How Chooseus Life Insurance lost its customers’ cardholder details and their trust
In August 2019, reporters began flocking to Chooseus Life Insurance’s head office in Detroit after news leaked that thousands of the company’s customers had lost money due to a security breach. The CEO of this life insurance company released the following statement: “We have had your trust for two years. Please give us 48 hours to identify the source of this theft and take the necessary measures to reverse what has happened.”
With all the newly emerging forms of cyberattacks, the source of the attack was difficult to identify right off the bat. From a black hat sitting on the other side of the world to an insider attack or any customer who unknowingly installed malware on their device, the possibilities were endless. And with more customers losing their money, the situation was getting out of hand.
A team of IT security experts hired by the company discovered that Chooseus Life Insurance, a fairly new company in the market, had yet to become fully compliant with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS presses all businesses that accept, process, store, or transmit credit card information to maintain a secure environment in order to protect customers from losing their card details and getting robbed. This security standard requires merchants to protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy.
A glaring issue found at Chooseus Life Insurance was that every employee had unrestricted access to all company data, including sensitive information like cardholders’ details. There was no access control to critical data, which is not compliant with PCI DSS clause 7.1.
After a quick scan, the IT security experts identified the source of the attack—the compromised account of a sales executive. Upon further investigation, they learned that the sales executive had left his laptop open in a hotel lobby while on a business trip, leading to a computer expert with malicious intent to obtain access to his account and the sensitive data. The hacker got the credentials of this sales executive’s account and robbed customers using their cardholder information remotely. This means that anyone could access the confidential data with just the required credentials, violating PCI DSS clause 8.3.2.
This brings us to the question: Are companies around the world aware that they need to fully comply with PCI DSS? Verizon’s 2019 Payment Security Report indicates that 63.3 percent of businesses did not fully comply with PCI DSS in 2018. One of the major reasons for this is that PCI DSS compliance is a very technical subject to understand and gets pushed down the priority list. Some companies that do comply with the standard fall out of it right after an audit.
Organizations need to understand there is a direct link between being PCI DSS compliant and the ability of the organization to defend against cyberattacks. ADAudit Plus helps companies audit and generate reports on parameters like logon success and failure, changes made by privileged users, file access, and file creation and deletion, all of which are important for PCI DSS compliance.
Real-time alerts can make all the difference between a safe network and a breached one. In ADAudit Plus, it’s possible to enable real-time alerts based on customized conditions and thresholds, and deliver the alerts as an email or text message. Additionally, remediation measures can be automatically initiated using custom scripts when a threat is detected.
NOTE: Chooseus Life Insurance is a fictional company.