Data Breach Could Test Massachusetts Law

UPDATE: The Massachusetts Attorney General has been notified that financial data on 1,800 residents were exposed in a database breach linked to CitySights NY, a sightseeing firm. The case could set the stage for enforcement of the State’s nine month-old data privacy law.

Financial data on 1,850 Massachusetts residents was among account information for 110,000 customers stolen from servers belonging to Twin America LLC, the parent company of CitySights NY, according to Amie Breton, Deputy Press Secretary in the Office of Massachusetts Attorney General Martha Coakley.

As Threatpost reported yesterday, Twin America has disclosed that it was the victim of a SQL injection attack on a CitySights Web server that provided unknown assailants with access to the company’s customer list, including names, addresses, credit card account and CVV2 (card verification value) data.

The breach, which occurred in September, was discovered by a Twin America Web programmer in October and came to light when the company’s attorney wrote letters to states’ attorneys general disclosing the breach. A copy of the letter from the company’s attorney, Theodore P. Augustinos, to the Attorney General of New Hampshire, dated December 9, was published online. Approximately 300 of the victims were New Hampshire residents.

A call from Threatpost to the Massachusetts Attorney General’s office confirmed that Coakley’s Office received a similar letter on December 10, specifying that 1,850 victims were Massachusetts residents. 

The case could be a test of Massachusetts’ new data privacy law, known as 201 CMR 17. That law, which took effect on March 1, 2010, is one of the toughest in the nation. It addresses the misuse of personal data by individuals, companies and third-party providers that store, collect or use personal information, including name, social security number, driver’s license number or financial information on Massachusetts residents, regardless of whether those organizations are based in or have offices in the state.

The Massachusetts Attorney General has not yet made any moves to enforce the law, nor has it given much guidance on what kinds of enforcement actions may be pending, said Cynthia Larose of the law firm Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

“We’ve been trying to engage folks from the (Attorney General’s) Office on what their thinking is and there’s been no comment,” Larose said. “I think they’re waiting for the right matter to come along.” The CitySights case may be just such a matter, Larose said.

Among other things, 201 CMR 17.00 requires organizations that store personal information on Massachusetts’ residents to encrypt personal information at rest – in databases, servers, laptops, desktops, mobile devices. Data transmitted over wired or wireless networks also must be encrypted.

Attorney General Coakley’s Office said it doesn’t confirm or deny investigations and it is not clear whether there were any violations of 201 CMR 17 in the CitySights case. However, it appears the possibility of cases being brought under 201 CMR 17 or similar state laws at least occurred to Twin America. The letter sent from Attorney Augustinos of Edwards Angell Palmer & Dodge to New Hampshire Attorney General Michael Delaney notes, specifically, that the compromised database did not contain “Social Security numbers, drivers’ license or other state-issued identification or other personal information” – all types of personal information called out in the Massachusetts law. 

Larose said that, while Twin America/CitySights attorneys may be hoping to slip under the radar, the combination of Massachusetts residents’ names with their credit card numbers is enough to put the company on the wrong side of 201 CMR 17.

“It would seem to be a matter that would be ripe for further investigation,” Larose said.

Among the questions the Attorney General’s Office would want to answer is whether Twin America had a written information security plan (or WISP) as required by the Massachusetts law. If the Attorney General’s Office does decide to pursue the matter, Larose said that attorneys in the state and around the nation would be watching to see what kind of case it brings forward.

For example, the Attorney General might decide to pursue CitySights for violations of the State’s consumer protection laws (Massachusetts General Laws Chapter 93A), for making inaccurate claims to customers about how it would protect their data, or for specific violations of 201 CMR 17. Whatever the case, some action would be welcomed by the legal community because it would help clarify the Attorney General’s interpretation of the scope and force of the new law, Larose said.

Twin America’s attorney did not immediately respond to requests for comment on the case.

Federal privacy legislation has been on the back burner on Capitol Hill for years, and this year’s 111th Congress will adjourn without meaningful reform. In recent days, both the Federal Trade Commission and the Department of Commerce have called on the U.S. to improve privacy protections for consumers. The FTC released a report (PDF) dubbed “Protecting Consumer Privacy in an Era of Rapid Change” on December 12. That report included a call for a “Do Not Track” mechanism for Web browsers, among other changes. The Department of Commerce issued a similar call for a privacy “Bill of Rights” that would replace a universal federal law with industry-specific rules negotiated with commercial players and with input from the DOC and FTC.

Discussion

  • Anonymous on

    I thought merchants weren't supposed to store the CVV2 number, even encrypted.  (VISA, Rules for Visa Merchants)

  • Anonymous on

    Forget Massachusetts law...I wonder what the Federal PCI repercussions will be?

    They can fine you per breach, meaning this incident could bankrupt a company.

  • Anonymous on

    Failure on the coder's part.  Do they not know that using bind parameters will prevent SQL Injection?  I smell broken window syndrome here...

    Failure on the BA's part.  You are NOT allowed to store the CVV2 information, encrypted or not, learn to read your PCI compliance people.

    These guys should be fined, and the coders and BA's fired.

  • Anonymous on

    It would have been nice if the lawyer from the Attorney General's office had read the regulation which defines personal information as:

    "Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public."

    Pretty clearly, name plus account number is all that is required.  My mind is boggled by the failure of government employees to actually know what they are talking about.

  • Jack Daniel on

    "My mind is boggled by the failure of government employees to actually know what they are talking about."

    Pay attention to the Mass AG's commentary and actions on 94H and 201 CMR 17.00 and you will grow sadly accustomed to this.

    My immediate question is about violation of the breach disclosure law, 93H: were Mass residents notified as required by 93H?  If not, that could really bring this company into the MA AG's crosshairs.

  • Jack Daniel on

    Sorry, typo on my last comment, I meant 93H, not 94H...

  • Anonymous on

    First, 201 CMR 17 is a set of regulations associated with MA's data breach law (93H), not a standalone law. Second,  PCI is an industry standard, not a Federal law.  So CitySights is going to get hit from 2 totally different directions - Visa/MC etc,  and x-number of AGs with state data breach laws.  The fact that MA AG has been notified suggests that CitySights is getting good legal counsel.  MA AG may coord with other states, as they did with TJX, re: any investigation and fines.

  • Eugene Tyrrell on

    A couple of comments:

    1) They should not be storing CVV code. Major violation. If they are making such a blatant miscue I can only imagine what other 'worst practices' are being employed. 

    2) I believe I have a correction to the author but am open to other opinions.

    The author states:

    201 CMR 17.00 requires organizations that store personal information on Massachusetts' residents to encrypt personal information at rest - in databases, servers, laptops, desktops, mobile devices. Data transmitted over wired or wireless networks also must be encrypted.  

    To the best of my knowledge, 201 CMR 17.04 does not require encryption on servers, databases and desktops. It focuses on data in transit over public or wireless networks and mobile devices. See 17.04(3) and 17.04(5).

    I have had vendors lump this all together in attempt to make a sale but the standards I have read do not mandate this. Thanks

  • Irv on

    MA 201 CMR 17.00 is a Joke!

    There is VERY LITTLE compliance - even, or especially, with law firm offices (who "should" know better).  And, the AG office, who is supposed to be responsible for compliance with the new regulation, is not doing much, if anything, to force compliance.

    When the compliance date passed, I was waiting for the AG office to do something to at least check to see if anyone is in compliance.  Hand out a heavy fine, publicize it, and then - maybe - people would take it seriously.

    At first, I thought it was because the AG was running for office.  But it's been a LONG time since the compliance date and she didn't win the seat.

    A law, on a piece of paper, doesn't do much to protect personal identity.  Let's all just wait for another TJX incident - then, maybe, the AG or the governor 'might' do something. (doubt it)

  • Anonymous on

    Your comments on encryption are wrong and misleading: you only have to encrypt across public networks (wired and wireless) and on laptops or personal devices (17.04.3 and 17.04.5); encryption of databases is not required, only adequate and reasonable controls. Please get facts right when posting an opinion as fact, and misleading at that. This kind of information could be damaging to Security Professionals if they quote you as fact.

  • Markiyan on

    According to the PCI DSS standards CVV/CVV2 data that is on the back of the card (front for Amex) is never allowed to be stored after the card is run. It doesn't matter if the data is encrypted or not, it's not allowed to be stored at all in any facet.

    This is what happens when you leave sensitive data in the hands of someone who is not equipped to protect it and I think it's important to point out that there are numerous solutions out there that offload this responsibility on the credit card processors and greatly reduce the possibility of this type of breach.

    For example, tokenization takes a credit card number/transaction and assigns a non sensitive number to it that is useless if stolen. This gives the user the ability do all the functions they could ever need like reporting or running refunds without having to hold onto the credit card data and risking getting compromised.

  • Anonymous on

    PCI is not a Federal regulation, it is an industry regulation.  Although they have certainly committed a crime in not protecting the data, they have absolutely not violated a "PCI Law".

    Also, encrypting your data in a database doesn't generally protect against SQL injection attacks.  With SQLi you are able to abuse the application and get it to return information for you that you should not have access to, and since the information displayed back to a user is always done so in an unencrypted format, the database encryption aspect is meaningless.

    Use parameterized SQL statements or stored procs, simple enough...
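The article describes a SQL injection against a Web server that exposed the customer list, and the comments above make two points about it: bind parameters prevent the injection, and encrypting the database column does not help because the application decrypts on the way out. The following added example (written for this page; it is not CitySights/Twin America code and nothing here is taken from their systems) shows both points side by side on a constructed SQLite table. The customer rows, the `AT_REST_KEY` value and the SHA-256 keystream cipher are all stand-ins chosen for the demonstration; the cipher is only there to model "encrypted at rest" and is not a recommendation for real storage.

```python
import hashlib
import sqlite3

# Constructed sample data for the demonstration (not real customers).
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "Alice Example", "4111111111111111"),
    ("bob@example.com", "Bob Example", "5555555555554444"),
]

# Assumed key for the at-rest stand-in cipher below; a real deployment would
# use a managed key and an authenticated cipher, not a constant in source.
AT_REST_KEY = b"demo-key-not-for-production"


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Stand-in keystream: SHA-256 over key || nonce || counter. Illustrative only."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def encrypt_at_rest(row_id: str, plaintext: str) -> bytes:
    """Model 'column encrypted at rest': XOR with a per-row keystream."""
    data = plaintext.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(AT_REST_KEY, row_id.encode(), len(data))))


def decrypt_at_rest(row_id: str, blob: bytes) -> str:
    return bytes(a ^ b for a, b in zip(blob, _keystream(AT_REST_KEY, row_id.encode(), len(blob)))).decode()


def build_db() -> sqlite3.Connection:
    """In-memory customer table. CVV2 is deliberately not a column: PCI DSS
    forbids retaining it after authorization, encrypted or not."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT PRIMARY KEY, name TEXT, card_enc BLOB)")
    for email, name, card in SAMPLE_CUSTOMERS:
        conn.execute(
            "INSERT INTO customers VALUES (?, ?, ?)",
            (email, name, encrypt_at_rest(email, card)),
        )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The defect: user input is spliced into SQL text. Whatever rows the
    resulting statement selects, the application decrypts before returning,
    so at-rest encryption does nothing for the caller of this function."""
    sql = f"SELECT email, name, card_enc FROM customers WHERE email = '{email}'"
    rows = conn.execute(sql).fetchall()
    return [(e, n, decrypt_at_rest(e, c)) for e, n, c in rows]


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """The fix from the comments: a bind parameter. The input is sent to the
    engine as a value, never parsed as SQL, so it can only match a literal email."""
    sql = "SELECT email, name, card_enc FROM customers WHERE email = ?"
    rows = conn.execute(sql, (email,)).fetchall()
    return [(e, n, decrypt_at_rest(e, c)) for e, n, c in rows]


def stored_blob(conn: sqlite3.Connection, email: str) -> bytes:
    """What actually sits on disk for one row (shows the column is not plaintext)."""
    return conn.execute("SELECT card_enc FROM customers WHERE email = ?", (email,)).fetchone()[0]


def demo() -> dict:
    """Run both lookups with an honest input and with a classic tautology payload."""
    conn = build_db()
    payload = "' OR '1'='1"  # turns the WHERE clause into a tautology in the vulnerable path
    return {
        "honest_vulnerable": len(lookup_vulnerable(conn, "alice@example.com")),
        "honest_parameterized": len(lookup_parameterized(conn, "alice@example.com")),
        "payload_vulnerable": len(lookup_vulnerable(conn, payload)),
        "payload_parameterized": len(lookup_parameterized(conn, payload)),
    }


if __name__ == "__main__":
    print(demo())
```

The payload makes the concatenated query return every customer, with card numbers already decrypted by the application, while the parameterized version returns nothing for it and exactly one row for a real address. Note that `stored_blob` shows the column really is ciphertext on disk; the leak happens above the database, which is the commenter's point.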