For companies that are in the business of collecting, storing or monetizing user data or processing large numbers of transactions, it’s a matter of when, not if, they will suffer a major compromise or data loss. Most recently the giant wheel of pain stopped on Global Payments, but a weird thing happened on the way to Internet infamy: the story kind of died.
When word of a data breach at a major payment processor began to circulate at the end of last week, speculation was that the incident might turn into something on the level of the attack on Heartland Payment Systems, TJX’s compromise or the ChoicePoint conflagration. Observers worried that if the payment infrastructure at one of the major processors had been compromised and the attack had extended to some of the company’s merchants, then the repercussions for customers and consumers would be far-reaching and tremendously painful. It could mean major investigations at the merchants, weeks or months of uncertainty as the institutions try to figure out what was compromised, what data disappeared and where it went.
In many of these incidents in the past, the companies involved have hemmed and hawed, released little or no information, blamed everyone but themselves and then said that although they had world class security in place at the time of the attack, they would make it even better with some magic infosec beans.
But that’s not what happened in this case. Instead, Global Payments on Friday came out and said that it was the victim of the much-rumored breach, explained that it had detected and self-reported the incident and that it would be providing as much information as possible as the investigation continued. Company officials owned up to the intrusion, explained clearly what the scope of it was, what data was affected, and, most importantly, answered every questions that came their way. There was no equivocation, no dissembling and no finger-pointing.
“Approximately three weeks ago, we identified that cardholder data may have been taken. We jumped on this instantly,” Paul R. Garcia, CEO of Global Payments, said in a call with investors on Monday. “We found this and we reported this within hours. There are parts of this we still need to resolve and button up, but it’s absolutely contained to the best of our knowledge.”
In the spectrum of responses to data breaches, that’s about as clear a statement as you’re going to get. Garcia seems to have gotten some good advice for dealing with a compromise. He didn’t make any grand pronouncements about the company’s security practices or say that the incident was a failure of some unnamed partner or third party. Nor did he promise that something like this would never happen again. He kept it simple and went the route that many security and privacy experts have advocated for years but is rarely trod: direct and open.
“This is the first incident and we hope it’s the last. This is an ongoing process and we’re getting better and stronger every day,” Garcia said.
What Garcia did was leave critics and observers little or no room in which to fit their knives. And that’s a bewildering thing for veteran watchers of the data breach landscape. The predictable, expected response is deny, deflect and delay, so when something other than that occurs, it can be disorienting. Here’s hoping for more disorientation and bewilderment and less predictability.