One of the most common discussions I have with other data professionals is “why do we keep having so many silly data breaches?” It seems to me that data is put at risk by sloppy IT practices and negligent employees, not always by hackers and fraudsters. In this case, it appears it was both. Reports and rumours point to insecure system admin practices and outside hackers. We don’t know for certain, because in the US, data breach laws are patchy and weak.
Usually the discussion comes around to US companies not having to face many consequences for failing to protect our data. Take a look at this quote about the Global Payments breach of data belonging to 1.5 to 7 million merchant account holders:
Global says it has now paid all fines related to non-compliance and has reached resolution with certain card networks, although it did not specify which ones. The processor also says its business has not suffered as a result of the breach.
“The impact on revenue of customers or other third parties who have failed to renew, terminated negotiations, or informed us they are not considering us at all, where we can confirm it is related to our removal from the lists, has been immaterial,” Global states. “We continue to process transactions worldwide through all of the card networks.”
Global has spent almost a hundred million dollars on this breach and expects to have to shell out another $25-25 million in 2013. And yet with those numbers they don’t believe it has had a negative impact on their business.
Global handles Visa and MasterCard payment processing of about $120 billion (yes, with a “b”) in payments annually.
Their annual report also seems to imply that they were not PCI-DSS compliant when the breach occurred, and Global has been removed from the list of organizations that are compliant. So billions of dollars and the account information of millions pass through their non-compliant networks. Because it can.
I wish more companies would treat our data as something that needs to be protected.