Dependencies Revised: Global Payments Breach

We’ve previously offered our cybersecurity insights about the dangers of dependencies that are not well understood, and it seems likely that this will continue to be a vulnerability source for many commercial and government organizations.

Before their cybersecurity breach that exposed some 130 million card numbers, what average consumer or business had heard of Heartland Payment Systems? Before their breach involving an estimated 1.5 million credit and debit cards, what average consumer or business had heard of Global Payments?

And yet these are two large, NYSE-traded companies, among the largest credit card back-end transaction processors, responsible for tens of millions of transactions per day. We may think that, in this modern era, these large, sophisticated entities would have data security well in hand. But that would be wrong. There is an important lesson here:

No technology, technique, service provider, or employee is infallible.

We must implement defenses in layers, an approach commonly referred to as “defense in depth,” assuming the failure of one or more defenses. We must always “trust but verify” even our most trustworthy suppliers, technology providers, and employees. Things change. Risks and threats are not constant. The effectiveness of most countermeasures decreases over time as the bad guys have time to analyze them.

Most importantly, we must expect and prepare for security breaches and have a containment plan in place to limit the damage.  Good response plans include technical, administrative, legal, and PR dimensions, all synchronized with the organization’s business, regulatory, and ethical objectives.