Guidance Software Settles With FTC Over Data Compromise

Guidance Software -- the leading provider of software used to diagnose hacker break-ins -- has settled a case brought by the Federal Trade Commission after a database compromise at the company exposed financial and personal data connected to thousands of law enforcement and network security professionals.

Pasadena, Calif.-based Guidance alerted customers to the incident in a letter sent late last year. The company discovered that hackers had broken into a company database and made off with approximately 3,800 customer credit card numbers.

According to the FTC, Guidance violated federal law when it failed to "implement simple, inexpensive and readily available security measures to protect consumers' data. In contrast to claims about data security made on Guidance's Web site, the company created unnecessary risks to credit card information by permanently storing it in clear readable text" [emphasis added].

Two weeks prior to news of the break-in last year, I had met with Guidance CEO John Colbert, who stressed that the company's software was critical in helping corporations know when a break-in had occurred. Unfortunately for Guidance, the company did not discover that hackers had infiltrated its customer database until several weeks after the actual break-in.

Guidance's settlement with the FTC "bars misrepresentations about security measures in the future and requires Guidance to establish and maintain a comprehensive information-security program that includes administrative, technical, and physical safeguards." The settlement also requires the company to obtain an outside audit of its security defenses every two years for the next decade.

By Brian Krebs  |  November 16, 2006; 12:00 PM ET
Categories:  Fraud  


This is just a taste of the weight the FTC will bring to bear on all public and private sectors when regulation gets passed. The federal government is trying to send a clear message to get your ships in shape *now*.

Posted by: Anonymous | November 16, 2006 3:14 PM

The children of the shoemaker go unshod?

Posted by: kdt | November 18, 2006 10:08 AM

Doesn't say much for their own software if they can't detect a break-in in their own shop! OUCH!

Posted by: rahrens | November 20, 2006 9:19 AM

Actually, Encase is a pretty good product. It is not a network intrusion detection product; it is used for offline inspection of hard drive contents, to recover files, preserve data as evidence, and other investigatory functions. Encase wouldn't have helped detect an intrusion, but it may have helped them determine the scope of the intrusion after it was detected.

The details of the intrusion are not public, as far as I know. Krebs previously reported that it was a compromise of a company database. This could have been the result of something as simple as leaving a weak or default password on a database account, and not protecting the database server with a firewall. The other obvious failures are accounting failures--the big one is that they were storing CVV codes, which is an absolute no-no.

The impact here is the big question mark. There aren't that many Encase customers, but a lot of them (perhaps a majority) are in law enforcement, and law enforcement people don't like having their personal information disclosed. But it isn't clear that what was disclosed included any private information (other than credit cards). Nonetheless, the event may hurt their business.

Then there is the more subtle question of whether systems used to modify product source code were involved in the compromise. If so, the source code would need to be audited; an intruder could have added trojan code to provide a backdoor into any system running Encase. That would be Bad(tm).

Posted by: antibozo | November 20, 2006 9:51 AM
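As an added illustration (not code from the post or from any commenter), here is a small Python audit that flags the two storage failures named in the comment above: a full card number kept in clear text, and a card verification value (CVV) retained at all. The sample rows are constructed; the field names are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample rows, shaped like a customer table. Row 1 shows the
# failure mode under discussion (clear-text card number plus stored CVV);
# row 2 keeps only the last four digits and no CVV.
SAMPLE_ROWS = [
    {"id": 1, "name": "A. Example", "card": "4111111111111111", "cvv": "123"},
    {"id": 2, "name": "B. Example", "card_last4": "1111"},
]

# Field names that hold a card verification value (assumed naming).
CVV_FIELDS = {"cvv", "cvc", "cvv2", "cid"}
# Card numbers (PANs) are 13 to 19 digits long.
PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def audit_row(row: Dict[str, object]) -> List[str]:
    """Return one finding per field that must not be persisted in clear text."""
    findings = []
    for key, value in row.items():
        text = str(value).replace(" ", "").replace("-", "")
        # A Luhn-valid run of 13-19 digits is treated as a full card number.
        if PAN_RE.match(text) and luhn_valid(text):
            findings.append(f"{key}: full card number stored in clear text")
        # A CVV may be used to authorise a transaction but never stored.
        if key.lower() in CVV_FIELDS:
            findings.append(f"{key}: card verification value must not be stored")
    return findings


def audit_rows(rows: List[Dict[str, object]]) -> Dict[object, List[str]]:
    """Map each row id to its findings; an empty list means the row is clean."""
    return {row["id"]: audit_row(row) for row in rows}


if __name__ == "__main__":
    for row_id, findings in audit_rows(SAMPLE_ROWS).items():
        print(row_id, findings or "ok")
```

Running the audit against the sample rows reports two findings for row 1 and none for row 2.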

I live in Switzerland. Ever see the movie "Dumber than Dumb"?

Posted by: Robin Lockhart | November 29, 2006 6:40 PM


© 2010 The Washington Post Company