Organizations shouldn’t ship data to a third party for processing that includes sensitive subscriber credit card and verification numbers, says a Canadian IT security expert.
“There’s absolutely zero reason for a third party to have access to credit card numbers unless they are a payment processor,” said Michael Ball, a former CISO for Canadian organizations who has held several IT security roles.
As a best practice, Ball said, credit card data should be tokenized — that is, substituted with non-sensitive data in the form of an encrypted token. The token can still be used for playing around within an application, but the data it represents can’t be exploited.
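The tokenization Ball recommends, shown as an added example that is not code from the article, from Freedom Mobile or from Apptium: the real card number (PAN) is kept only inside a vault, and everything outside the vault, including any dataset handed to a third party, carries a random token instead. The vault class, the role string `payment-processor`, the token format and the sample card numbers are all assumptions made for the illustration.

```python
"""Added example (not from the article): a minimal tokenization vault.
The PAN never leaves the vault; applications and vendors see only a
random token that keeps the last four digits for support workflows."""
import re
import secrets

# Constructed sample PANs (standard test numbers, not real cards)
SAMPLE_RECORDS = [
    {"name": "Subscriber A", "card": "4111 1111 1111 1111"},
    {"name": "Subscriber B", "card": "5500000000000004"},
]


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, so the vault rejects malformed input."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


class TokenVault:
    """Holds the only copy of PANs; callers outside get tokens.

    Tokens come from secrets.token_hex, so they carry no recoverable
    card data. The last four digits are appended so staff can still
    identify a card the way a statement does (assumed token format)."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}   # same PAN -> same token

    def tokenize(self, pan: str) -> str:
        pan = re.sub(r"\D", "", pan)              # strip spaces/dashes
        if not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("invalid PAN")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        while True:
            token = f"tok_{secrets.token_hex(12)}_{pan[-4:]}"
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the payment-processor role may recover a PAN (assumed policy)."""
        if caller_role != "payment-processor":
            raise PermissionError(f"{caller_role} may not detokenize")
        return self._pan_by_token[token]


def export_for_third_party(records, vault: TokenVault):
    """Build the dataset a support vendor would receive: every card
    field is replaced by its token before the data leaves the org."""
    return [{**r, "card": vault.tokenize(r["card"])} for r in records]


def contains_pan(text: str) -> bool:
    """Crude egress check: flag any 13-19 digit run that passes Luhn.
    A last line of defence before a dataset is shipped out."""
    return any(luhn_valid(m) for m in re.findall(r"\d{13,19}", text))


if __name__ == "__main__":
    vault = TokenVault()
    for row in export_for_third_party(SAMPLE_RECORDS, vault):
        print(row)
```

The point of the design is that a misconfigured vendor server holding the exported rows exposes only tokens; turning one back into a card number requires both the vault and the processor role. The `contains_pan` check is deliberately simple and will produce false positives on other long digit strings, so it belongs in an outbound review step rather than as a silent filter.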
The Payment Card Industry (PCI) standard for handling credit card data doesn’t allow the transfer of real payment card information to third parties, he added.
Ball was speaking after Freedom Mobile acknowledged Tuesday that a third-party processor called Apptium Technologies had not adequately protected a database the carrier sent the firm “to streamline our retail customer support processes.” Data on 15,000 customers “was exposed as the result of a misconfigured server” by Apptium, the carrier said.
Headquartered in Virginia with offices in several cities including Mississauga, Ont., Apptium sells a platform that enables organizations to improve dealings with customers. Telcos are among its target market, with customers including Canada’s Allstream.
Apptium couldn’t be reached for comment by press time.
According to security researchers with a company called vpnMentor who broke the story, the open and unencrypted database included customer names, email addresses, home and mobile phone numbers, home addresses, dates of birth, and credit card and card verification numbers. In an email vpnMentor said the database was accessed through an open port.
The researchers thought there was data on 1.5 million customers, but the carrier said it was 15,000.
Those affected are customers who had opened or made any changes to their accounts at 17 Freedom Mobile retail locations between March 25 and April 15, and any customers who made changes or opened accounts on April 16.
Third-party risk
The risk of third parties being a source of security incidents came to the fore after the 2013 breach of U.S. retailer Target, when hackers got into the company’s system through a heating and ventilation contractor that had online access.
Since then, Ball said, organizations have learned to review the IT security policies of third parties, possibly obliging them to either go through or show evidence of penetration tests to prove their readiness. Service contracts should include penalties for misusing data.
Asked how a primary data provider can assure itself that anyone — employee or third party — doesn’t make mistakes handling data that result in a security incident, Ball said every organization must have processes in place, including checklists for who can access data and how. “There should be a number of ways that would protect data from open Internet access,” he said. “There is no reason for this data to have open Internet access.”