Global Payments Breach: Too Few Details
Processor Ends Investigation; Reveals Little
Wow. That was disappointing.
I sat in on Global Payments Inc.'s July 26 earnings call, during which the processor had promised to reveal the latest details about its own investigation into the data breach that struck its network earlier this year.
And let me say there was some build-up to this call. Global Payments has been fairly tight-lipped about this incident ever since executives first confirmed the breach back in April. The company set up a dedicated website, 2012infosecurityupdate.com, for updates about what executives now refer to as the "data intrusion." And Global confined its public comments to press releases and FAQs posted on that site.
Meanwhile, in the absence of formal comments from Global, there has been broad speculation by outside observers about how the breach occurred, what information was and wasn't accessed, and whether the incident impacted anywhere from 1.5 million to 10 million payment cards.
In a June 12 update, Global said the breach may have been broader than initially reported, and hackers may have gained access to servers containing personal information collected from a subset of merchant customers. At that time, Global CEO Paul Garcia said the processor had made "substantial progress" in its internal investigation of the breach, and that more details would be revealed at the July 26 earnings call.
Well, here are those eagerly awaited details:
- The investigation is complete;
- Remediation has begun;
- Global is working hard to regain its PCI-compliant status;
- The breach so far has cost Global $84.4 million.
That's it. Like I said, disappointing. So much was left unsaid about the breach, and if I were a Global customer or card-issuing institution, I'd have some serious follow-up questions. Like, how exactly did this "data intrusion" occur? When did it occur - early this year, or as far back as mid-2011, as some fraud alerts have suggested? How many accounts were affected, and exactly what type of data was accessed? What will Global's remediation efforts include?
I understand that Global's executives can't reveal everything they've uncovered in their investigation. But there's got to be a productive middle ground between everything and virtually nothing. It's just not sufficient to come out and say, "Our investigation is complete," but then reveal none of the investigation's findings.
Breach response is tricky business, and no organization really knows how it will handle a breach until it's in the thick of it. I spoke recently about this topic with Michael Bruemmer, vice president at Experian Data Breach Resolution. He talked of the reputational hits that breached organizations take when their responses are perceived to be either too slow or poorly managed.
"The overall financial impact to a company of a data breach can be minimized if the response is done well," Bruemmer said. "The company, employees and shareholders all benefit from that correct response."
In Global's case, let's give credit where it's due: the company responded to the initial news with urgency. But since then, it has done far too little to answer open questions and end wide speculation about the nature and scope of this high-profile breach.
During this latest earnings call, Garcia used a baseball analogy to describe post-breach activity. "It's a double-header," he said, and so far only game one - Global's own investigation - has been played. The second game involves working with card organizations to determine liability, and then to regain certification of PCI compliance. "That game is in the bottom of the second," Garcia said.
Well, if that's the case, then this is a twilight double-header, and it's time to turn on the lights. None of us clearly sees what's happening on the field, and the darkness is distressing.