Questions About Global Payments' Answers
Breached Processor's Response Only Raises New Issues

Global Payments' public response to the data breach that exposed card data on 1.5 million debit and credit accounts has raised more questions than it has answered.
Why did Global wait three weeks to notify the public? And had the story not been broken by blogger Brian Krebs, would we have seen a public acknowledgment of the compromise?
On the notification front, Global only went as far as it was required. The processor notified Visa and MasterCard when its internal systems detected anomalous activity that hinted at a breach. And the company notified law enforcement. But initially it issued no public statement.
So, would we know about the breach today if Krebs hadn't broken the story?
So far, Global has not engaged in dialogue about the breach, presumably because the investigation is ongoing. We're being told what Global wants to share.
During the April 2 investors' call turned press conference, the company's executives entertained no questions from journalists, only financial analysts. And even though Global this week launched a special section on its website dedicated to consumer and merchant information about the breach, most of the information is stagnant - nothing's been updated since April 2 - and nowhere on the site is there even a form for users to submit questions.
So, it brings me back to notification. Should more be done to communicate information about the breach?
From RSA to Epsilon and Sony, data breaches are becoming far too common. But because we lack standardization for incident response and notification, the rules are murky and the best practices unclear.
And here's another problem with no standardization: Because of the way Global explained its breach, we still don't have a clear picture of exactly what happened.
"There's not a lot of transparency here," says Gartner analyst Avivah Litan. "It's not very clear what is going on. The language that was used by Global Payments is very different than language we've seen before. They talked about 1.5 million records exported; usually what you hear is how many were potentially compromised."
I suspect we'll learn more in coming weeks - at least I hope we do. What I'd really like to see is more information, not just about how processors like Global are expected to respond to a breach, but what actions are being taken now to keep everyone abreast of new developments. Who will lead this charge?
The evidence so far is discouraging.