Data Security Law Journal Focusing on legal trends in data security, cloud computing, data privacy, and anything E

Hacking the “Middle Man”

Posted in Data Breach, Data Breach, Data Security

Another massive high profile data breach was in the news this past week. MasterCard, Visa, American Express, and Discover, as well as other banks and franchises were affected.  Significantly, the breadth of the effect was not a result of separate attacks against each bank, but rather a hacking of one common third-party service provider—Global Payments Inc—which processes credit card payments and acts as a “middle man” between the consumer and the bank. The extent of the data breach is not yet fully known, but MasterCard, Visa, and American Express all suffered decreases in the value of their stocks when news of the data breach broke.  Global Payments released a statement that the intrusion was limited to North America and affected up to 1.5 million cards.

If you are a business that maintains sensitive client and proprietary information, there are several important lessons to be learned from this data breach:

  • When you hire a third-party service provider or vendor, you need to know what measures that vendor is taking to protect your data and the data of your customers.  What policies and procedures has the vendor implemented to maintain the security of data you share with it?  What contractual or other legal remedies do you have against the vendor should something happen to the data?  Is the vendor insured for such a loss?
  • Your company’s defenses to a data breach are only as strong as its weakest link. For example, it may not matter very much that your company has adopted the most state-of-the-art, expensive, top-flight security measures if a service provider is not taking equally strong measures to protect the same data.  As Tom Kellerman, a vice-president at Trend Micro, a computer security company, told the New York Times:  “Hackers are well aware that these [payment processing] systems don’t have the same sophisticated levels of security as the banks.  The payment processors have become their Achilles’ heel.”  According to that same article, this was the second known breach that Global Payments has suffered within the last 12 months.
  • It is interesting how the news of this data breach broke — it appears to be the result of a blog post on Krebs on Security, rather than as a result of the work of a major national newspaper or other traditional news entity.  The work of bloggers in this sphere is increasingly impressive. Krebs is just one example.  Databreaches.net is another blog that maintains an impressive record of significant data breaches and further demonstrates the continued explosion of data breaches worldwide.  I would also recommend author Christopher Danzig, who writes frequently for Above the Law and other national and regional publications.
  • It is wrong to simply assume that because the breach occurred, it could have been prevented, or that Global Payments was not doing all it could to prevent the breach from occurring in the first place.  Again, a quote from the NYT article is instructive because it shows the complicated relationship between the banks, the payment processors, the merchants, and the customers:  “‘These folks work night and day to secure their systems, but they are connected to millions of merchants around the country and nothing is absolutely foolproof,’ said Thomas Goldsmith, a spokesman for the Electronic Transactions Association, a trade group.”
  • According to Krebs on Security, the Global Payments breaches occurred as early as January 2011 and then again between January 21, 2012, and February 25, 2012, and at least the first breach appears to have been a “sustained breach” (hackers captured data about 24 million unique transactions on an ongoing basis for the last year), yet news of the breach was not made public until now.  Indeed, were it not for the blog post, one might wonder how long it would have taken for this information to otherwise become public. It may be that Global Payments could not confirm that it had in fact suffered a breach and did not know the source or extent of the intrusion until very recently.  In any event, interesting issues relating to whether, when, and how Global Payments should have disclosed the information are all implicated.
  • Another issue is who will bear the financial burden for the breach? The banks? Global Payments?  The hosting provider for Global Payments?  The merchants? The consumers?  Perhaps a combination of some or all.  The financial burden does not simply mean potential legal liability, but also includes the far greater costs of public relations consequences, damage to reputation and brand, and the cost of remediation and implementing new security measures.  The issue of the financial and public relations fallout will be interesting to follow.

In short, the Global Payments data breach is another example of a high profile data breach that corporations worldwide would do well to learn from.  Arguably the most important lesson? KNOW WHAT YOUR VENDORS ARE DOING TO KEEP YOUR DATA SAFE!

5/6/12 UPDATE:  A May 3, 2012, article in the Wall Street Journal reveals that Global Payments may have underestimated the number of cardholders who were affected by the recent data breach as well as the breadth of the breach.  Initially, Global Payments stated that less than 1.5 million card numbers were accessed.  Now, it appears the breach may have affected as many as 7 million users.  The increase appears to be a result of new information showing that the hackers had access to the customer data since the spring of 2011, far earlier than the January 2012 estimate provided by Global Payments.  As the Journal points out, “[t]he data breach’s wider scope underscores how hard it is to assess the damage that follows hacker attacks.”

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.