Case Analysis: Global Payments Breach

 Summary

A data breach at the credit card payment processing firm Global Payments potentially impacted 1.5 million credit and debit card numbers from the major card brands Visa, MasterCard, Discover and American Express (money.cnn.com) in April 2012.

Company Background

Founded in 1967, Global Payments (NYSE:GPN) is one of the largest electronic transaction processing companies, based in Atlanta, GA, with operations in several European and APAC regions.

The company provides business-to-business card payment and processing solutions for major card issuers such as Visa, MasterCard, Amex and Discover.

The company also performs terminal management and electronic check conversion.

Security Breach

Exactly a year ago, in March 2012, the company was hit by a massive security breach of its credit card payment processing servers, impacting more than 1.5 million customers (nytimes.com). The company reported unauthorized access to its processing system, resulting in the transfer of data for 1,500,000 card numbers.

According to the company's report, the stolen data includes name, social security number and the business bank account designated for payment processing or deposit services.

As a result of unauthorized access to the company's servers, millions of confidential customer records were exported.

Cost of Security Breach

While this data breach is not the largest on record, the Global Payments breach turned out to be a $93.9 million affair according to the company's Jan 8th 2013 quarterly report (bankinfosecurity.com). This was mainly spent on enhancing security and ensuring compliance with the Payment Card Industry Data Security Standard (PCI-DSS).

The company hired a qualified security assessor (QSA) that conducted an independent review of the PCI-DSS compliance of Global Payments systems and advised many remediation steps for its systems and processes.

The company also paid fines related to non-compliance and has reached an understanding with several card networks. The majority of the expenses, $60 million, originated from professional fees, while $35.9 million was estimated to be fraud losses, fines and other charges imposed by credit and debit card networks.

However, the company received $2 million in insurance recoveries. There could be additional expenses of $25 to $35 million in the remainder of 2013 due to investigation, remediation and PCI compliance.

Closer Look at Control Issues

While the company would like to conceal the finer details of the investigation, a closer look into this case clearly reveals a fraud triangle of pressure, rationalization and opportunity. It is highly likely that an insider played a major role in exposing security vulnerabilities of the company's information technology systems and the lack of proper monitoring mechanisms.

Lack of proper internal controls resulted in the insider making use of the opportunity to commit fraud. The case clearly indicates that the system monitoring mechanism was inadequate and could not prevent the data thief from getting access to PCI data. It is not clear whether high-level data encryption was implemented for personal data such as social security numbers and bank accounts.

Steps to Mitigate Data Breach

A number of precautionary and data protection measures should be taken to ensure PCI compliance and prevent such a massive data theft (sans.org).

  1. Establish multiple levels of data security specifically for personal information such as customer account numbers, social security numbers, customer addresses, phone numbers, etc. This includes creating authorization algorithms and ensuring that every data retrieval gets logged and reported.
  2. The data should be encrypted using the best available data encryption methodologies to protect data both at rest and in transit. Data at rest is the information residing in database and file servers and even in personal computers. On the other hand, data in transit refers to data moving across local and wide area networks.
  3. Identifying all the sensitive data that needs encryption is the first step in protecting data based on the data classification policies.
  4. Locate data at rest and data in motion and then apply techniques such as eradication, i.e. removal of unnecessary data lying in file systems or personal PCs; obfuscation of data to ensure it is not in a readily readable format; and finally encryption by employing industry-standard data encryption techniques.
  5. Follow PCI-DSS requirements for financial data:
     a. PIN blocks, CVV2 and CVC2 card verification data cannot be stored at any time.
     b. All sensitive information must be encrypted during transmission over networks that are main targets for hackers.
     c. Ensure that security-related technology is resistant to tampering and do not disclose any security-related documentation.
     d. Ensure sound and practical policies around generation, updates, deletion, storage and archival of cryptographic keys.
     e. Ensure that data exchange is conducted over a trusted path that follows high controls and confirms the authenticity of content.
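
A sketch of steps 4 and 5a, added here as an example and not part of the original essay: it locates card numbers in stored records with a Luhn check, masks them to the first six and last four digits, and flags and purges stored card verification values. The record layout, field names and sample lines are constructed for illustration.

```python
import re

# Candidate card number: 13-19 digits, optionally split by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Card verification value stored under a hypothetical cvv/cvv2/cvc/cvc2 field name.
CVV_RE = re.compile(r"\b(cvv2?|cvc2?)\s*[=:]\s*\d{3,4}\b", re.I)

# Constructed sample records (published test card numbers, not real accounts).
SAMPLE = [
    "2012-03-01 txn=1001 pan=4111111111111111 amt=25.00",
    "2012-03-01 txn=1002 card=3782-822463-10005 cvv2=1234 amt=9.99",
    "2012-03-01 txn=1003 ref=1234567890123456 amt=5.00",  # fails Luhn
]

def luhn_ok(digits):
    """Luhn checksum: filters out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(digits):
    """Obfuscation: keep only the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_lines(lines):
    """Return (line_no, masked_pans, cvv_stored, redacted_line) for each hit."""
    findings = []
    for no, line in enumerate(lines, 1):
        pans = []

        def repl(m):
            digits = re.sub(r"[ -]", "", m.group())
            if not luhn_ok(digits):
                return m.group()  # not a card number, leave untouched
            pans.append(mask(digits))
            return pans[-1]

        redacted = PAN_RE.sub(repl, line)
        cvv_stored = bool(CVV_RE.search(redacted))
        # Eradication: verification data must not be stored at all (step 5a).
        redacted = CVV_RE.sub(r"\1=[PURGED]", redacted)
        if pans or cvv_stored:
            findings.append((no, pans, cvv_stored, redacted))
    return findings

if __name__ == "__main__":
    for finding in scan_lines(SAMPLE):
        print(finding)
```

Masking and purging reduce what a thief can take from logs and file shares; card numbers that must be retained still need encryption at rest as described in step 2.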

Conclusion

The number of cyber threats is increasing at an alarming rate, and a small oversight on a company's part is enough for hackers to steal confidential data and put consumers at risk. In today's high-tech world of information technology, customers' information is at high risk of breach, and any company, private or public, that deals with financial data has to ensure the highest level of regulatory compliance to protect consumers' interests, maintain their trust and finally run as an ongoing concern.

References

  1. Jessica Silver-Greenberg, Nelson D. Schwartz (March 30, 2012). "MasterCard and Visa Investigate Data Breach". New York Times. Retrieved 2013-03-17.
  2. Information Security Group (January 10, 2013). "Global Payments Breach Tab: $94 million". www.bankofsecurity.com. Retrieved 2013-03-17.
  3. Julianne Pepitone (April 3, 2012). "1.5 million Card numbers at risk from hack". www.money.cnn.com. Retrieved 2013-03-17.
  4. Dave Shackleford (November 2007). "Regulations and Standards: Where Encryption Applies". www.sans.org/reading/analyst_program/encryption_Nov07.pdf
