About Adam K Levin | Contact | Videos

The Michaels & Fox Data Breaches: Coincidence or Cohesion?Data SecurityBlogPrivacyIdentity TheftTechnology

"Internet Pirate", via Scott Griessel, ThinkStock.

“Internet Pirate”, via Scott Griessel, ThinkStock.

Well, two fascinating—and repellant—things happened in the last few days, which but for the broadest possible subject matter connection, would seem to be unrelated. On May 6, a group calling itself LulzSec hacked Fox Entertainment network computers and released personal information about people from the database of potential contestants for the popular Fox show “X Factor.” Five days later, the same group announced in quite caustic terms that it also had hacked Fox.com computers to gain access to the personal information, including email addresses, of 363 Fox employees. Within a nanosecond or two, the group also had defaced the profiles of 14 of those employees on LinkedIn, a popular business-oriented social networking site (which found and corrected the hackers’ work quickly and efficiently). These announcements were made by the hackers, appropriately enough, on Twitter—one of the most trafficked social networking sites in the universe.

Within those same few days, Michaels Stores—the popular arts and crafts retailers—announced it had discovered that in at least 80 of its stores nationwide, debit card swipe pads had been either swapped out or otherwise tampered with so as to allow debit card numbers and pins to be systematically and routinely stolen. Unlike other attacks of this type, such as the one directed at Stop & Shop in 2007 in which only a few stores located in the New England region were compromised, the Michaels Stores were geographically located all over the country from New Mexico to Massachusetts. Very quickly it was also discovered that the compromised information had already been used to drain the bank accounts of scores of Michaels customers through the use of ATM machines. The process is quite simple really; the information from the bogus swipe pads is collected and transmitted to the thieves, who quickly create equally bogus ATM debit cards, consisting of very little but a piece of plastic with a magnetic strip. It works just like the real thing at an ATM, though. Michaels announced that within two weeks it would replace more than 7,200 swipe pads at all of its stores, and in the meantime would utilize a much slower yet more secure manual method of processing debit card transactions.

Now what do these seemingly unrelated attacks have in common? First, both were cleverly executed. One assumes that Rupert Murdoch is quite sensitive when it comes to security—data security in particular. It couldn’t have been a walk in the park for LulzSec to hack the Fox computers. Similarly, think of the scale of the Michaels attack; it must’ve taken a large number of folks, all of whom had to be reasonably technical, and all of whom were coordinated in a very precise and premeditated way across all those pads in all those stores in all those states. This crime was organized, even if it was not accomplished by organized crime.
On the other hand, think of the profound differences between these two events. There is no indication that LulzSec was attempting to do anything other than send a pointed and disruptive message. There isn’t a hint of a profit motive, and given the nature of their target, one might naturally assume that these folks are a technologically talented band of fellow travelers out to have a little fun at the expense of the Right. In fact, there is no indication of any criminal motive, aside from the fact that what they did was in itself a crime. But the Michaels battalion of attackers could only be it for the money—and to do what they did they must have invested quite a bit up front. Moreover, the methods of the madness were so different from one another.

So why do I connect these two events?

From the time that I was in grade school, I have always been a fan of Sir Arthur Conan Doyle’s brilliant fictional character Sherlock Holmes. I’ve read all the stories. I’ve seen all the movies with Basil Rathbone and Nigel Bruce. I’ve seen all the movies without Basil Rathbone and Nigel Bruce. I’ve seen every episode of every TV series featuring the character, most particularly the ones starring Jeremy Brett, which I find to be the renditions most faithful to Conan Doyle’s original work. One of the things that always fascinated me about the character was not only his brilliant forensically scientific thinking, but also his pithy expressions of complex and enduring ideas. For example:

“But is it coincidence? Are there not subtle forces at work of which we know little?” — from The Adventure of the Blanched Soldier.

Had Sherlock ever lived, and were he alive today, would he not perceive those subtle forces at work in both the Fox and Michaels debacles? That the humans who act on those subtle forces probably don’t know each other and never will has nothing to do with it—the subtle forces are a pervasive part of the modern world in which we live. Whether for prank or profit, the vulnerability of the digital systems on which we—and indeed our entire economy—rely have served to create those forces, just as the sun and the moon create our wind and weather.

My point is really quite simple: new technology brings with it new opportunity, new convenience, and new problems. When asked why he robbed banks, Willie Sutton famously (and probably apocryphally) said “that’s where the money is.” Now the money is everywhere in digital form. Clever thieves don’t need guns. And those thieves are aided and abetted by everyone who hacks databases and publishes private information. As we have often said in this column, once your personal information is out there, it’s OUT THERE. So while LulzSec and the Fox breaches likely played no role in the Michaels fraud, whatever the motives of LulzSec may be, they are potential enablers of for-profit criminals, identity thieves who grab every piece of personal data that they can, correlate various bits of information from different sources, and thereby make their attempt to perpetrate fraud more sophisticated and more likely to succeed.

The digital world has made mincemeat of coincidence. The attacks on Michaels and Fox are part of the suddenly obvious zeitgeist of exploiting data vulnerability—for whatever purpose. And everyone who does it helps everyone else to do it, sooner or later, for better or worse. Right now, the only countermeasure we have is to remain cautious and vigilant, individually and as a society. If you check your bank account online every day, you can’t be too harmed at an ATM machine, given the ubiquitous daily limits on cash withdrawals. And Michaels, which no doubt has a security department, needs to get on the stick and work with law enforcement to prevent further compromises, and to design systems and procedures to more effectively protect their customers from problems like this in the future.

As another favorite fictional character of mine once said: “Keep watching the skies.”

Note: Regarding the moniker LulzSec—I’ve spent all week trying to figure out the meaning of that abstruse name, and all I know is that “lulz” is Internet slang for laughs, and according to the group’s twitter page, LulzSec stands for “The Lulz Boat.” Maybe Gavin McCloud is behind this?

Originally posted at Credit.com.