Overview

Senetas on Deciphering Information Security Blog

Cyberspace in the 21st century demands that organisations know where their information is, how secure it is, and what measures are necessary, or sufficient, for effective data protection. The Senetas leadership team comes together to share news and views related to information security and data protection in the face of new and emerging cyber threats. They comment on the latest trends and business strategies that minimise the risk to personal and corporate information. Your comments are welcome.


What’s The Cost of Data Breach Disclosure?

Friday, February 05, 2010

By John DuBois

My attention was drawn recently to a statement by the US company that suffered a massive data breach in 2008, affecting 100 million customer records. Heartland Payment Systems has offered to pay $US 60 million to issuers of affected Visa-branded credit cards.


The total cost of this breach continues to escalate. Heartland processes credit and debit card payments for more than 250,000 American businesses. Both Visa and MasterCard were apparently affected by the breach, so perhaps another multi-million dollar settlement is still to be negotiated, while a class action lawsuit is also underway.


Certainly this will mount up to many dollars per lost record, but what price do you put on the loss of reputation incurred by this organisation? It is ironic that one credit card company uses the word “priceless” in its advertising.


Heartland CEO Robert Carr was quick to point the finger at the payment card industry, explaining that the breach was caused by someone placing a listener program in the stream where data in motion was not encrypted (my emphasis).


Just how much data is at risk? Well, a data network running at 10 Gigabits per second can carry 208,000 records a second, 1 million every 5 seconds, or 12 million records a minute (at a 6 KB average record size).


In a story reported in PC World on May 8, 2009, Heartland was said to be developing a true end-to-end (E2E) encryption system for its merchants. And the reason why: “Currently, processors must unencrypt customer credit card data on the last step due to legacy systems in place (at) the card companies…”


Last year at a gathering of card issuers, Carr reportedly handed out USB drives containing the malware code found on the Heartland system at the time of the breach, so that other payment processors could look for malware on their own systems.


It is a bit late to shut the stable door after the horse has bolted. So isn’t it time consumers (both business and home consumers of credit and debit card services) got proactive? We need to press regulators to mandate that the industry encrypt all records in transmission, from the point of sale through the production network, and also when they go to be archived in the data storage network.


John

