Global Payments Data Breach Tab: $94 Million, Plus More in 2013

Jan 13, 2013   //   by Karen Lopez   //   Blog, Compliance and Regulation, Data, Data Breach  //  1 Comment

One of the most common discussions I have with other data professionals is “why do we keep having so many silly data breaches?”  It seems to me that data is put at risk by sloppy IT practices and negligent employees, not always by hackers and fraudsters.  In this case, it appears it was both.  Reports and rumours point to insecure system admin practices and outside hackers.  We don’t know for certain, because in the US data breach laws are patchy and weak.

Usually the discussion comes around to talking about US companies not having to face many consequences for failing to protect our data.  Take a look at this quote about the GlobalPayments breach of 1.5 to 7 million merchant account holder data:

Global says it has now paid all fines related to non-compliance and has reached resolution with certain card networks, although it did not specify which ones. The processor also says its business has not suffered as a result of the breach.

“The impact on revenue of customers or other third parties who have failed to renew, terminated negotiations, or informed us they are not considering us at all, where we can confirm it is related to our removal from the lists, has been immaterial,” Global states. “We continue to process transactions worldwide through all of the card networks.”

via Global Payments Breach Tab: $94 Million – BankInfoSecurity.

Global has spent almost a hundred million dollars on this breach and expects to have to shell out another $25-25 million in 2013.  And yet with those numbers they don’t believe it has had a negative impact on their business.

Global handles Visa and MasterCard payment processing of about $120 billion (yes, with a “b”) in payments annually.

Their annual report also seems to imply that they were not PCI-DSS compliant when the breach occurred, and Global has been removed from the list of organizations that are compliant.  So billions of dollars and millions of account records pass through their non-compliant networks.  Because it can.

I wish more companies would treat our data as something that needs to be protected.

Data Modeling and Metadata–A Great Match

Jan 11, 2013   //   by Karen Lopez   //   Blog, Data, Data Modeling  //  1 Comment


Craig Mullins ( @craigmullins | blog ) has written a post about how data modeling supports metadata management and therefore better IT systems.  You may know Craig through his evangelism about DB2 and Database Administration.

So how do you ensure that you are exploiting the metadata you are collecting to the fullest, possible extent? How do you make sure that your metadata is easily accessible and effectively used across your organization? Well, this is where modeling comes in to play. Modeling is important to metadata management.

Effective communication is at the heart of the metadata value proposition. Data managers must be able to interpret the data coming into their organization and then provide a roadmap to everyone else so that they too can reach their destination. Modeling adds value to metadata management much the same way it does for data itself — by serving as a  standardized language, easily understood by everyone from business users to application developers to DBAs.

It’s always good to see people on the more technical side of data management (databases and technology) appreciate and support data modeling efforts. You should read his whole post, then leave him a comment.

Health Data Breaches – Insider Data Trading?

Jan 9, 2013   //   by Karen Lopez   //   Blog, Compliance and Regulation, Data, Data Breach, Data Stewardship  //  1 Comment


It seems like the majority of health data breaches I read about are via insiders with access to patient information systems stealing and selling their data.

Federal authorities say Sergei Kusyakov, who was involved with Metro Chiropractic and Wellness Center and City Lights Medical Center, illegally obtained private information about patients through Dale Munroe II and his wife, Katrina Munroe, who worked at Florida Hospital’s Celebration campus.

Authorities said Dale Munroe accessed more than 763,000 records for patients treated at various Florida Hospital locations. He focused on patients who were in automobile accidents, and inappropriately reviewed in detail more than 12,000 patient records.

via Florida Hospital patient data theft: Man admits to paying hospital employees to steal patient data –

The interesting part of this is that first it was the husband stealing the data, then when he was fired, his wife took up the work.  I would think that there would have been better monitoring of her data access in this case, given the highly-sensitive nature of the data.

Does your organization sufficiently monitor data access to sensitive data?  Are you told that you should be using production data for testing of IT development solutions?  Do you know that may be illegal in some jurisdictions?  I’ve always refused to accept production data for testing purposes.  I think if all data professionals would do that, it would help everyone understand just how risky it is.
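One way to do the kind of access monitoring the Florida Hospital case called for, as an added example that is not part of the original post: review an access audit log and flag any user whose daily count of distinct patient records is far above a fixed ceiling or far above that user’s own normal volume. The log format, field names, thresholds and sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

ABSOLUTE_LIMIT = 50  # assumed: more distinct patients per day than any normal role needs
RATIO_LIMIT = 5      # assumed: a day at 5x the user's own median volume is suspicious


def parse_log(text):
    """Yield (day, user, patient_id) from constructed 'day,user,patient_id,action' lines."""
    for line in text.strip().splitlines():
        day, user, patient, _action = line.strip().split(",")
        yield day, user, patient


def daily_distinct_patients(records):
    """Map user -> {day: number of distinct patient records touched that day}."""
    seen = defaultdict(lambda: defaultdict(set))
    for day, user, patient in records:
        seen[user][day].add(patient)
    return {u: {d: len(p) for d, p in days.items()} for u, days in seen.items()}


def flag_outliers(per_user, absolute_limit=ABSOLUTE_LIMIT, ratio_limit=RATIO_LIMIT):
    """Return [(user, day, count, reason)] for days that exceed either limit."""
    alerts = []
    for user, days in per_user.items():
        baseline = median(days.values())  # the user's own typical daily volume
        for day, count in sorted(days.items()):
            if count > absolute_limit:
                alerts.append((user, day, count, "above absolute limit"))
            elif baseline and count > ratio_limit * baseline:
                alerts.append((user, day, count, "spike vs own baseline"))
    return alerts


def build_sample_log():
    """Constructed sample: a steady nurse and a clerk who suddenly pulls 60 records."""
    lines = []
    for d in range(1, 6):
        for i in range(5):
            lines.append(f"2012-06-0{d},nurse_a,P{d}{i:03d},view")
        for i in range(3):
            lines.append(f"2012-06-0{d},clerk_b,Q{d}{i:03d},view")
    for i in range(60):  # day 6: clerk_b reads 60 distinct patient records
        lines.append(f"2012-06-06,clerk_b,Q6{i:03d},view")
    return "\n".join(lines)


if __name__ == "__main__":
    for alert in flag_outliers(daily_distinct_patients(parse_log(build_sample_log()))):
        print(alert)
```

A real deployment would key the baseline by role rather than by user alone and would also alert on any activity from an account whose owner has been terminated.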

Loving your data involves protecting it, too. It’s our job as data professionals to ensure organizations do that.

Nerds are the Biggest Danger to America

Jan 8, 2013   //   by Karen Lopez   //   Blog, Fun, Snark  //  No Comments

I’m pretty sure this is how most business people feel about IT.  We should feel their pain a bit more, then work with them to solve their problems.

Danger! Danger!

I wonder what hidden cameras in non-IT meetings would show us about what they think of us, really.  If you have time, go dig into the comments on this video, too.

An Audible Data Privacy Breach

Jan 2, 2013   //   by Karen Lopez   //   Blog, Data, Data Breach  //  3 Comments



RI labor dept. warns of possible privacy breach.

I think about data encryption, physical access controls to servers and such on a regular basis. But there are all kinds of formats via which data gets stored or communicated.  The Rhode Island Department of Labor recently had a data breach involving their call center.  Customers were able to hear conversations on other calls.  The department estimates fewer than 700 people were affected.

  • Paper forms in which data is originally collected.  Think membership forms, applications, feedback and suggestion forms.  I remember seeing a binder full of membership forms being used to prop open a door on the sidewalk in front of a store.  When I pointed out to the manager that this was a problem, he shrugged and said it wasn’t a problem because all the data had already been keyed in and therefore no longer had any value to them except when the systems were down.
  • Video and photographs.  The advent of video analytics and photo analysis means that we are collecting, storing, and putting at risk more data than ever before.  I remember seeing a retailer’s security video tapes sitting all lined up on a counter at the back of a store.  The only thing that made this somewhat safe is that the security system was probably so poor it would be impossible to determine who was on those videos.  But now video analytics allow retailers to determine when you visit their store, who you shop with and what products interest you.
  • Conversations.  Yes, all those "may be recorded for quality purposes" call center calls are most likely chock full of your personal information.  I worry how well those data sets are being protected, too.

I believe our role as data professionals should go beyond protecting the data held in a traditional database.  Because I’m not sure anyone else is even considering that data.  And I’d bet the bad guys are betting that no data professional is involved in protecting it.

Love your data.  Love your customers’ data, too.
