MasterCard and Visa are investigating a massive security breach at Global Payments, an Atlanta-based processor of credit-card transactions, which has disclosed that it was hit by hackers. What is most striking is that breaches now happen so often that they are no longer shocking. This time, over 50,000 Visa and MasterCard cardholders may have had their personal data stolen; although the details of the breach have not yet been disclosed, people familiar with the investigation estimate that the number could reach hundreds of thousands.
The breach is another example of why PCI DSS compliance on its own is inadequate. A compliance assessment is a point-in-time check against a list of requirements; attackers probe whatever controls are actually running, every day. In spite of growing profits and revenues in the billions of dollars, companies such as Global Payments focus more on doing the minimum needed to obtain a compliance certificate than on actually protecting their customers' data. If a company does not implement enough controls to protect sensitive data, a breach is a question of when, not if, because cybercriminals have become highly advanced and organized. A single missing technical control can become an executive's worst nightmare, since such breaches significantly affect reputation, revenue and stock price.
One of the best quotes I have heard on this comes from David Lazarus of the Los Angeles Times, in his Money Minute column, Another Day, Another Data Hacking:
This latest breach — collect them all — highlights yet again the vulnerability of sensitive info in the Internet age, and the clear fact that the corporate stewards of our data aren’t doing enough to keep things under wrap.
What more could they do? They could encrypt all databases…
At CipherCloud, we couldn't agree more. It's time for organizations to take greater responsibility for protecting their customers' sensitive data, regardless of where it resides: behind their own firewall, with a business partner, or in the cloud. Requiring businesses to encrypt sensitive customer data is a step in the right direction, provided the encryption actually survives a database compromise: the keys must be held apart from the data store, so that a copy of the tables yields nothing an attacker can use.
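What "encrypt all databases" has to mean in practice is field-level encryption of the card number itself, with the key kept outside the database, so that a dumped table contains nothing usable. The following Go program is an added illustration of that control, written for this page; it is not CipherCloud's product code and not anything from Global Payments. It assumes a 32-byte AES-256 key supplied from outside the data store (an HSM or KMS in production; generated on the fly here), uses AES-GCM so that tampering with a row is detected rather than silently decrypted, binds the cardholder name and last four digits into the ciphertext as associated data, and stores only the last four digits in the clear. The record layout, function names and the test card number are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
)

// StoredCard is the row as it would sit in the processor's database (hypothetical layout).
// The PAN itself is never stored: only an authenticated ciphertext and the last four digits.
type StoredCard struct {
	Name       string
	LastFour   string
	Ciphertext string // hex(nonce || AES-GCM ciphertext || tag)
}

// normalizePAN strips spaces and rejects anything that is not 13 to 19 digits.
func normalizePAN(pan string) (string, error) {
	d := strings.ReplaceAll(pan, " ", "")
	if len(d) < 13 || len(d) > 19 || strings.Trim(d, "0123456789") != "" {
		return "", errors.New("PAN must be 13-19 digits")
	}
	return d, nil
}

// newGCM builds an AES-256-GCM AEAD; the key must come from outside the database.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPAN encrypts the PAN with a fresh random nonce. Name and last four are
// bound in as associated data, so a ciphertext copied into another row fails to open.
func EncryptPAN(key []byte, name, pan string) (StoredCard, error) {
	digits, err := normalizePAN(pan)
	if err != nil {
		return StoredCard{}, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return StoredCard{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredCard{}, err
	}
	lastFour := digits[len(digits)-4:]
	sealed := gcm.Seal(nonce, nonce, []byte(digits), []byte(name+"|"+lastFour)) // nonce prepended
	return StoredCard{Name: name, LastFour: lastFour, Ciphertext: hex.EncodeToString(sealed)}, nil
}

// DecryptPAN recovers the PAN. A wrong key, or any edit to ciphertext, name or
// last four, makes Open fail, so tampering is detected instead of decrypted.
func DecryptPAN(key []byte, rec StoredCard) (string, error) {
	raw, err := hex.DecodeString(rec.Ciphertext)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(rec.Name+"|"+rec.LastFour))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// DumpExposesPAN models what an attacker gets from a copied table: true if the
// serialized row still contains the card number in the clear.
func DumpExposesPAN(rec StoredCard, pan string) bool {
	row := rec.Name + "," + rec.LastFour + "," + rec.Ciphertext
	return strings.Contains(row, strings.ReplaceAll(pan, " ", ""))
}

func main() {
	// Demo key only: in production it lives in an HSM or KMS, never beside the data.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	pan := "4111 1111 1111 1111" // constructed test number, not a real card
	rec, err := EncryptPAN(key, "Jane Doe", pan)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row: %+v\n", rec)
	fmt.Println("dump exposes PAN:", DumpExposesPAN(rec, pan))
	got, err := DecryptPAN(key, rec)
	fmt.Println("decrypted with key:", got, err)
	rec.Name = "Mallory" // attacker edits the row in place
	_, err = DecryptPAN(key, rec)
	fmt.Println("after tampering:", err)
}
```

Two caveats a practitioner would add before deploying something like this: random 96-bit GCM nonces are safe only for a bounded number of encryptions per key (on the order of 2^32), so the key must be rotated, and re-encryption on rotation must be designed in from the start; and none of this helps if the application server that holds the key is itself compromised, which is why the key should be released per request by an HSM or KMS and why the data store should never hold it.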