Companies Need to Be More Honest About Breach Information

Sue Marquette Poremba
Slide Show

Five Warning Signs Your Security Policy Is Lacking

Warning signs of a weak security policy from SunGuard Availability Services.

Even though the news about the PCI breach broke on Friday, it almost seems like old news. In a way, it was old news when it was released because the breach of Atlanta-based processor Global Payments didn't just happen. According to Krebs on Security:

In separate non-public alerts sent late last week, VISA and MasterCard began warning banks about specific cards that may have been compromised. The card associations stated that the breached credit card processor was compromised between Jan. 21, 2012 and Feb. 25, 2012. The alerts also said that full Track 1 and Track 2 data was taken-meaning that the information could be used to counterfeit new cards.

This morning's news reported that 1.5 million credit and debit card numbers may have been compromised and that Global Payments discovered the breach in early March.


There are millions of credit and debit card users who are now wondering if their financial records were breached, but the truth is, that information may have been abused for more than a month before the users ever found out. As Marcus Carey, security researcher at Rapid7, told me in an email:

Considering we are hearing that the initial breach of the credit card processor may have been compromised as early as Jan 21, 2012, this means that cards details may have been available for exploitation for over two months. Also there is speculation that the breach may have occurred between Jan 21, 2012 and Feb 25, 2012, which suggests the attackers may have had continuous access to data for over a month.

There are two issues to look at here. First is the length of time between the actual breach and the discovery of the breach. Second is the length of time between the discovery of the breach and the announcement of the breach to consumers. As far as I know, we don't know exactly how long it took Global Payments to discover the breach after it happened. But if it was really a month between the breach and discovery as some have insinuated, here is a prime example of why having a top-notch security team is more important than ever. As Neil Roiter, research director at Corero Network Security, pointed out:

It is still unclear how the credit card breach was carried out as Global Payments remained tight-lipped regarding its details, stating only that the attack was contained' while at the same time confirming that some 1.5 million records had been compromised. Despite this, it is clear that cyber attacks are continuing and succeeding.
Cyber criminals are evolving their attack techniques. Companies need to do the same. In addition, companies need to understand that no combination of security measures guarantee a breach won't occur. It is critical, therefore, that if an attack is not stopped in its tracks, the company has the tools in place to quickly detect and mitigate it.

The second point, the length of time between discovery of the breach and its announcement is an on-going discussion. The Securities and Exchange Commission has instituted guidelines on how to report a breach, and individual states have laws that require reporting a breach in a certain amount of days after the breach is discovered; however, there is a lot of disagreement about time frames because, as one security person told me last year, there is a lot of information to verify before you can report. Or maybe it doesn't really matter when the breach is reported because as Carey said, the damage is already done:

In reality, it only takes an attacker a couple of minutes or hours to breach massive amounts of stored credit card files or databases. If an attacker can't access stored data, they may monitor and capture the transactions as they are processed on a system or traverse a network.

By the time consumers are notified, the damage is already done. Perhaps that is the most important thing to convey: Their information has been at risk for some time and companies need to do a better job revealing when the breach happened, rather than be vague about it. Again from Carey:

At this point until we have more information, we don't know exactly what happened. The news of this breach speaks of the challenging nature of 1) How difficult it is protecting your data 2) Recognizing an intrusion and responding to them in a timely manner. I'd be concerned though if I had used parking garages in and around New York City in the first quarter of 2012.

Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.


Add Comment      Leave a comment on this blog post

Post a comment





(Maximum characters: 1200). You have 1200 characters left.




Subscribe Daily Edge Newsletters

Sign up now and get the best business technology insights direct to your inbox.

Subscribe Daily Edge Newsletters

Sign up now and get the best business technology insights direct to your inbox.