Cottoning on to security

The facts: In June it emerged that casualwear
retailer/cataloguer Cotton Traders had suffered what it termed a
“security issue” in January. Fraudsters had hacked
into its website and gained access to encrypted credit-card data.
Multiple news sources reported that some 38,000 customer records
were compromised; Cotton Traders dismissed that figure as
“widely inaccurate”, though it has so far refused to
provide another figure.

Cotton Traders, which had a turnover in excess of £68
million last year, said that it called in industry experts to
resolve the problem as soon as it learned of the breach. The
company also said in a statement that following the breach it
upgraded the security of its website.

“Cotton Traders is a perfect example of why online
businesses need to secure their website and protect customers
online,” said a spokesperson for Verisign, whose Thawte SSL
certificate is displayed on the Cotton Traders site. SSL, or
Secure Sockets Layer, is a commonly used protocol that encrypts
sensitive data, making it more difficult for hackers to use the
information should they succeed in breaching the site. Cotton
Traders has said that the data were encrypted at the time of the
breach, and a screen shot of the home page from 13th August 2007,
as shown on the Internet Archive website (www.archive.org),
displays the Thawte “Secure Site” logo.

The buzz: Cotton Traders was the focus of much
analysis in the blogosphere once the news broke. Most
commentators felt the company should have done more to prevent
the breach-or at least should have been more honest about it.

Dave Whitelegg, who writes the IT Security Expert blog, commented
that Cotton Traders was using a lot of “smoke and
mirrors”, keeping the breach a secret from customers and
declining to confirm the extent of the damage. Another blogger,
from the Liquidmatrix Security Digest, expressed his surprise at
how long it took for Cotton Traders to disclose the breach.

By declining to provide additional information about the
incident, Cotton Traders may be hoping that the public will
forget about it. But the company’s silence could backfire, by
inflaming consumers, who will spread their opinions virally
throughout the internet. As Andy Barr of PR firm 10 Yetis,
himself a Cotton Traders customer, wrote on his company’s blog,
“I have yet to receive a communication from Cotton Traders,
which worries me slightly, and shows that they maybe have their
head buried in the sand a bit? Cotton Traders should be out
there, engaging with the media, explaining what happened and
reassuring its customers.”

What it means to you: “Fraudsters are
random,” said Ian Glanville, vice president of consulting
for secure-transaction specialist Logic Group, but what happened
at Cotton Traders was by no means an isolated incident.
“Attacks such as this happen all the time,” said
Glanville, who does not believe Cotton Traders was negligent.
“It’s how to prevent a breach that counts.”

Working to achieve compliance with the Payment Card Industry Data
Security Standard (PCI DSS) is vital, the experts agree. The
Logic Group estimates that only 15-20 percent of retailers are
compliant but that the majority are working toward meeting the
standard.

Other advice includes storing as little data as possible and
encrypting whatever data you do keep; being sure you understand
the flow of data in your organisation; addressing application and
network vulnerability; and improving security awareness within
your company.

But although “putting all the security measures in place
makes a breach less likely,” Glanville said, “you
will never remove the possibility of attack.” As for the
Cotton Traders website, he described its upgraded security
measures as “sadly, a case of closing the stable door after
the horse has bolted”.

Related Posts