Welcome to This Week’s [in]Security. This week: the UK has experienced 41 breaches a day, Google+ (again), a Facebook photo faux-pas, a medical record dump, the Equifax breach report, and follow-on for Starwood and TicketMaster. A Canadian payment study is out, a massive bomb hoax, wrong thinking, cyber-security scores, another country fines Facebook, more on encryption back-doors, half of cloud databases are not encrypted, and criminals building their own guns.
Now here's this week’s selection of news, opinions, and research. Quickly skim annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy and find them useful.
PCI Compliance and Payments
News and announcements relating to Payment Security, Payments, PCI, and Card Brands.
Breach notification emails are now arriving in inboxes across the planet. The impact on companies that have people travel on business is impressive (just as an example, more than 40% of our staff have received one). The information is also available at https://info.starwoodhotels.com (which redirects to https://answers.kroll.com/).
As of August 2017, Equifax was listed as being PCI compliant with a due date of August 31, 2017 (per archives of card brand compliance registries).
Their 2016 assessor company left the business sometime in 2017, so they were presumably working with another company (per archives of PCI approved QSA company lists).
The breach was announced in early September 2017 (per the report).
Stunningly, the government breach report contains the following on page 80: "Equifax was in the process of making the ACIS application Payment Card Industry (PCI) Data Security Standard (DSS) compliant when the data breach occurred".