How to Make a Data Breach Disappear

For companies that are in the business of collecting, storing or monetizing user data or processing large numbers of transactions, it’s a matter of when, not if, they will suffer a major compromise or data loss. Most recently the giant wheel of pain stopped on Global Payments, but a weird thing happened on the way to Internet infamy: the story kind of died. 

When word of a data breach at a major payment processor began to circulate at the end of last week, speculation was that the incident might turn into something on the level of the attack on Heartland Payment Systems, TJX’s compromise or the ChoicePoint conflagration. Observers worried that if the payment infrastructure at one of the major processors had been compromised and the attack had extended to some of the company’s merchants, then the repercussions for customers and consumers would be far-reaching and tremendously painful. It could mean major investigations at the merchants, weeks or months of uncertainty as the institutions try to figure out what was compromised, what data disappeared and where it went.

In many of these incidents in the past, the companies involved have hemmed and hawed, released little or no information, blamed everyone but themselves and then said that although they had world class security in place at the time of the attack, they would make it even better with some magic infosec beans. 

But that’s not what happened in this case. Instead, Global Payments on Friday came out and said that it was the victim of the much-rumored breach, explained that it had detected and self-reported the incident and that it would be providing as much information as possible as the investigation continued. Company officials owned up to the intrusion, explained clearly what the scope of it was, what data was affected, and, most importantly, answered every question that came their way. There was no equivocation, no dissembling and no finger-pointing. 

“Approximately three weeks ago, we identified that cardholder data may have been taken. We jumped on this instantly,” Paul R. Garcia, CEO of Global Payments, said in a call with investors on Monday. “We found this and we reported this within hours. There are parts of this we still need to resolve and button up, but it’s absolutely contained to the best of our knowledge.”

In the spectrum of responses to data breaches, that’s about as clear a statement as you’re going to get. Garcia seems to have gotten some good advice for dealing with a compromise. He didn’t make any grand pronouncements about the company’s security practices or say that the incident was a failure of some unnamed partner or third party. Nor did he promise that something like this would never happen again. He kept it simple and went the route that many security and privacy experts have advocated for years but is rarely trod: direct and open.

“This is the first incident and we hope it’s the last. This is an ongoing process and we’re getting better and stronger every day,” Garcia said.

What Garcia did was leave critics and observers little or no room in which to fit their knives. And that’s a bewildering thing for veteran watchers of the data breach landscape. The predictable, expected response is deny, deflect and delay, so when something other than that occurs, it can be disorienting. Here’s hoping for more disorientation and bewilderment and less predictability.

Discussion

  • Adam on

    "Company officials [...] answered every question that came their way."

    Just read Brian Krebs' blog and his questions he never even had a chance to ask on the call and never got answers. Global Payments just refused to discuss any further details of the breach. Your statement seems far from truth.

  • mike mastela on

    The number of accounts breached in the initial report was less than 50k, now it's well over 1.5M, hardly what I would call honest or forthcoming. This is a distressing trend, RSA sat on their breach for a while before going public too and that dilutes the public's right to know in a timely manner.

  • Anonymous on

    I can only assume a large payment provider such as Global Payments would have been compliant with the PCI Data Security Standards (DSS).  That being the case, this begs the bigger question "how reliable is the DSS for actually securing and protecting cardholder data?". 

  • Anonymous on

    PCI DSS is the low watermark, not the high watermark.  So, you meet the audit requirements, and then improve from there. 

  • MadMark on

    PCI is a non-prescriptive standard that implies that the subject organization is doing what it needs to do to handle credit card data appropriately.  It does not certify that there are solid, repeatable processes in place, or that the organization has all of the controls in place to ensure that it is reasonably secure, never mind "breach-proof".

    The fact that the number of affected customers has grown from 50k to 1.5m should be no surprise to anyone that has ever done an investigation. As you pick at the wound, you find out that the infection is worse than you initially suspected, based on early intel.

    IMHO GP has done a good job of managing spin.  They are not attempting to hide or deflect.  Yet.  Let's see how it develops from here.

    Just my 2¢, collect the whole dime.

    Mark

  • Independant on

    And PayPal is also a payment processor, so why do they have an unblemished global history? The data security world is an abysmal failure! The lack of security performance speaks volumes as it pertains to their security commitments. This is a numbers game! Records processed equals $. Tough security is an expense. Minimum standards are cheaper, reduce costs, and yield a higher margin. Honey is sweet, especially if you're not on the hook for losing it for the honey makers!

    The security of a customer's data starts with the customer, the card user... So what is it today? ZERO! A customer's zip code? Why not a secret handshake... a 3 digit security code? Present your card to a merchant and watch the cashier turn the card over and read everything needed to steal the card. Anyway, it's a low percentage of theft in this manner, an acceptable loss to the payment processor. They get their money for processing a valid transaction as well as a fraudulent one.

    Breaches of this magnitude don't happen by way of the groupy hacker. Look no further than organized cartels and their titular governments world wide.

    If your lock can't keep the lock pickers out, use a higher quality lock and rotate the access key every thirty seconds. One access per key, then a new key. If you can't control the key ring, you're hopelessly inept and need to retire to some island in the South Central Pacific with A. Earhart.

    $anction the processors for these breaches, make it BITE HARD. See how fast security tightens up.
