Posted by: David Schneier
breach, compliance, data breach, data security, GLBA, PCI, regulations, regulatory, Regulatory Compliance, Security
Two weeks ago, about two hours before departing on a long weekend trip to welcome back baseball in Florida, I received an email from my bank indicating that there had been suspicious activity on my Visa check card and that it had been suspended. Considering that under normal conditions I think my family's spending is a bit unusual, I figured it was just a mix-up. I mean, during most weeks I can fill up my car in four different states, make purchases in five and buy an impressive assortment of merchandise spanning the full range of the consumer spectrum.
So I called up in an attempt to resolve things and was informed that it wasn't my spending that caused a problem; it was the fact that one of the vendors I had completed a transaction with had reported a breach. Because my card number was potentially included in that breach, I was shut down. I was fortunate that my bank is set up to help customers manage these situations fairly effortlessly (I don't love them most of the time, but this event won them some points with me), and after a brief stop at a local branch I had a temporary card and was able to continue on my trip.
A few items of note surfaced as a result of this experience. The first is that my bank would not reveal the vendor that reported the breach. The customer service representative I spoke with claimed that she didn't have access to the information, which I sort of believed. But when I asked how I could find that information out, she replied that they typically don't share it. I thought that a bit odd. Shouldn't I, as a consumer, be able to make informed decisions about who I do business with? I should be able to find out who the vendor is so that I can decide whether or not I'll continue to give them any of my hard-earned dollars. The second thing that I found curious was how seamless the replacement process was. They had a stack of temporary cards about five inches thick and a process so well defined and efficient that it almost seemed like I was asking to borrow a pen so I could sign something. When I returned to the car, my son, who had been waiting for me, assumed they hadn't been able to help me because I was out so fast. How often does this sort of thing happen? And to make their degree of efficiency that much more notable, a friend of mine experienced something similar and it took her bank over a week to get a new piece of plastic into her hands.
I recognize that this is a sign of the times we now live in. We use plastic everywhere, our sensitive account information is digitized all over the place, and the security controls protecting that information are only as strong as their weakest link. It's why you've heard me say many a time that requirements like PCI are an excellent starting point but by no means the be-all and end-all for securing the perimeter. All it takes is one USB storage device to go missing, one new appliance added to a network with its default values unchanged, one person printing off a report with NPPI and forgetting to pick it up from the printer, and voilà, a breach is born.
I'm frequently onsite at clients of wildly varying sizes, and I find something every day that makes me realize that sometimes the best weapon against a company being embarrassed by some sort of exposure is just dumb luck. Regardless of whether they have a well-formed team of risk and compliance folks working hard to protect information assets or just a single person serving in a related function, it comes down to human nature, both in terms of those not following the rules and those who are ready to exploit that fact. A prime example: when I find sensitive information left exposed, I collect it and either dispose of it properly or lock it up to share with the appropriate party as a "for instance". However, in those places where less honest people make similar discoveries, that same information becomes a commodity to be sold to those who indulge in things like identity theft. Like I said, it comes down to pure dumb luck.
And so I'm left wondering whether my now deactivated and defunct bank card was the victim of human nature, a sophisticated scheme to access otherwise properly secured sensitive information, or just plain incompetence. And while I'm glad that my bank was swift to react and protect me, I wish they'd extend that to informing and educating me as well. I mean, honestly, if I'm going to be forced to memorize a whole new series of numbers, shouldn't I at least be allowed to know who's to blame?