Third-party testing is critical to the security of the world's online banking and e-commerce systems, but it is obviously less valuable if an institution defers it until after an enormous breach has occurred. The CardSystems breach offers a cautionary tale for all institutions handling sensitive financial data. Our interest here should be clearly stated: Netcraft offers a range of advanced security services, including web application security testing and an auditing service that provides ongoing detection of new security vulnerabilities and configuration errors introduced by system and network maintenance.
But security service providers aren’t alone in viewing third-party audits as the weak link in data protection. On Thursday the U.S. Federal Trade Commission mandated third-party audits for BJ’s Warehouse Club as part of a settlement resulting from a security incident that exposed customer data. The FTC previously took similar action against Tower Records, Microsoft, Guess and Eli Lilly for leaks of customer information.
Weak security could even invite criminal prosecution, as the FTC found that BJ’s lax security was an unfair practice that violated federal law. “This case demonstrates our intention to challenge companies that fail to protect adequately consumers’ sensitive information,” said Deborah Platt Majoras, Chairman of the FTC. Banking regulators are focused on this issue as well.
Then there’s the potential financial cost. Reissuing credit cards costs the issuer about $10 per card, according to industry sources, suggesting a cost of $400 million to replace the accounts affected by the CardSystems incident. Credit card issuers generally don’t replace a card number until evidence of fraudulent transactions is found.
Consumer uneasiness about the security of their data is heightened by suspicions that breaches have been occurring for years without their knowledge. Disclosures of security incidents were rare before the 2003 passage of a California law requiring that customers be notified when their information has been inappropriately disclosed.
The CardSystems breach illustrates the inconsistencies in disclosure policies among credit card providers. While MasterCard announced that 13.9 million of its accounts may have been compromised, as of midday Saturday similar announcements were missing from the online newsrooms of Visa, Discover and American Express. News reports say accounts at all four providers were affected.