Pay(Pal)ing the Price: TIO’s Inevitable Breach?

Original Entry by: Stuart Wilson

Late last month, PayPal announced that TIO Networks, a company it acquired in July 2017, had suffered a major data breach that potentially compromised the sensitive information of approximately 1.6 million customers.

While PayPal has publicly acknowledged the breach, which could have occurred at any time before the acquisition, affected customers still do not know its full impact, and PayPal has yet to contact them to say what data may have been accessed.

However, in its statement PayPal did say it had “identified a potential compromise of personally identifiable information for approximately 1.6 million customers.”

PayPal should be commended for disclosing the breach and taking responsibility for it. However, its decision to offer free identity theft insurance and credit monitoring tells us that the exposed information is sensitive enough to be used for identity theft or to damage a victim's credit rating. PayPal has also stated that TIO services “will not be fully restored until [PayPal] are confident in the security of the TIO systems and network”, a measure it has taken to protect its customers.

For all the work PayPal is doing to address the impact of this breach, it is striking how long the breach took to identify and disclose. According to reports, the compromise happened some time before the July acquisition and was not announced until November, at least four months later.

TIO Networks and PayPal stand as a message to other companies: the question to ask is not whether a breach will occur, but when it will occur, or whether one already has.

Recorded Network History lets SecOps teams quickly find, rewind and play back the relevant network traffic and investigate security alerts before they turn into more serious breaches. In a breach like TIO's, recorded Network History could also have allowed TIO's own SecOps team to get ahead of the breach before PayPal found it.

For TIO Networks' analysts, the ability to go back to the packets and see exactly what happened on their network could have substantially reduced the damage done by the attackers. And for PayPal, it could have averted the financial hit.

This breach also highlights the need for cybersecurity audits to be a key part of the due-diligence process when companies evaluate potential acquisitions. As we saw with Verizon's purchase of Yahoo, the cost of dealing with an inherited breach can have a significant impact on the value of the company being acquired. Knowing the risk of inheriting such a breach helps the acquirer avoid significant unexpected costs.

With EndaceProbe Network Recorders, SecOps teams can investigate and respond to data breaches quickly and conclusively.

In the event of a breach they can establish exactly what happened: how the attacker got in and what was compromised. That means they can respond proportionately, offering credit and identity theft protection to customers where the breach warrants it, and not where it doesn't.


The Equifax Breach: Lessons for EU Organisations

Original Entry by: Stuart Wilson

Recently, the credit reporting agency Equifax revealed it had been the victim of a massive breach, potentially putting the data of up to 143 million US consumers at risk. As we watched the story unfold, things quickly went from bad to worse. Days after the incident was announced we learned that the attackers had exploited an Apache Struts vulnerability and that a serious configuration error had exposed an Equifax portal in Argentina, and late last week we discovered that up to 400,000 UK-based consumers could also be affected; the key details behind this are yet to be made clear.

The Equifax breach was not the biggest incident of its kind in recent years, but it is certainly one of the most dangerous. Millions of consumers' sensitive personal data, including Social Security numbers, is now at the mercy of fraudsters seeking to steal identities. More worrying still, Equifax waited around six weeks after discovering the intrusion before disclosing it, leaving the affected individuals oblivious to the fact that they were at risk.

With just over eight months to go until the new European personal data regulation comes into force, organisations can look to incidents such as the Equifax breach to learn some valuable lessons.

Compliance is key

With the GDPR in force from 25 May 2018, keepers of personal data will no longer have the luxury of taking months to craft a self-serving response before notifying customers of a breach. Under the GDPR, organisations must notify their supervisory authority of a personal data breach within 72 hours of becoming aware of it, and must inform affected individuals without undue delay where the breach poses a high risk to them. Businesses that fail to do this risk fines of up to 4% of global annual turnover or €20 million, whichever is higher, not to mention the separate penalties that sector regulators such as the UK's FCA can impose.

Additionally, Equifax should be a lesson in awareness for every organisation that has become a data business. For several years, IT departments across Europe have been stretched by an overload of regulation, on top of the constant pressure to make networks deliver ever-higher customer experience expectations.

More complexity means more vulnerability. Compliance and performance now sit at the top of operational agendas, but security still lags well behind the performance mandate. As businesses consolidate data centres, or in some cases move to the cloud, the complexity of their enterprise networks will only grow.

It is crucial that as networks grow more complex, visibility improves to aid management and troubleshooting. You would not, for example, move to dense 10GbE or faster networks to cope with rising demand without making sure you could still see the increased flow of traffic, would you?

The message for organisations is clear: increased complexity must be met with increased security and with transparency about what is happening inside the network day to day. Outsourcing does not transfer that responsibility: cyber risk underwriters do not necessarily assign a lower risk score to companies that use outsourced providers and other third parties to manage infrastructure and take care of, for example, patching.

A company's attitude to security can often be gauged from how it handles third parties and the quality of those relationships. For that to mean anything, though, the processes for dealing with third parties must be properly defined and understood in the first place.

Prepare now, or pay later

The GDPR requires data controllers to implement “data protection by design and by default” (Article 25). This means that systems must be designed from the outset to deliver the right levels of resilience and security; there is no room for manoeuvre here.

The harsh reality is that almost every business will experience a data breach at some point, if it hasn't already. So when the inevitable happens, remaining compliant means being able to detect, understand and report the breach within the 72-hour ‘critical period’. To do that, organisations need a transparent, real-time view of network activity and the ability to identify the cause of an incident quickly and stop it escalating.


Provenance™ helps firms meet new MiFID II regulatory technical standards

Original Entry by: Stuart Wilson

We attended the Fall STAC Summits in Chicago and London recently, and will be at STAC New York on November 7th. At STAC we have been talking about Provenance™, a new feature available now in all our DAG™ 10X cards and coming to our EndaceProbe™ Network Recorders early next year.

The new MiFID II regulatory technical standard on clock synchronisation (RTS 25) imposes tough requirements on HFT firms operating in European markets. Under the regulation, firms must timestamp reportable events with a granularity of 1 microsecond or finer, and keep the clocks producing those timestamps synchronised to UTC with a maximum divergence of less than 100 microseconds. They must also be able to demonstrate traceability to UTC by documenting their system design, functioning and specifications. There are a few technical hurdles to clear to meet those requirements, and Provenance is how we ensure you don't knock any over.
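The two numeric limits above are easy to state and easy to get wrong in practice: a feed can print nine decimal places while the clock behind it only ticks once a millisecond, and a clock that is disciplined most of the time can still drift past 100 µs between corrections. The script below, an added example rather than Endace or Provenance code, checks a batch of events against both limits. It assumes each event has been timed twice, once by the system under test and once by a traceable UTC reference such as a PTP grandmaster, and infers the real timestamp resolution from the data instead of trusting the format. The `Event` type, the function names and the sample events are all constructed for this illustration.

```python
"""Checks for the two RTS 25 clock limits quoted above (HFT row):
timestamp granularity of 1 microsecond or finer, and divergence from
UTC below 100 microseconds. Added example, not Endace/Provenance code."""
from dataclasses import dataclass
from math import gcd

NS_PER_US = 1_000
MAX_DIVERGENCE_NS = 100 * NS_PER_US  # RTS 25: |clock - UTC| must stay below 100 us
MAX_GRANULARITY_NS = 1 * NS_PER_US   # RTS 25: timestamps resolved to 1 us or finer


@dataclass(frozen=True)
class Event:
    """One reportable event seen by two clocks (all values are UTC nanoseconds)."""
    event_id: str
    recorded_ns: int   # stamp written by the capture or trading system under test
    reference_ns: int  # same event as timed by the traceable UTC reference


def divergence_ns(ev: Event) -> int:
    """Signed offset of the system clock from the reference at this event."""
    return ev.recorded_ns - ev.reference_ns


def observed_granularity_ns(timestamps) -> int:
    """Infer the resolution actually present in a set of timestamps.

    A clock that only resolves milliseconds produces values whose differences
    are all multiples of 1_000_000 ns, so the GCD of consecutive differences
    exposes the real step size regardless of how many zeros the format shows.
    With very few samples the GCD can over-estimate the step, so run this over
    a large batch.
    """
    ts = sorted(set(timestamps))
    if len(ts) < 2:
        raise ValueError("need at least two distinct timestamps")
    step = 0
    for earlier, later in zip(ts, ts[1:]):
        step = gcd(step, later - earlier)
    return step


def check_rts25(events) -> dict:
    """Evaluate a batch of events against both limits and name the offenders."""
    breaches = [e.event_id for e in events
                if abs(divergence_ns(e)) >= MAX_DIVERGENCE_NS]
    granularity = observed_granularity_ns(e.recorded_ns for e in events)
    worst = max(abs(divergence_ns(e)) for e in events)
    return {
        "max_divergence_ns": worst,
        "granularity_ns": granularity,
        "divergence_ok": not breaches,
        "granularity_ok": granularity <= MAX_GRANULARITY_NS,
        "breaching_events": breaches,
    }


# Constructed sample data (not a real capture). BASE is an arbitrary UTC epoch in ns.
BASE = 1_700_000_000_000_000_000

# Microsecond-resolved stamps from a clock within +/-43 us of the reference: compliant.
COMPLIANT = [
    Event("ord-1", BASE + 5_000,     BASE + 3_000),      # +2 us
    Event("ord-2", BASE + 1_203_000, BASE + 1_180_000),  # +23 us
    Event("ack-2", BASE + 1_207_000, BASE + 1_250_000),  # -43 us
    Event("ord-3", BASE + 2_500_000, BASE + 2_490_000),  # +10 us
]

# Millisecond-resolved stamps from a clock that has drifted past 100 us: fails both.
NONCOMPLIANT = [
    Event("ord-1", BASE + 1_000_000, BASE + 940_000),    # +60 us
    Event("ord-2", BASE + 2_000_000, BASE + 1_850_000),  # +150 us, breach
    Event("ack-2", BASE + 3_000_000, BASE + 2_920_000),  # +80 us
    Event("ord-3", BASE + 5_000_000, BASE + 4_880_000),  # +120 us, breach
]

if __name__ == "__main__":
    for name, batch in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(name, check_rts25(batch))
```

The divergence check is only as good as the reference clock it compares against, which is why RTS 25 also asks for documented traceability to UTC: a check like this belongs in the evidence trail alongside the description of how the reference is disciplined, not in place of it.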
