Monday, June 20, 2005

Security? What Security?

Picture credit: Excel web sharing - spreadsheet collaboration over the Internet made easy with BadBlue

IT-Director's Robin Bloor has some choice commentary on the news that CardSystems may have exposed some forty million accounts to cyber-crooks:

...The secret is out "corporate America is inadequately protected against data theft." I think there's a crisis in the making – in fact, there is. The news is not good for you and I, but it is for the IT security vendors, who have clearly not been selling enough of their fine products to stop the rot.

On Thursday of last week the US FTC (Federal Trade Commission) pronounced judgment on BJ Wholesale, a company that had failed to protect customer data from identity theft. Its judgment was that BJ Wholesale should undergo a security audit every 2 years for the next 20 years. This doesn't sound like much of a penalty, but there can be little doubt that BJ Wholesale is going to have to spend heavily on IT security. It will cost them many green dollars, and woe betide BJ if it fails any of these audits...

[CardSystems' stolen forty million accounts] ...sounds more like a spirited attempt to get into the Guinness Book of Records than a security breach ("What, ChoicePoint only exposed 140,000 identities? We'll show them").

The press reports suggest that CardSystems was targeted by hackers, which seems highly likely. However, it is all a little confused as some reports claimed that the vulnerability was caused by a virus attack. Right now the full details may not be known. It was MasterCard that uncovered the problem. In investigating fraudulent transactions, it was able to deduce where the data was being stolen. Hats off to MasterCard. Visa and American Express, who also had millions of customers affected, should thank them.

MasterCard is, however, deeply unimpressed with CardSystems. It says that CardSystems was storing card holder's account numbers and security codes on its computers in violation of MasterCard rules...

Robin Bloor: Security? What Security?
