Amid breach fallout, Global Payments struggles with public message

Global Payments Inc. of Atlanta, the credit card processing firm that was breached sometime earlier this year, couldn't keep hackers out of its system, but the firm's leaders seem determined to keep the press outside their public relations wall.

Since the breach became public March 30, the company has issued a general statement and set up a web page for customers and merchants.

Garcia instead spent most of the conference call in self-congratulatory mode, saying that the company's own security measures detected the breach, that it notified law enforcement and card associations "within hours," and that so far there had been no fraudulent activity on any of the compromised cards.

This, says Bruce Schneier, chief security technology officer at BT, should be no surprise. "They are going to do what they think is best for the company," he says, acknowledging that trying to block media coverage might not be the best strategy.

He said the Tylenol case from 30 years ago, in which manufacturer Johnson & Johnson was unusually transparent with the press and public after somebody laced capsules with cyanide, "is a great example because it is so rare -- (a case of) full disclosure and getting ahead of the story and irrational panic. But in the heat of the moment, that is not always what people do."

Independent security consultant James Arlen says his best guess is that GP wants to have "a well-defined story to tell prior to letting anyone in. Essentially, it's cleaning up the crime scene to ensure that only their version of what happened will come to light."

Security blogger Brian Krebs, who broke the story of the breach last Friday, reported that as many as 10 million cards may have been compromised, that sources had told him there had been fraudulent activity on at least 800 cards and that both Track 1 and Track 2 data had been taken.

But Garcia said during the conference call that the breach had occurred early in March, that 1.5 million cards had been compromised, and that only Track 2 data, which includes the card account number and expiration date, along with other data, had been stolen. He said the attackers did not get cardholder names, addresses and Social Security numbers. He characterized much of the reported information about the breach as "rumor and innuendo, most of it incredibly inaccurate."

The information security community views that skeptically. Krebs wondered on his blog if Garcia was talking about two separate breaches.

Chester Wisniewski, senior security adviser at Sophos, says that at a minimum, Garcia "sounded evasive in his statements. If this is one incident, there is a bit of a smell about it." There will still be fallout for GP. Although it was certified compliant with PCI DSS prior to the breach, Visa announced over the weekend that it had removed the company from its registry of PCI DSS-validated service providers, pending its own forensic investigation.

Garcia acknowledged that the company would likely face fines from card companies and have to cover the costs of issuing replacement cards.

But Schneier says the good news for GP is that long-term damage is unlikely. "The data we have is that the effects are short-lived, both in how they affect customers and stock prices." Indeed, being PCI compliant is little more than a public-relations gold star -- a "low bar that is not enough to protect you," according to Wisniewski.

Arlen says in the real world, "it's very easy to be compliant without being secure and secure without being compliant. Equating security and compliance is like equating 'ability to drive' with 'correctly uses hair products.' Both are necessary for a great car commercial but there is no transferable skill between them."

All three say it is possible that auditing of the firm's compliance was not rigorous enough. "There is no way to know for sure," Wisniewski says, "but the difference in auditors can be vast. They shouldn't just be checking boxes; they should require proof that things are effective and doing the job properly."

Arlen suggests following the money. "The client pays the auditor to produce a report. As long as the auditor is beholden to the client, the auditor is at risk of doing what is necessary to ensure the flow of funds," he says.

"What will be truly telling is the level of transparency from the card brands, the issuing banks and the affected processor itself," he adds. "If this is a transparent process that includes significant details about what mistakes were made and by whom, I will have my faith in humanity restored."

None of these experts see revisions of PCI as a magic bullet that will prevent similar future breaches.

"The only meaningful change is to change PCI from a regulatory notion to legislative control, which has significant criminal liability for the people behind the retailers, the card brands, issuing and acquiring banks and intermediaries such as processors," Arlen says.

Schneier contends that the calls for tighter PCI standards are practically irrelevant, because data breaches are so frequent and the details of each attack are "surprisingly unique," and by the time that vulnerability is addressed, the attackers are on to other methods.

There are "probably a half-billion things (GP) could do" to improve its security, he says, "but I don't know what the top two or three would be. There is no fast answer."
