EDITOR'S DESK: Data heists: Compliance remains the weakest link
The news last month that 40 million credit card accounts had potentially been compromised, and records for 200,000 had been stolen, was perhaps the most stunning example yet of the challenges of cybersecurity.
Forensic experts and the FBI are still investigating the security breach. But initial reports illustrate the measures already being taken to secure financial networks and what can go wrong when system users fail to follow rules.
This latest incident took place at one of the hundreds of companies that process MasterCard International, Visa and other retail credit card transactions. Cyberthieves bypassed several security layers and installed programming on the computer systems of Tucson, Ariz.-based CardSystems Solutions. The thieves hit the jackpot, extracting account data from a file that included the three- or four-digit security codes used for card transactions. Those codes command up to triple the price of standard credit card numbers on the black market.
Few organizations have invested more in securing their computer networks than MasterCard and Visa. Both have long-established policies governing how merchants and processors must operate on their payment networks, and both require regular certified security audits. They have also spent millions of dollars on new fraud detection software and computer system upgrades to stem the rising tide of phishing attacks and other scams.
In the end, though, it was a failure by CardSystems to comply with MasterCard's rules that allowed unencrypted data to fall into the hands of thieves.
Given how much the banking world invests in network security, this latest data heist offers a sobering lesson to those in government charged with protecting data.
At the very least, it suggests that to combat the increasingly savvy underworld of cybercriminals, it will take more than appointing a chief security officer and implementing stricter controls. It will also demand much higher levels of commitment, and funding, to support stronger safeguards against network intrusions, and better systems for monitoring and enforcing cybersecurity compliance.