The Fraud Blog with Tracy Kitten

Questions About Global Payments' Answers

Breached Processor's Response Only Raises New Issues

Global Payments' public response to the data breach that exposed card data on 1.5 million debit and credit accounts has raised more questions than it has answered.

Why did Global wait three weeks to notify the public? And had the story not been broken by blogger Brian Krebs, would we have seen a public acknowledgment of the compromise?

On the notification front, Global went only as far as it was required to. The processor notified Visa and MasterCard when its internal systems detected anomalous activity that hinted at a breach. And the company notified law enforcement. But initially it issued no public statement.

So, would we know about the breach today if Krebs hadn't broken the story?

So far, Global has not engaged in dialogue about the breach, presumably because the investigation is ongoing. We're being told what Global wants to share.

During the April 2 investors' call turned press conference, the company's executives entertained no questions from journalists, only financial analysts. And even though Global this week launched a special section on its website dedicated to consumer and merchant information about the breach, most of the information is stagnant - nothing's been updated since April 2 - and nowhere on the site is there even a form for users to submit questions.

So, it brings me back to notification. Should more be done to communicate information about the breach?

From RSA to Epsilon and Sony, data breaches are becoming far too common. But because we lack standardization for incident response and notification, the rules are murky and the best practices unclear.

And here's another problem with no standardization: Because of the way Global explained its breach, we still don't have a clear picture of exactly what happened.

"There's not a lot of transparency here," says Gartner analyst Avivah Litan. "It's not very clear what is going on. The language that was used by Global Payments is very different than language we've seen before. They talked about 1.5 million records exported; usually what you hear is how many were potentially compromised."

I suspect we'll learn more in coming weeks - at least I hope we do. What I'd really like to see is more information, not just about how processors like Global are expected to respond to a breach, but what actions are being taken now to keep everyone abreast of new developments. Who will lead this charge?

The evidence so far is discouraging.

About the Author

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years' experience, she covered the financial sector for 10+ years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.
