When a few dozen journalists gathered in Toronto last September for a one-day professional development seminar, they didn’t expect the event on topics like interviewing and filing freedom of information requests to result in some of them having their own personal information stolen.
But the Canadian Newspaper Association (CNA) last week sent a notice to attendees of the 2007 Wordstock seminar, an annual event, warning that it had discovered an intrusion into its computer servers.
CNA co-sponsors the seminar with the Ryerson Journalism Alumni Association.
Credit-card data submitted to pay for Wordstock registration may have been compromised, the association said, and advised attendees to cancel credit cards they used to pay for their attendance.
The details of the breach are sketchy. The Canadian Newspaper Association isn’t talking to the press about the server break-in.
“We’re not doing interviews,” said Susan Down, the CNA employee named as a contact on the warning e-mail sent to Wordstock attendees who paid with credit cards.
As is probably obvious, this reporter attended Wordstock and paid with a credit card, and thus received that notice.
It is possible this is a coincidence, but that credit card was cancelled about two months after Wordstock, when Visa Canada spotted a fraudulent purchase.
“As a precaution, we recommend that you cancel any credit card you used to pay for Wordstock,” the CNA notice advised.
“For your additional protection, you may also consider contacting credit-reporting agencies to put a fraud alert on your file. The fraud alert will let banks and other organizations know to take additional steps to verify your identity before granting any credit in your name.”
The memo goes on to provide contact information for major credit-reporting agencies.
The organization said it has notified the police and will work with them to identify those responsible, and is “conducting a full investigation of the breach with the assistance of our Web services providers and other computer security professionals.”
The memo also says the CNA is “working diligently to further enhance its computer security protocols.”
There is no information on how many people were affected.
Not all Wordstock attendees paid online using a credit card.
One other attendee who was contacted said he paid by cheque. A significant number probably had their registration fees paid by their employers.
The CNA also sponsors other events such as a national conference and the Canadian Newspaper Awards gala.
There currently appears to be no online registration option for either event on the CNA’s Web site, but the archived program for the 2006 conference included an online registration option.
Security experts said the incident was preventable.
Having proper security systems and policies in place could have prevented the intrusion, said Derek Manky, a Vancouver-based security research engineer with Fortinet Inc., a Sunnyvale, Calif.-based maker of security systems.
He said such breaches often result from failure to keep up with security patches, from uneducated employees falling prey to phishing attacks, or from lack of proper firewall and intrusion detection systems.
Tom Slodichak, chief security officer at WhiteHat Inc., a Burlington, Ont., security firm, said the credit card data shouldn’t have been kept unencrypted on the server in the first place.
Security standards published by the Payment Card Industry Security Standards Council about two years ago say merchants shouldn’t store their customers’ credit-card numbers unless they will be used for repeating payments, such as subscriptions paid every month, Slodichak said.
And when credit-card numbers are stored, the standards say they should be encrypted.
Unfortunately, he said, not everyone is compliant with the standards to date. But they should be. “As soon as you undertake to take that form of payment, you’re bound to protect the cardholder.”
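The retention rule Slodichak describes can be expressed directly in code: for a one-off registration payment, keep only a masked reference once the processor has authorised the charge, and encrypt the full card number with authenticated encryption only when recurring billing genuinely needs it. The Go program below is an added illustration and is not code from the article, the CNA or any of the firms quoted. It assumes a random in-memory key as a stand-in for a key management service, and uses the well-known industry test number 4111111111111111 rather than any real card data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

// StoredCard is what a registration system keeps after a payment. For a
// one-off charge only the masked reference survives; Sealed is populated
// only for recurring billing, and then only as AES-GCM ciphertext.
type StoredCard struct {
	Masked string // e.g. "************1111": fine for receipts and support lookups
	Sealed []byte // nonce || ciphertext || tag, or nil when not needed
}

// luhnValid rejects mistyped numbers before any storage decision is made.
// It is a syntax check only, not proof that the card exists.
func luhnValid(pan string) bool {
	if len(pan) < 12 || len(pan) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		c := pan[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// maskPAN keeps only the last four digits, the part the standard permits
// to be held in the clear, and blanks the rest.
func maskPAN(pan string) string {
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealPAN encrypts a PAN under key with AES-GCM. The random nonce is
// prepended so the blob is self-describing; the GCM tag detects tampering.
func sealPAN(key []byte, pan string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), nil), nil
}

// openPAN reverses sealPAN and fails closed on any modification of the blob.
func openPAN(key, blob []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// storeCard applies the rule: validate, always mask, seal only if recurring.
func storeCard(key []byte, pan string, recurring bool) (StoredCard, error) {
	if !luhnValid(pan) {
		return StoredCard{}, errors.New("card number fails Luhn check")
	}
	rec := StoredCard{Masked: maskPAN(pan)}
	if !recurring {
		return rec, nil // one-off registration: the full PAN is never written
	}
	sealed, err := sealPAN(key, pan)
	if err != nil {
		return StoredCard{}, err
	}
	rec.Sealed = sealed
	return rec, nil
}

func main() {
	// Assumption: in production the key lives in a KMS/HSM, never beside the
	// records it protects. A random in-memory key stands in for it here.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	const testPAN = "4111111111111111" // industry test number, not a real card
	oneOff, _ := storeCard(key, testPAN, false)
	fmt.Printf("one-off:   %s sealed=%v\n", oneOff.Masked, oneOff.Sealed != nil)
	sub, _ := storeCard(key, testPAN, true)
	fmt.Printf("recurring: %s sealed=%v\n", sub.Masked, sub.Sealed != nil)
	sub.Sealed[len(sub.Sealed)-1] ^= 0x01 // simulate on-disk tampering
	_, err := openPAN(key, sub.Sealed)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The point of the split is that a server holding only `Masked` has nothing a thief can charge against, which is the position the CNA would have wanted to be in; the encrypted path exists solely for subscriptions and is useless without a key kept elsewhere.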
David Perry, global director of education at security software vendor Trend Micro Inc. of Cupertino, Calif., said even more could be done to guard against improper use of credit-card data, such as adding further layers of authentication.
In Poland, Perry said, any online transaction triggers a call to the buyer’s mobile phone to verify the transaction.
“This kind of data theft is predicated on the fact that we’re using 20th-century technology to protect 21st-century data,” Perry commented.
Perry said small to medium businesses and organizations with limited security expertise in-house should steer clear of trying to run online systems that deal with sensitive data, and turn to hosting services or value-added resellers who have the specialized knowledge to protect the data properly.
New threats and vulnerabilities are constantly emerging and it is next to impossible for small organizations without in-house security expertise to keep up, said Perry. “It’s like the Red Queen said to Alice,” he said, referring to Lewis Carroll’s Alice in Wonderland. “It takes all the running you can do to keep in the same place.”