Unless you work for a bank, you probably missed the news about the latest credit security breach. Last month, 1.5 million credit-card accounts were stolen from Global Payments, an Atlanta-based company that processes payments for Visa and MasterCard. Details of the break-in remain sketchy, but as of early last week the company confirmed the security breach, insisting that no cardholder names, addresses, or Social Security numbers had been compromised. (In response, Visa deleted Global Payments from its list of secure companies, and MasterCard warned customers about the security breakdown.)
But experts say that the break-in is a big deal and could nudge us closer to a federal breach-disclosure law. Avivah Litan, a security analyst for consulting firm Gartner, says Global Payments is one of the largest payment processors in the country and that the breach is just the latest in a string of credit-card-security failures that have plagued corporate America. “It’s like the presidential assassin getting through security all the way to the Secret Service,” she says. “It’s serious.”
For now, the incident appears small compared with megabreaches like the one that exposed more than 100 million credit-card accounts from Heartland Payment Systems in 2008. “But it brings into question the very security of the credit- and debit-card industry and whether or not it’s safe to use such payment cards,” says Beth Givens, director of the Privacy Rights Clearinghouse, an organization that tracks data breaches. Federal law protects credit-card purchases, but Givens is worried about any debit cards that may have been exposed. “The law that governs debit-card fraud is not as protective of consumers,” she adds.
Observers are also concerned about the timing of Global Payments’ disclosures. The company insists it notified all parties and contacted law enforcement in early March when it discovered the break-in. “We did not delay,” says company spokeswoman Amy Corn. Yet it took another three weeks for the news to reach the public, and it wasn’t the company but a security blogger named Brian Krebs who broke the news. It follows a pattern common among other data breaches: customers who may have been affected by the data theft are often the last to know, and they find out weeks—sometimes months—after their credit-card information is extracted.
Krebs says many questions about the Global Payments break-in remain unanswered, including the actual number of exposed accounts and the exact timing of the breach. “The number of transactions or card numbers potentially exposed is probably far larger than the 1.5 million number they are citing,” he says. But the biggest unknown is whether this breach will be the one that finally pushes lawmakers to pass a federal data-breach-disclosure law. Previous efforts, most notably a proposed 2009 law that would require disclosure within 60 days of a breach, failed. But the idea is now gaining traction. Europe is mulling a 24-hour breach-disclosure requirement. And last year, the White House included a national data-breach reporting law as part of its legislative cybersecurity proposal. As more details of the Global Payments breach come to light, will it propel us closer to a disclosure rule? Says Litan: “That would be my hope.”