Privacy Advisor

Target Breach Fallout Persists; PCI DSS Compliance Tough To Maintain

February 10, 2014

A Verizon report has found that a vast majority of companies that achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS) annually fail to maintain that status, leaving them exposed to potential breaches and other security risks, Computerworld reports. The report found that 11 percent maintained compliance status between each PCI DSS assessment.

Meanwhile, the FBI recently warned retailers that the recent attacks against Target and other brands foreshadow events to come as hackers become increasingly sophisticated at breaking into “antiquated payment systems,” The Washington Post reports. A Forbes editorial questions whether the appropriate steps are being taken to combat this certain future; Dave Altavilla discusses “whitelisting,” a method of “locking-down a machine such that only trusted executables, DLLs and other necessary system and application components are allowed to run—everything else is denied.” Another expert says PCI DSS compliance isn’t enough. The methodology needs to be “deny by default.”

In a column for The New York Times, Robert Neubecker discusses methods consumers can use to protect their own data, given that retailers are struggling to secure it on their end and breaches appear inevitable.

Those Breaches Sure Do Persist

UK-based Barclays has launched an investigation after The Mail reported the personal details of 27,000 customers had been stolen and sold, Reuters reports. The Mail reported a whistleblower notified it of a breach involving customers’ earning data, passport and health details.

In Taiwan, PChome Online has apologized for the “unintentional release of members’ private photo albums via smartphones,” Focus Taiwan reports. The company has not disclosed how many were affected by the breach.

In the U.S., the University of Miami Health System says it has lost “an indeterminate number” of patient records, including Social Security numbers, Miami New Times reports.

And the Nielsen Company has begun notifying an undisclosed number of employees that their personal information may have been compromised after a missent e-mail.

—IAPP Staff