State-Based Australian Government Entity

Higher level of PCI accreditation prompts credit card assessment

There are clear rules around the management of sensitive data, set out by the Payment Card Industry (PCI) regulation. This is split into different levels, based on the volume of card transactions. When this department’s transaction volume exceeded six million per year, they were required to move from level 2 to level 1. Credit Card Cleanup Project Manager at the Government Entity explains further: “Whereas our level 2 compliance mainly relied on self-assessment reports, level 1 involves external audits through qualified assessors, as well as quarterly network scans by approved scanning vendors. To achieve level 1 accreditation, we needed a much clearer view of our data so that we could provide evidence to an auditor. Our main data repositories were email with Microsoft 365 Outlook shared mailboxes, network drives, and OpenText Content Manager, which we leverage as our electronic document and records management system (EDMRS).”

This came at a time when security breach alert levels were high in Australia. A couple of high-profile data breaches had affected an estimated two thirds of all Australian adults personally. When people are personally affected by a security breach, this tends to heighten overall awareness, and professional environments were closely examined to assess their risk.

We recommended Voltage Fusion, designed to identify all sensitive data across a variety of repositories. This discovery solution provides visibility over vast data estates, across many data silos.

Voltage Fusion exposes sensitive data worth AUD$200 million in the wrong hands

The organization turned to our trusted OpenText Cybersecurity MSSP, WyldLynx. Carl Duncan, General Manager at WyldLynx, comments: “We recommended Voltage Fusion, designed to identify all sensitive data across a variety of repositories. This discovery solution provides visibility over vast data estates, across many data silos. Our client’s team was a fan of Content Manager and trusted Micro Focus (now OpenText) solutions. Voltage Fusion is underpinned by AI-driven OpenText IDOL, which is well-known in the globally for its proven track record in data discovery. The client was confident that Voltage Fusion, coupled with our implementation expertise, could support the data discovery process.”

The goal was to find all credit card patterns and remove any data relating to current and valid credit cards, to demonstrate compliance to a PCI-qualified assessor. “The client was really not expecting us to find worrisome volumes of sensitive data at all,” says Duncan. “In fact, the plan was to manually manage the sensitive data that would come to light. However, much to everyone’s surprise, within half an hour of starting our scan with Voltage Fusion, we were finding large volumes of credit card data within the email Exchange system, as well as on the network drives. When we included Content Manager in the scanning operation, things really escalated, and before we knew it, we were looking at over 32,000 credit card numbers.”

Shocked by this discovery, and because Voltage Fusion is designed to discover more than just credit card data, the team felt it prudent to highlight what other personal data might be lingering in the systems. The aim was to report any further risk items that could negatively influence a bigger compliance picture. In addition to the credit card data, the scan revealed over 90,000 captured passport numbers, nearly 7,000 driving license numbers, and close to 12,000 healthcare ID numbers. To put this in context, after the highly publicized security breaches in Australia, BDO commissioned research into the value of data on the dark web*. This revealed that credit card details can be obtained for AUD$38, while a driving license goes for AUD$526, and a passport is worth AUD$2,255. For this client that means that if the exposed data makes it into the wrong hands, it will be worth well over AUD$200 million.

Voltage Fusion is underpinned by AI-driven IDOL which is well-known globally for its proven track record in data discovery. The client was confident that Voltage Fusion, coupled with our implementation expertise, could support the data discovery process.

Tried and trusted solution with 89% data discovery accuracy rate

WyldLynx prepared a cyber security risk assessment report for the client, which was instrumental in this project moving from just a finance-focused exercise to support PCI compliance, to a much wider ongoing data discovery initiative. Now that the data issue is clearly visible to the client’s stakeholders, decisions need to be made on how to manage this. Clearly the volumes are beyond manual management, and the client is looking at different options, including other OpenText (formerly Micro Focus) Cybersecurity solutions, to remediate, remove, dispose, protect, or encrypt the sensitive data in its systems. Voltage Fusion will play an ongoing part in the future management of sensitive data within the department. Duncan works with many other clients on similar projects and explains the rather unique position Voltage Fusion has in the marketplace: “Many clients use Content Manager as a main data repository, and Voltage Fusion is the only solution that can effectively scan and discover Content Manager data. We’ve spoken with clients who have tried other tools, in particular to discover credit card details. They found ~90 percent of alerts to be false positives, which is a huge time waster. Voltage Fusion, in contrast, has a discovery accuracy rate of ~89 percent and has therefore established itself as a tried and trusted solution to support our clients in their data discovery journey.”