Guidance turns investigative tools on itself

The forensics software firm says it was compromised by hackers in November. It's just one in a growing list of companies admitting to recent attacks or lax security.

Yet another company this week added its name to the litany of firms that sent out data breach notifications in 2005. But this time, the victim was a security vendor that failed to thwart hackers from stealing thousands of customers' credit card data -- including verification codes that should have already been deleted.

"A person compromised one of our servers," Pasadena, Calif.-based Guidance Software Inc. CEO John Colbert told CNET News.com yesterday. The company is best known for its popular EnCase line of digital forensic tools. "The incident…highlights that intrusions can happen to anybody and nobody should be complacent about their security."

Published reports indicate hackers accessed credit card data on 3,800 Guidance customers, comprised primarily of law enforcement personnel and security professionals. Stolen data included names, addresses and card verification codes found on the back of credit cards to prevent fraud. Such codes are supposed to be deleted after each completed transaction, according to Visa and MasterCard merchant guidelines.

The company elected to notify all 9,500 customers and called in the U.S. Secret Service to investigate the attack that occurred in November. It was discovered Dec. 7, and letters were sent to customers the following week.

For more information

Opinion: 'The rise of dataflation'

CardSystems admits stolen data violated policy

Laptops lifted right under corporate noses

The stolen information apparently already is in use. Michael Kessler, president of the New York-based investigative firm Kessler International, reported receiving a $20,000 American Express bill for bogus online advertising charges almost immediately after receiving a notice from Guidance in the mail.

Kessler criticized Guidance for using postal mail, rather than e-mail. Colbert defended the company's communications mode in the press as the quickest means, given the customer e-mail list was incomplete.

Guidance isn't the only firm having a bad week because of a data disclosure. This weekend Chicago-based LaSalle Bank Corp. reported a tape containing confidential data on 2 million residential mortgage customers was lost in shipment by a Texas-bound DHL International carrier. The tape contained Social Security numbers and account information belonging to customers of ABN AMRO Mortgage Group Inc. The company has begun notifying victims.

These latest lapses bring to a total 53.7 million consumers victimized by thieves since February, when Alpharetta, Ga.-based data broker ChoicePoint Inc. was forced to inform 145,000 impacted citizens that conmen had duped employees into turning over their confidential files. The number was revised to 167,000 revised when the company filed its annual SEC report this year.

Among the year's biggest security breaches was Charlotte-based Bank of America Corp. losing an unencrypted backup tape with private information on 1.2 million customers -- many of them government credit card holders. Hackers made off with debit, check and credit card information on 1.3 million customers of shoe store retail chain DSW, headquartered in Dublin, Ohio. And Atlanta-based CardSystems Inc. was forced to admit it was hacked and 40 million credit card transactions it should never have held onto were stolen.

In addition numerous university and hospital systems lost control of their customer and employee data through laptop thefts and network and server hacks, according to the San Diego-based Privacy Rights Clearinghouse Web site.

Read more on IT risk management