The Green Sheet

Friday, August 19, 2016

Security breaches rise in frequency, cost

Payments analysts have noted similarities between the Bitfinex and Mt. Gox security breaches. Both incidents involved leading bitcoin exchanges with inherent structural vulnerabilities. Tokyo-based Mt. Gox, established in 2010, suffered a series of hacks to its Internet-connected hot wallet that went undetected for several years, resulting in a loss of approximately 850,000 bitcoins valued at $450 million. The company subsequently filed for bankruptcy protection in 2014.

Toronto-based Bitfinex disclosed a $69 million security breach on Aug. 2, 2016, followed by continuous updates on the ongoing investigation and remediation efforts. The company has engaged blockchain forensics firm Ledger Labs Inc. to investigate the incident and recommend security measures. Ledger Labs will also audit the company's balance sheet, including cryptocurrency and fiat asset resources, Bitfinex stated.

Early in the investigation, Ledger Labs identified weaknesses in Bitfinex's backend architecture, according to company sources. Bitfinex operations personnel have already implemented many of Ledger Labs' recommendations, and teams from both companies are evaluating data from the BitGo wallet alert system to determine why it failed to react during the heist.

"We have currently suspended use of the BitGo segregated multi-signature wallet solution and have re-implemented robust and safe multi-signature cold storage procedures, with minimal coins exposed on our hot wallet," Bitfinex stated. "We are reassessing our storage options, both internally and with potential third party multi-sig vendors."

Plugging holes, restoring trust

Bitfinex management is currently exploring ways to compensate customers for losses resulting from the security breach. The company is "committed to making our customers whole," and to building a more secure infrastructure to prevent similar attacks. Representatives acknowledged these efforts will take time and money, and thanked customers who continue to trade on their platform for helping to rebuild their brand.

"The biggest issue with bitcoin trading is in the unregulated landscape that enables bitcoin exchanges and resellers to store customer credentials," said a source familiar with the matter. "If you buy bitcoins and the exchange holding your unique key gets hacked, you will lose your bitcoins. No one should be able to buy bitcoins without being able to control their own keys."

Evolving threat landscape

Cybercriminals are increasingly attacking large cryptocurrency exchanges and enterprise-scale merchant environments with multiple outlets. The recent attack at HEI Hospitality LLC, disclosed Aug. 15, 2016, involved malware that infected 20 properties, including Starwood, Marriott, Hyatt and InterContinental hotels between March 2015 and June 2016, according to the HEI website.

Security analysts have speculated that the malware was capable of extracting payment data in real time, including names, account numbers, expiration dates and verification codes; HEI stated it does not store credit card data. The company posted a list of affected properties, frequently asked questions (FAQ) and a toll-free support number for affected customers on its website.

"Unfortunately, like many other organizations, we recently became aware that several of our properties may have been the victim of a security incident that could have affected the payment card information of certain individuals who used payment cards at point-of-sale terminals, such as food and beverage outlets, at some of our properties," HEI stated. "We are pleased to report that the incident has now been contained and individuals can safely use payment cards at all of our properties."

Employee fraud is also a prevalent threat to enterprise-scale organizations worldwide. Sage Group, a global provider of software, accounting, asset management and payments services headquartered in the United Kingdom with U.S. offices in Atlanta, recently reported a security breach caused by an unauthorized login. The incident may affect up to 300 British customers.

Recommended remedial actions

In a blog post titled "What do you do after a security breach?" (www.sage.com/us/Sage-Advice/Articles/18366/2015/8/20/What-do-you-do-after-a-security-breach), Sage noted the rising costs and frequency of data breaches and recommended the following remedial approach:

  • Get to work immediately: Waiting to follow mandated procedures may result in further damages and penalties.

  • Form a team to address the issue: A cross-functional team, consisting of IT experts, the chief financial officer, public relations departments, third-party specialists and other concerned stakeholders can help companies effectively manage multiple issues.

  • Investigate the cause of the breach: Determining the root cause of the issue can help companies respond appropriately.

  • Brainstorm and implement solutions: Beyond just patching and fixing, it is important to think ahead and implement preventive measures.

  • Follow mandated notifications: Regulatory environments vary across industries and states. Companies need to follow local and federal laws for informing customers and cooperating with law enforcement.

  • Be thorough, honest, and educational when you communicate: "Whether the data breach was unavoidable or due to insufficient security measures and human error, be honest with your customers in that you tell them where the breach originated and indicate the steps you have taken," the authors wrote. "You can reassure them by detailing how you're addressing the issue to prevent it from happening again."