Sister CISA CISSP

Aug 27 2008   4:27PM GMT

“Over-Reacting” to Data Breach Reports

Arian Eigen Heald

After Benjamin Wright’s comments on my previous post about Best Western, I hopped on over to his blog and took a look at his point of view.

Speaking from a consumer point of view, I find cold comfort in the drop in numbers from “possibly 90 million” to “only” 40 million credit card numbers being stolen from TJX. He makes a good point about the actual theft losses (as far as we know) committed with the stolen data as “only” about $1 million, and complains about the fines imposed and the over-reaction of Banks (by issuing new cards and forwarding the resulting costs to TJX).

The problem is, the Banks can’t wait around to see which ones of the 40 million accounts are used to commit fraud, or even how many of the accounts are “finally” used to commit fraud. That number is an unknown, especially if all the cards were NOT closed out. The banks did what they had to do, and TJX should pay for it. I certainly would not want to use a card with a compromised number and the possibility of being charged for something I didn’t buy, and the resulting hassles.

Did the FTC over-react? Did the economy need a crisis in consumer confidence? Did TJX get used as a “power-of-example” by VISA?

As an auditor and engineer, it bothers me when I see that vendors don’t know who accessed their data, or how much of it was lost. It tells me good controls are not in place. See Rule # 5

I’d like to see a list of companies from VISA that are NOT compliant. Or even a list of companies that are compliant. You could check before you purchased anything online. That would motivate business, I’m sure. Is compliance the same thing as good security? Absolutely not. Just ask Hannaford. However, “It’s better than snowballs in summer,” as my father-in-law likes to say.

Back to Best Western: there IS a question in my mind as to whether the report is more hyperbole than what may have happened. It’s unclear to me. Access via one machine and one account may not have given up all the information. Unfortunately we may not get to know the truth. It would be nice to know, but it may give up too much information for Best Western to release the facts about their systems.

Benjamin is right that I may have commented too quickly. The report from the Sunday Herald leaves out a LOT of details and a lot of people on the web have jumped all over it, too. (Insanity in numbers is always helpful). So we will need to wait and see. Unfortunately, given the track record of business, it’s hard to be hopeful. I will hope I’m wrong.

UPDATED: Check out Best Western’s excellent response to the incident.

Eigen – Being wrong and liking it.

1  Comment on this Post

  • Benjaminwright215
    Arian: As a society, we need healthy debate about how to respond intelligently to breaches. We have discovered that data breaches are as common as thunderstorms. They happen all the time. They can be dangerous, but they aren't always dangerous. It is irresponsible for law and legal practice to bury consumers with an excessive number of data breach notices, announcements and card cancellations (http://hack-igations.blogspot.com/2007/12/does-lost-tape-equate-to-lost-data.html). --Ben
