“Oh the humanity!”- Financial Institution Breached 3 Times in 2 Weeks! April 4, 2012
Posted by Chris Mark in Data Breach, Industry News, Uncategorized. Tags: bank robberies, Chris Mark, data breach, Global Payments, InfoSec, mark consulting group, PCI DSS, risk management
STOP THE PRESSES! According to the Patriot Ledger, a financial institution’s security was breached 3 times in 2 weeks and assets were stolen. The media, however, has been quiet on the story. I have not heard a single Gartner or other analyst publicly eviscerate the financial institution for their poor security practices nor has Information Week, CNN, or any other major media outlet opined on the breaches. Why?
The financial institution was actually a bank branch, and the breaches were not data thefts; rather, they were good old-fashioned bank robberies. In 1968, in response to increasingly violent and frequent bank robberies, the US Government passed the Code of Federal Regulations Title 12, Part 208.61 (Bank Security Procedures). The purpose of the Act is as follows: (more…)
“Blaming the Victim and the PCI DSS is…Passe”- PCI DSS; GlobalPayments & Data Theft April 1, 2012
Posted by Chris Mark in Data Breach, Industry News, InfoSec & Privacy, PCI DSS, Risk & Risk Management. Tags: Chris Mark, cybersecurity, data breach, Global Payments, InfoSec, mastercard, PCI, PCI DSS, visa
In an effort to beat the “PCI Evangelists”, “wagon jumpers”, “naysayers”, and “PCI Haters” to the punch, I am publishing my post on a Sunday evening. By tomorrow morning the speculation on how the GlobalPayments compromise occurred will be in full swing and, no doubt, many will have already condemned the company for “PCI DSS non-compliance” or for being “sick, lame, or lazy” when it comes to their PCI DSS compliance or information security. Others will have published articles condemning the PCI DSS as ‘ineffective’, ‘irrelevant’, or simply ‘stupid’.
Before they are condemned, I want to go on record and say it is NOT a PCI DSS compliance issue that caused the compromise. Like Heartland Payment Systems, Royal Bank of Scotland Worldpay, and many more before them, GlobalPayments has been held out as the paragon of PCI DSS compliance for years. Now that they have been breached, they will be expected to wear a scarlet letter for the foreseeable future. I have no doubt that by the end of next week their status as a “Level 1 PCI DSS Compliant Service Provider” will have either been revoked by the card brands or be under “review”. In the same vein, there will be many who shout from the rooftops that the PCI DSS is “irrelevant”, “outdated”, and so on. Neither of these positions is accurate.
Here it goes…(drum roll please)…
The PCI DSS is a solid set of information security controls and represents minimum necessary controls to minimize the likelihood of data compromise through common, identified vulnerabilities. (more…)
Wall Street Journal Reporting- Global Payments is Breached March 30, 2012
Posted by Chris Mark in Industry News, InfoSec & Privacy. Tags: credit card theft, cybersecurity, data breach, data compromise, Global Payments, InfoSec, mark consulting group, mastercard, PCI DSS, visa
Updating my last story, the Wall Street Journal is now reporting that the “massive” data breach referenced earlier was Global Payments, Inc. USA Today is also reporting on the issue. According to sources, Dominican street gangs may be involved. Gartner’s Avivah Litan stated: “are seeing signs of this breach mushrooming. From what I hear, the breach involves a taxi and parking garage company in the New York City area, so if you’ve paid a NYC cab in the last few months with your credit or debit card – be sure to check your card statements for possible fraud.”
Visa issued a statement: “Visa Inc. is aware of a potential data compromise incident at a third party entity affecting card account information from all major card brands. There has been no breach of Visa systems, including its core processing network VisaNet. Visa has provided payment card issuers with the affected account numbers so they can take steps to protect consumers through independent fraud monitoring and, if needed, reissuing cards. … Every business that handles payment card information is expected to protect the security and privacy of their customers’ financial information by adhering to the highest data protection standards.”
MasterCard is “concerned whenever there is any possibility that cardholders could be inconvenienced and we continue to both monitor this event and take steps to safeguard account information. If cardholders have any concerns about their individual accounts, they should contact their issuing financial institution.”
