According to databreaches.net, StudentCity.com — a student travel company that specializes in spring break vacation for US college students, according to their site — notified the NH Attorney General’s Office over a data breach. What attracted my attention is that they’re claiming that credit card information that was protected with encryption was broken in some cases.
266 in NH Affected
StudentCity knew something was up on June 9, 2011 when I assume people started to call in to complain:
StudentCity recognized…that it was beginning to receive a pattern of reports from a very small number of students that credit card accounts that were used for purchases…..were subsequently being used to conduct fraudulent transactions.”
According to the letter sent to the NH AG, a database was affected and contained the following: names, credit card numbers, and passport numbers; however, they emphasized that the credit card and passport information was not in the same record for the majority of the cases.
StudentCity also detailed future plans regarding data security. They will not collect credit card information going forward (it will be done by a specialized processor) and password numbers will be stored after applying strong encryption on the data. (I guess the implication is that the passport information was not encrypted until now.)
A total of 266 New Hampshire residents were affected, although the bigger question remains: how many were affected in total?
Credit Card Information was Stored in Encrypted Form
One of the more eyebrow-raising aspects of this story is that the hackers were somehow able to crack the encryption used to protect the credit card numbers in certain cases.
Under PCI-DSS, any credit card numbers that are stored by a merchant (something that a company has to do if their business is based on recurring billing, such as your wireless phone provider) must be encrypted. AlertBoot, for example, keeps any such information protected with AES-256 encryption.
Now, what’s stupefying is not the fact that encryption was broken. As detailed elsewhere in this blog, encryption can be broken given enough time; that’s why you want to be using strong encryption, where “enough time” is counted in decades if not centuries.
Based on what I’m reading, I’ve got to assume that a weak form of encryption was used. I guess this is a good time to remind everyone that not all encryption is created equal.
Due to advances in technology was well as data security theory (and research in general), what was once secure will indubitably become anything but. This is why, for example, DES (Data Encryption Standard), a once widely-used encryption algorithm is not used to secure anything worth securing.
In fact, it was replaced by AES (Advanced Encryption Standard), which is offered in AlertBoot disk encryption (in 256-bit form).