Global: A Lack of Breach Transparency
Processor Promised Updates, But We've Heard LittlePayments processor Global Payments has done a poor job of handling communications in the wake of its data breach.
See Also: How to Take the Complexity Out of Cybersecurity
When news of the breach broke, Global executives made a big deal about the incident being "self-discovered" and "self-reported." They also said they were committed to keeping the public and the financial industry informed, announcing a special website for updates. Instead, Global has been less than forthcoming with information. Far more information about the breach has come from external sources. And information from those sources has contradicted what Global has reported.
For Global, the lack of transparency is damaging. The company would be far better off if it kept card issuers and the public informed. A proactive approach to sharing breach details, rather than a largely "no comment" stance, would help the processor maintain its reputation.
Other processors, as well as banking institutions, should make sure they're well-prepared with a detailed post-breach communication plan before they experience a security incident.
The Unfolding Story
Let's take a look at the evolution of the Global breach.
Following widespread news reports beginning March 30, Global Payments on April 1 publicly shared details about a breach it said likely exposed non-sensitive card data linked to 1.5 million debit and credit accounts. Chairman and CEO Paul Garcia said the breach was "manageable" and that his company was taking every precaution to ensure affected cardholders and issuers were protected and kept informed.
"We are making significant progress in defining and rectifying the event," he said.
During that April 1 call, Global announced the launch of a microsite dedicated to consumer updates about the breach. Global has updated the site periodically - as recently as May 1 - clarifying some of the details surrounding its breach. (See Global Breach: Did It Start in 2011?)
But finding the microsite is difficult, unless you know the URL. It's searchable on Google, but only if you enter "2012 Information Security Update," and the only link about the breach readily visible on the Global Payments home page points to the April 1 press release, which includes no link to the microsite.
Nothing from the Global website or microsite can be copied and pasted, thus nothing is easily shared. And Global has repeatedly stated, as new details about the breach have emerged from external parties, that it has no further comment, pointing reporters back to the microsite.
To be fair, there are some informative links on Global's website that relate to the breach and are a bit easier to find than the consumer microsite. Links to common phishing and identity theft FAQs and small-merchant Payment Card Industry Data Security Standard recommendations are available, but require more than one click to locate.
Global's Breach: What Really Happened?
Global said it discovered the breach in early to mid March and suggested that the discovery was made shortly after the breach occurred.
But here's what we now know, based on industry sources:
- Visa and MasterCard alerts issued in March suggested the intrusion took place sometime between Jan. 21, 2012, and Feb. 25, 2012. On April 26, updated advisories pushed the breach date back to June 7, 2011. And new advisories issued this week suggest January 2011 was the more likely exposure month.
- The Global breach is likely to have exposed far more than 1.5 million cards; some sources estimates suggest the number is probably closer to 7 million. The breach also could have exposed more sensitive card data than Global suggested, including details like security codes used for card-not-present transactions, such as those made over the Internet.
Transparency and full disclosure, within the bounds of investigation reasonableness, is important when beaches occur. But I don't think we're anywhere close to understanding the impact of this breach. And, sadly, it appears that we won't be able to rely on Global to tell us.
A proactive approach would have benefitted Global. But the experience should serve as an example for other processors and institutions.
The lesson: Being prepared, with detailed post-breach communications plans, can salvage reputation and reinforce consumer confidence.