The 2005 Hall of Shame - 'Security'
The big question: What can entice companies to beef up security? Bad press and stock declines usually do the trick, but peer pressure such as the Hall of Shame can be an even more effective motivator in The Year of Living Dangerously.
It would have taken a screw-up of truly massive proportions to keep CardSystems out of the Hall of Shame. Forty million credit-card numbers were at risk after an unauthorized individual infiltrated the company's network. CardSystems discovered the breach on May 22 and called the FBI the next day.
Details about the incident are still sketchy. MasterCard, Visa, American Express and CardSystems didn't initially comment on the incident, but CardSystems later confirmed that Visa planned to cut ties to the company as of Oct. 31.
MasterCard and Visa noted soon after the breach that CardSystems violated their security protocols by storing account numbers after processing transactions. Why was CardSystems allowed to operate if it wasn't in compliance with card issuer security standards? Apparently, CardSystems met Visa's security standards in June 2004, but subsequently began holding more data than it could protect.
After it was hacked, CardSystems said it installed "enhanced/additional security procedures" such as encrypting information transmitted and stored on its network and installing a series of firewalls to prevent data leaks.
On Sept. 1, CardSystems announced that it had gotten a clean bill of health from AmbironTrustWave, an independent data security assessment firm. CardSystems CEO John Perry said in a statement that Ambiron "audited the security of our network, the steps that our 110 employees take to safeguard cardholder data, our vulnerability management program, our information security policy and our ability to regularly monitor and test our network."
A Fight for Survival
Following the data breach, CardSystems had to deal with two issues: the specter of Visa abandoning the firm, and its future as an independent company. On Sept. 23, CyberSource Corp., an electronic payment processing company based in Mountain View, Calif., signed a letter of intent to acquire CardSystems for an undisclosed amount.
CyberSource intended to buy CardSystems' payment processing platform and connections to banks and credit-card networks that process transactions for 120,000 merchants. That deal, however, fell apart on Oct. 15 over "the inability of the parties to reach agreement in a timely manner," according to a statement from CyberSource.
Instead, Pay By Touch, a San Francisco company whose payment processing systems use fingerprints to authorize credit and debit transactions, bought CardSystems on Oct. 15. Terms of the deal weren't disclosed.
Pay By Touch CEO John Rogers says the company plans to add CardSystems to its existing merchant processing services business. Pay By Touch will also look to sell its products to CardSystems' customers.
The Pay By Touch deal bought CardSystems more time to get its house in order and convince customers to stay. For instance, Pay By Touch says Visa has extended its Oct. 31 exit date to Jan. 31 to allow the deal to close.
2005 Inductees
CARDSYSTEMS
The company discovered in May that 40 million credit-card numbers it had been storing had been exposed to hackers during a security breach.
BANK OF AMERICA
The bank disclosed in February that it lost backup tapes containing 1.2 million federal-employee records. In September, it had to inform users of prepaid Visa Buxx debit cards that sensitive information such as bank routing numbers, names and credit-card numbers may have been breached after the theft of a laptop in August.
CHOICEPOINT
The company said in November that 162,000 Social Security numbers and credit histories were stolen by crooks posing as businessmen.
DSW SHOE WAREHOUSE
The company reported in March that between mid-November 2004 and mid-February 2005, transaction data such as transaction amount and account numbers on 1.4 million credit-card accounts and 96,000 checks was stolen.
FEDERAL DEPOSIT INSURANCE CORP.
The federal agency responsible for protecting bank accounts said in June that it informed 6,000 present and former employees that personal information such as Social Security numbers and dates of birth had been stolen in 2004.
LEXIS-NEXIS
The company said in April that 59 intrusions resulted in a haul of 310,000 customer Social Security numbers, driver's license numbers and addresses.
POLO RALPH LAUREN
The fashion icon stored transaction data in its point-of-sale systems and lost personal data such as credit-card numbers for 180,000 HSBC North America accounts. Customers got the news in April.
UPS
"Brown" didn't do it for Citigroup in May, when the shipping company says it lost a box of backup tapes containing the credit records of 3.9 million Citigroup customers.
UNIVERSITY OF COLORADO
The University of Colorado-Boulder admitted three foul-ups. On July 21, it reported that a health-center server with identifiers such as addresses and dates of birth for 42,000 students was compromised, along with the results of 2,000 laboratory tests. On Aug. 1, the school said servers with Social Security numbers, names and photographs of 36,000 students, staff, faculty and research associates were breached. And on Aug. 19, a registrar database containing "ancillary information" on 49,000 students was compromised.
WACHOVIA
A man in Edina, Minn., received the 1099 tax forms of 73 individuals who held escrow accounts at the bank.