. Wyndham
Between 2008 and 2009, the hotel group suffered three data breaches stemming from brute force attacks and resulting in more than $10 million in fraudulent charges. The FTC cited glaring security errors which allowed relatively simple attacks, including a lack of necessary firewalls, dismal password practices (employee passwords and user names for a Micros Systems login was “micros”), and failure to properly configure software which handled customer credit card data.
The FTC argued such failures by Wyndham violated their own internal policy to protect customer information and mislead consumers. This was the first in which the FTC brought charges against a major company over customer data protection, but it certainly won’t be the last. And with the power to regulate, US businesses will likely see new external policies to comply with as well.
Fighting the Charges
The court’s decision comes on the heels of the salacious Ashley Madison data breach (and subsequent data dump). Ashley Madison is facing at least four lawsuits in the US, each vying for class-action status, over its failure to deliver on its promise to delete customer data after a fee was paid. A Canadian suit filed over the fallout from the breach has a $578M price tag. Legal costs aside, for a service dependent on the privacy of its customers, the damage to its reputation may be priceless.
In the case of Ashley Madison, Wyndham, Target, or any of the others on the growing laundry list of breached companies, loss of consumer confidence is one of the biggest hurdles to overcome. So what could they have done differently not only to stay compliant, but to stay in their customer’s good graces?
- Erect and monitor strategic firewalls: Without comprehensive visibility, firewalls can become akin to last year’s Christmas lights—a tangled mess you’d just as soon throw away than sort out, where one faulty bulb can ruin the whole operation. Effective firewall auditing that defines policies, collects data, and evaluates both is the best first step to firewall cleanup. Once you can see your defenses, you can take steps to optimize them and keep them in continuous compliance. Firewall and change management solutions that automate rule reviews, recertification, and risk assessment of proposed changes are the only feasible way to complete these tasks on an enterprise scale.
- 21st century passwords: The attacks on Wyndham started in 2008—generations ago in technology terms. With calls today for sophisticated username/password protection and multi-factor authentication growing, it seems many enterprises are getting on board. But the message may not have trickled down to SMB organizations who think they have nothing attackers want or surely they’d go after a shinier prize first. If recent attacks on small health systems, universities, and hotels have shown us anything, it’s that value is in the eye of the beholder. Any PPI, credit card, or health data is within attackers’ sights.
- Proper network configuration: To protect your network, you have to see your network—and not as it exists in a vacuum. You have to look with an attacker’s eyes: how can I get in, how can I move around, what can I exploit, and how can I evade detection? With a sophisticated network model, you have an interactive space to learn user rights, analyze access paths, find security gaps, assess firewall changes, and simulate attack scenarios.
It may be too late for Wyndham and Ms. Madison to implement these best practices, but it’s not too late for you. Happy auditing!
See the Skybox approach to security policy management and check out our solutions—Firewall Assurance, Network Assurance, and Change Manager—to strategically close security gaps, automate workflows, and keep you in continuous compliance.
Keep credit card information secure and streamline PCI DSS compliance to meet internal and external policy and easily prove compensating controls are in place.
Automate your firewall rule lifecycle management with the latest version of Skybox—see the latest from 7.5.400 now.