The list of companies falling victim to - and then going public about - data theft continues to grow. The latest case, discovered by security staff at MasterCard, involves a breach at one of the credit card provider's data processing partners, CardSystems Solutions. According to MasterCard, security flaws in the data processor's systems let an unauthorised individual access card data - putting up to 40 million MasterCard, Visa and American Express users at risk.
CardSystems is now under the scrutiny of the FBI and the Federal Financial Institutions Examination Council banking regulator in the US. These agencies are carrying out separate investigations to assess whether CardSystems' computer systems and internal controls met government security guidelines.
This must be a frightening prospect for any organisation, as the investigations could uncover unknown vulnerabilities or other breaches. They are also likely to affect the firm's daily operations and put pressure on its manpower and other resources if it has to help the agencies to retrieve required information.
CardSystems joins information clearing house ChoicePoint, Bank of America and the universities of California and Stanford in reporting recent data breaches. Even the US government's Federal Deposit Insurance Corporation (FDIC) has joined the party - a case all the more awkward as this agency was set up to "preserve and promote public confidence in the US financial system".
What is notable is that all these organisations are based in the US. Some may reason that firms in the US are much more lax in protecting their customers' data and so fall victim to security breaches more often; or that our US counterparts are less concerned about their public reputations and the potential damage to share prices that could result from news of security breaches.
However, the reality is that legislation in some US states forces businesses to disclose security breaches involving customer data. The Security Breach Information Act was passed in 2003 after a California state government computer storing payroll information on 200,000 workers was breached. The law requires organisations to disclose IT security breaches that lead to the exposure of any California resident's personal data - whether the firms are based in the state or not.
As other states prepare to adopt similar regulations this year, there is speculation that the law will be rolled out nationwide in the US in the near future. But while the US is tackling security breaches and forcing organisations to come clean - California is already looking to remove a loophole so that data exposures via theft of backup tapes or paper records will also have to be reported - the UK government has been slow to act. We have yet to implement a similar law to reassure the UK public that if firms fail to protect personal information the incidents can't be swept under the carpet.
But this could change soon. If the US law goes nationwide, a European version is likely to follow. Although UK firms won't welcome the idea of joining CardSystems in facing rigorous scrutiny, they might be encouraged to take a little more care of security. It might also become easier for IT managers to get funding for any oft-requested IT security improvements that have so far failed to interest the board.