The breach, discovered in June, was the result of hackers planting rogue code on the company's Web servers, which are used to host mostly small online stores, and intercepting financial transactions between the sites and their customers. No further explanation of how the rogue code made its way onto the company's servers was available from Network Solutions. When asked, Susan Wade, a Network Solutions communications representative, says: "Not at this time. Because of the ongoing law enforcement investigation, we aren't able to release that information."
Compromised data was captured between March 12 and June 8, 2009, when the breach was discovered, says Wade.
The last PCI assessment and certification of Network Solutions' networks was completed on October 31, 2008, says Wade. The firm that performed the assessment was the Payment Software Company, a San Jose, CA-based qualified security assessor company.
The 4,343 ecommerce merchant customers were notified of the breach on Friday, July 24, via an email and a letter sent via the US Postal Service, Wade says. Network Solutions provides service to more than 10,000 merchant websites. The ecommerce customers are mainly small businesses, mostly "Mom and Pop" type retailers spread geographically across the country. Wade says that Network Solutions has offered them help in contacting their affected customers. Of the compromised data, no fraud has been reported thus far by the four major credit card brands, Wade notes.
Network Solutions has hired TransUnion, a credit reporting agency, to work with it on behalf of its merchants, to contact their customers whose data may have been affected. Affected merchants can visit www.careandprotect.com, the website Network Solutions set up for them to get more information.
PCI Security Council Weighs In
Just because a company has passed its compliance validation does not mean that the need for vigilance over its security measures should stop, says PCI Security Standards Council General Manager Bob Russo. As for whether Network Solutions was PCI-compliant at the time of the breach, Russo notes, "Until a forensics investigation is completed, an organization cannot comment accurately on its compliance status."
The announcement of a data breach at Network Solutions underscores the necessity for ongoing vigilance over an organization's security measures, he adds. "Security doesn't stop with PCI compliance validation. As the Council has said many times, it is not enough to validate compliance annually and not adopt security into an organization's ongoing business practices," Russo states. A card data environment is under constant threat, so businesses must ensure their safeguards are also under constant vigilance: "monitoring and where necessary, ongoing improvement. A layered approach to security is absolutely necessary to protect sensitive payment card data - without ongoing vigilance or a comprehensive security strategy, organizations may be just a change control away from noncompliance," he says.
Validation to the principles and practices mandated in the PCI DSS plays an integral part in an organization's security posture, but basic monitoring and logging cannot be set aside after a security assessment is complete, Russo stresses. "Reports by forensics companies suggest that this is an area of weakness among organizations," he says. "An intrusion need not result in card data compromise if an organization is following the 12 guiding requirements of the PCI Data Security Standard."
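The breach described above began with code planted on hosting servers, and Russo's point is that monitoring must continue after the assessment. One concrete form of that monitoring is a file-integrity check over the web root: hash every file once, store the baseline somewhere the web server cannot write to, and re-run the comparison on a schedule so that added, removed or altered files are flagged for review. The script below is an added, self-contained illustration of that check; it is not code from Network Solutions, the assessor or the PCI Council, and the directory layout and file names it uses are constructed for the demonstration.

```python
"""Added example: file-integrity baseline and comparison for a web root.

Not from the article or any party it names. Paths and file contents below
are constructed purely to exercise the comparison logic.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its digest.

    Symlinks are skipped so a link pointing outside the web root cannot
    make the baseline describe files that are not actually served.
    """
    result: dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            result[path.relative_to(root).as_posix()] = hash_file(path)
    return result


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify the differences between a stored baseline and a fresh snapshot."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a fake web root, change it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "checkout").mkdir()
        (root / "checkout" / "pay.php").write_text("<?php // constructed placeholder ?>\n")
        (root / "index.html").write_text("<html>shop</html>\n")
        baseline = snapshot(root)  # in practice: store this off-host, read-only

        # Constructed changes standing in for an unreviewed modification:
        # the checkout page gains content, a new file appears, one is deleted.
        with (root / "checkout" / "pay.php").open("a") as handle:
            handle.write("// appended line\n")
        (root / "checkout" / "extra.php").write_text("// new file\n")
        (root / "index.html").unlink()

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for rel_path in paths:
            print(f"{kind.upper():9} {rel_path}")
```

Any non-empty result should map to a change-control ticket or an investigation; the check is only useful if the baseline is refreshed as part of each approved deployment and the comparison output is logged somewhere the hosting servers cannot alter.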