part A and part B
1
TruTrust Loyalty Programmes
Dr Ian Storey, Dr Shaahin Madani, 2020
TruTrust, headquartered in Melbourne Australia, currently manages a shared customer
loyalty programme for 5 small-to-medium sized retailers. They prepare loyalty cards used by
customers. Note: the customers of TruTrust are the retailers who have customers who use
the cards.
They are hiring your team of consultants to perform an information security risk analysis and prepare a risk mitigation. They might later hire you to perform a mitigation program depending on how convincing your advices are and how well you present your work.
The CEO of TruTrust, Henry Faithful, has invited your consulting team to investigate the cyber security at TruTrust and produce a risk analysis and report. Henry is worried about his security and particularly that his server may have been hacked.
TruTrust maintains a database of customers, loyalty points and retailers. Customers of retailers register for TruTrust with a username and password, and they are given an ID. The ID is printed on a card and is contained in an NFC chip on a card issued to the customer by post. When registering, customers must supply a name and address (for postage of the card), but a phone number is optional. The NFC card can be read by readers supplied to retailers, or the customer can type the ID when purchasing online to gain loyalty points. Retailers’ details are also stored in the database.
TruTrust’s server is eight years old and is running in a small room. It is using the Window’s 7 OS. All data is stored on this server and retailers can access APIs that run on the server. It has sometimes been down for extended periods of time after experiencing problems. The APIs of the system provide service to retailers and customers, and an ID is required before any interaction with an API.
2
Given the unique nature of the business, Henry has hired the best designers and developers he could afford to build the system from scratch. For the original phase, he hired three developers: Jerry Hackintosh as a coder, Vincent Van Diesel as a web developer, and Wendy Flare as a designer. The team was disbanded eighteen months after the start of development. Jerry was retained for ongoing and maintenance work.
Backups consist of Henry’s making a single copy of the DB files only on a USB stick that he carries around with him. He usually does this each weekend, but often leaves the system running for a month without backup.
Jerry is a little worried about a lack of UPS and the use of a free antivirus Henry found on the Internet, but Henry feels a UPS is an unnecessary expense, especially since they are trying to “grow the business”, and the antivirus has “rave reviews” but it seems to have little or no patching capability. Jerry is also worried about the fact that customer passwords are stored in the clear. There is no system-wide intrusion detection and no network segmentation.
Henry has another employee, Wendy Jorgenson, who works as a receptionist and who keeps control of accounts. Wendy is reliant on the TruTrust software for cashflow related to the core business, but all other transactions, including tax reporting, is done using an old accounting software on her personal laptop.
The company has indicated in preliminary discussions with your consultation team that they would consider spending on the order of 100 to 300 thousand dollars on the risk analysis and mitigation strategy (implementing the controls that you recommend).
In your analysis, you will investigate the company more deeply to “discover” more about TruTrust’s information security.
Note: changes were made to the Privacy Act which may affect TruTrust if they are audited. See,
https://ballawyers.com.au/2018/01/28/privacy-act-changing/
https://www.legislation.gov.au/Details/C2019C00025
TruTrust wants you to cover the threat from loss of customer transaction data.