Latest data breach may fuel the push for federal regulation of data security

By David
June 21, 2005

The NY Times has more information (and two follow-up articles) about the staggering loss of data at a credit card transaction processing company that came to light over the weekend:

The security breach was first reported Friday when MasterCard International said a lapse at CardSystems had allowed the installation of a rogue computer program that could extract data from the system, potentially compromising 40 million accounts of various credit cards.

MasterCard said Saturday that 68,000 of its own account numbers were especially at risk because they were in a file found to have actually been “exported from the system.” CardSystems said yesterday that the file also contained data from other cards in proportion to the volume of business it handles from each company. That would translate to about 100,000 Visa accounts and roughly 30,000 others […]

An official of the company in question, CardSystems Solutions, has admitted that the company should not have been holding the stolen information in the first place: retaining such data violates Visa and MasterCard policy. That leaves one to wonder why CardSystems Solutions chose to break an established security policy by keeping the data for what it calls “research” purposes.

Whatever the case, there is little doubt that this breach will sharpen the questions policymakers are asking about the effectiveness of the security policies currently employed in the commercial sector. Many privacy advocates will also read this incident as further evidence that industry self-regulation does not work.

The article also points out that the compromised information was not encrypted. We’ve wondered in this space before why it isn’t simply standard operating procedure to encrypt data like credit card account numbers, Social Security numbers, and other sensitive personal information. Sound, well-implemented encryption, meaning a modern cipher with the key kept apart from the data it protects, can certainly lessen the potential for harm when a breach does occur: a file that is exported from the system is worthless to the thief unless the key went with it. Indeed, the California law that is largely responsible for the recent string of breach notifications goes further and makes encryption a safe harbor, requiring disclosure only when the personal information acquired was unencrypted:

1798.82. (a) Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
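As an added example, not code from the original post or from CardSystems, the following Go program shows what “well-implemented” encryption of stored card data looks like in practice: the full account number is stored only as AES-GCM ciphertext, the record in the clear holds just the last four digits, and the key is passed in from outside the data store rather than saved beside it. The card number 4111 1111 1111 1111 and the fixed key are constructed sample values; the record layout and the function names are this example’s own and do not describe any processor’s actual format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// StoredCard is the record that would sit in a processor's database or in a
// "research" extract. Only Last4 is in the clear; the full account number
// exists only inside Ciphertext. (Constructed layout for this example.)
type StoredCard struct {
	Last4      string
	Nonce      []byte // 12-byte GCM nonce, fresh for every record
	Ciphertext []byte // AES-GCM over the PAN, with Last4 bound in as associated data
}

// newAEAD builds an AES-GCM instance; key must be 16, 24 or 32 bytes.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// normalizePAN strips spaces and rejects anything outside 13-19 decimal digits.
func normalizePAN(pan string) (string, error) {
	digits := strings.ReplaceAll(pan, " ", "")
	if len(digits) < 13 || len(digits) > 19 {
		return "", errors.New("invalid PAN length")
	}
	for _, r := range digits {
		if r < '0' || r > '9' {
			return "", errors.New("PAN must be digits only")
		}
	}
	return digits, nil
}

// Seal encrypts a primary account number for storage. The caller supplies the
// key from wherever it is kept (an HSM or key service); it is never written
// next to the record.
func Seal(key []byte, pan string) (StoredCard, error) {
	digits, err := normalizePAN(pan)
	if err != nil {
		return StoredCard{}, err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return StoredCard{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredCard{}, err
	}
	last4 := digits[len(digits)-4:]
	// Binding Last4 as associated data means a record cannot be re-labelled
	// with a different masked number without the authentication tag failing.
	ct := aead.Seal(nil, nonce, []byte(digits), []byte(last4))
	return StoredCard{Last4: last4, Nonce: nonce, Ciphertext: ct}, nil
}

// Open recovers the PAN; it fails on a wrong key or any modification of the record.
func Open(key []byte, rec StoredCard) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.Last4))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// LeaksPAN models an attacker reading the exported file: it serializes the
// record and checks whether the original digits appear anywhere in it.
func LeaksPAN(rec StoredCard, pan string) bool {
	digits := strings.ReplaceAll(pan, " ", "")
	blob := append(append([]byte(rec.Last4), rec.Nonce...), rec.Ciphertext...)
	return bytes.Contains(blob, []byte(digits))
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed test key; a real one comes from a KMS/HSM
	pan := "4111 1111 1111 1111"          // standard Visa test number, not a real account
	rec, err := Seal(key, pan)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: last4=%s nonce=%x ct=%x\n", rec.Last4, rec.Nonce, rec.Ciphertext)
	fmt.Println("plaintext PAN visible in exported record:", LeaksPAN(rec, pan))
	if _, err := Open(bytes.Repeat([]byte{0x43}, 32), rec); err != nil {
		fmt.Println("wrong key:", err)
	}
	got, _ := Open(key, rec)
	fmt.Println("decrypted with the right key:", got)
}
```

LeaksPAN stands in for the file that was “exported from the system”: the exported record contains no plaintext account number, so its value to the thief depends entirely on whether the key was also reachable from the compromised host. Keeping the key on a separate system (an HSM or a key service) rather than on the box that holds the data is what makes the encryption, and the statutory exemption for encrypted data, mean anything; and the better answer, as the Visa and MasterCard rules already required, is not to retain the full account number at all once it is no longer needed.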