“Are You Eating a Rotten Apple?” – Personal Data May have Been Exposed in Global Payments Breach July 9, 2012

Posted by Chris Mark in cybersecurity, Data Breach, Industry News, InfoSec & Privacy, PCI DSS, Risk & Risk Management.

Let me preface this post by saying this is not intended to take shots at either Global Payments or the PCI DSS.  Rather, this post is intended to generate discussion and discourse on the topic of compliance and risk management.

According to reports, it seems that the Global Payments data breach may have exposed more than payment card data. In a June 12 update posted to its breach microsite, Global says hackers may have gained access to servers containing personal information collected from a subset of merchant customers.

“The company will notify potentially affected individuals in the coming days with helpful information and make available credit monitoring and identity protection insurance at no cost,” Global says. “The notifications are unrelated to cardholder data and pertain to individuals associated with a subset of the company’s U.S. merchant applicants.”

Based upon this statement it seems fair to assume that Personally Identifiable Information (PII) such as Social Security numbers and bank account information may have been exposed as well.

This situation exposes the danger of using a narrowly focused, static standard as the baseline for security management rather than adopting a risk-based approach to data security. I have personally conducted over 100 PCI DSS audits and have seen firsthand the resources consumed by the standard. Companies often appear so laser focused upon protecting payment card data that other systems and data take a back seat in the pursuit of “PCI DSS compliance.” As there are significant penalties associated with non-compliance, it is difficult to blame the merchant or service provider. The penalties are designed to compel compliance with the standard. As such, companies are going to give precedence to the PCI DSS over any other standard that does not have equivalent penalties associated with non-compliance.

As a reminder, the PCI DSS is ONLY focused on the protection of cardholder data. Surely some are going to say that the PCI DSS controls should be applied across all systems, etc. This is great in theory but does not happen in practice. Companies take great pains to minimize their cardholder data environment specifically to lessen the compliance burden.

I am sure we will continue to see breaches of payment card companies in which PII is exposed, as companies focus on PCI to the exclusion of risk-based security management.

“Let’s Talk Data Security” – Heather Mark in July 2012 Greensheet & TransactionWorld July 9, 2012

Posted by Chris Mark in cybersecurity, Data Breach, Laws and Legislation, News, PCI DSS.

Heather Mark is interviewed in the July 2012 issue of Greensheet in the article titled “Expert Advice on Security Defense and Planning”. The article discusses strategies for preventing and dealing with data breaches within the payment card industry. Additionally, Heather has an article in TransactionWorld titled “New School vs. Old School: Security and Emerging Technologies”. You can catch Heather’s articles every month in Transaction World Magazine.

“Pinky and the Brain” – Chris & Heather Mark’s Articles in Transaction World Magazine June 21, 2012

Posted by Chris Mark in cybersecurity, Industry News, InfoSec & Privacy.

I heard yesterday from the EIC of Transaction World Magazine that they will be publishing one of my articles in their August 2012 issue. Stay tuned! I have written for TW numerous times over the past 7 years or so, and Heather has written for them consistently since about 2005. You can read her current article here and see archives of Heather’s articles at this link. If you are not in the payments industry and want to know about the exciting world of credit card issues, check out TransactionWorld. It has great articles covering everything from compliance to security, interchange, and more. Here are links to a couple of my previous TW articles: 1) Why Regulation Cannot Prevent CyberCrime and 2) Lessons from the Heartland Breach. Clearly in this relationship Heather is the Brain and I am Pinky 😉

“The Rise of CyberEspionage” – Chris Mark Published in Homeland Security Network June 18, 2012

Posted by Chris Mark in cyberespionage, cybersecurity.

An article I wrote on the Rise of Cyber Espionage was picked up by the Homeland Security Network. I must admit that the article title is not what was submitted, but the article is one I wrote. If you are interested, spin on over to the Homeland Security Network and read the article. Any feedback would be appreciated. Here is an excerpt:

“On April 15, 2011, the US Congressional Subcommittee on Oversight and Investigations conducted a hearing on Chinese cyber-espionage. The hearing revealed the US government’s awareness of Chinese cyberattacks. In describing the situation in her opening remarks, sub-committee chairperson Dana Rohrabacher astutely stated:

“[The] United States is under attack.” “The Communist Chinese Government has defined us as the enemy. It is buying, building and stealing whatever it takes to contain and destroy us. Again, the Chinese Government has defined us as the enemy.”

“See, Hear & Speak no Evil”- Google Censorship Requests June 18, 2012

Posted by Chris Mark in Industry News, privacy.

Google today released information related to censorship requests by governments around the globe. While many are familiar with China and other nations restricting access, it is interesting to see so many “Western” countries requesting censorship. An interesting example is the Canadian Government requesting the removal of a “…YouTube video of a Canadian citizen urinating on his passport and flushing it down the toilet.” To their credit, Google did NOT comply with this request. In another request, Google “…received a request from the Central Police in Italy to remove a YouTube video that satirized Prime Minister Silvio Berlusconi’s lifestyle.” Again, Google did not comply. The interesting part of these requests is that they seek removal of material that is typically considered protected free speech and protest. Satire has been used as a form of protest in the West for centuries (look at Voltaire, Oscar Wilde, etc.), and civil disobedience (urinating on a passport is a good example) has certainly been used as a form of protest. One has to wonder how much more information ‘free’ governments have kept from the public. You can see the Google removal requests here.