Network Solutions had an IT Security incident in June this year that compromised more than 573,000 credit and debit cardholders. In what is becoming a very regular post incident debate the issue being asked is – Do certifications such as ISO27001, PCI really beef up IT Security in companies?
First Network Solutions
In a statement the company says that during the ordinary course of business it “identified unauthorized code on servers supporting some of our E-Commerce merchants’ websites. We promptly removed this code, and all of our E-Commerce servers are functioning properly. No servers supporting networksolutions.com were affected.”
The company then goes on to admit that after conducting analysis with the help of external experts “we determined that the unauthorized code may have been used to transfer data on certain transactions for approximately 4,343 of our more than 10,000 merchant websites to servers outside the company.
Those experts informed Network Solutions on July 13th that this data may have included credit card information, and may have captured transaction data from approximately 573,928 card holders”. Network Solutions adds that it has “notified law enforcement and are working closely with them on the investigation.”
“At this point, we have no reports or other reasons to believe that any credit card account information has been misused and, under established practice, credit card issuing companies generally will not hold our merchants’ customers liable for any fraudulent purchases made using their credit card account numbers that are reported in a timely way to the issuer” a Network Solutions spokesperson says before adding “If you have a merchant account with Network Solutions then you are being encouraged to visit a website established by the company with further information at: www.careandprotect.com”
The effect of this breach is difficult to assess as no further information on the extent of misuse using such stolen information is available.
Given the sketchy details about the incident itself, it is hard for us to comment on what went wrong…but one thing did go wrong for sure… – Network Solutions was PCI Compliant.
That brings us to the question, do these certifications really help. We have seen a spate of security certifications such as ISO27001, PCI Standards and so on, but at the ground level, security incidents seem to continue unabated.
Unless security certifying agencies and standards develop benchmarks for assessing the extent of security awareness and training to end users in organisations, we may continue to see more such incidents in the foreseeable future.