Original URL: http://www.channelregister.co.uk/2005/12/20/guidance_security_breach/
Computer forensics firm Guidance Software has itself become the subject of a hack attack, prompting warnings to its clients in law enforcement and computer security that their financial details may have been exposed.
In a letter sent out last week, Guidance warned its customers that a November attack on its databases might have exposed details of approximately 3,800 credit cards. Guidance stored customer credit details on an unencrypted database along with card value verification (CVV) numbers, a violation of merchant guidelines issued by both Visa and Mastercard. The names, addresses and telephone numbers of clients were also exposed.
New York-based computer forensics firm Kessler International, a Guidance Software client whose payment details were exposed as a result of the breach, uncovered $20,000 in unauthorized charges on its AmEx account following the attack, the Washington Post reports (http://www.washingtonpost.com/wp-dyn/content/article/2005/12/19/AR2005121900928.html). The full scope of losses remains unclear. Guidance has called in the US Secret Service to help investigate the attack.
John Colbert, Guidance's chief exec, told the paper that the firm notified clients two days after uncovering the security breach. Following the attack, Guidance has decided to stop storing customer credit card details (a policy change that invites the question why it held those details in the first place, we'd note).
"This certainly highlights the fact that intrusions can happen to anybody and that nobody should be complacent about security," Colbert said. California-based Guidance Software was obliged to disclose the attack under the state's information security disclosure laws. News of the breach has prompted tough questions about why Guidance violated basic security guidelines on the processing of credit card details. The firm touts the ability of its EnCase software to merge computer forensics analysis with incident response, yet it took the firm almost two weeks to detect an attack on its own systems.
Guidance cites the ongoing investigation into the attack as its reason for declining to discuss the implications of the attack. The assault on Guidance Software follows a whole bevy of internet security breaches involving major US corporations including data mining firm ChoicePoint, payment processing firm CardSystems Solutions and others over recent months. ®