
Saturday, February 23, 2019

Case Analysis: Global Payments Breach

Table of Contents
Executive Summary
Company Background
Security Breach
Cost of Security Breach
Closer Look at Control Issues
Steps to Mitigate Data Breach
Conclusion
References

Executive Summary

A data breach at the credit card payments processing firm Global Payments potentially impacted 1.5 million credit and debit card numbers from the major card brands Visa, MasterCard, Discover and American Express (money.cnn.com) in April 2012.

Company Background

Founded in 1967, Global Payments (NYSE: GPN) is one of the largest electronic transaction processing companies, based out of Atlanta, GA, with operations in several European and APAC regions. The company provides business-to-business card payment and processing solutions for major card issuers such as Visa, MasterCard, Amex and Discover. The company also performs terminal management and electronic check conversion.

Security Breach

Exactly a year ago, in March 2012, the company was hit by a massive security breach of its credit card payment processing servers, impacting more than 1.5 million clients (nytimes.com). The company reported unauthorized access to its processing system resulting in the transfer of 1,500,000 card numbers. According to the company report, the data stolen includes names, social security numbers and the business bank accounts designated for payment processing or deposit services. As a result of the unauthorized access to the company's servers, millions of confidential customer records were exported.

Cost of Security Breach

While this data breach is not the largest of its kind, the Global Payments data breach turned out to be a $93.9 million deal according to the company's Jan 8th 2013 quarterly report (bankinfosecurity.com). This was mainly spent on enhancing security and ensuring compliance with the Payment Card Industry Data Security Standard (PCI-DSS). The company hired a Qualified Security Assessor (QSA) that conducted an independent review of the PCI-DSS compliance of Global Payments' systems and advised many remediation measures for its systems and processes. The company also paid fines related to non-compliance and has reached an agreement with several card networks. The majority of the expenses, $60 million, originated from professional fees, while $35.9 million was estimated to be fraud losses, fines and other charges imposed by the credit and debit card networks. However, the company received $2 million in insurance recoveries. There could be additional expenses of $25 to $35 million in the remainder of 2013 due to investigation, remediation and PCI compliance.

Closer Look at Control Issues

While the company would like to keep the finer details of the investigation private, a closer look into this case clearly reveals a fraud triangle of pressure, rationalization and opportunity. It is highly likely that an insider played a major role in exposing security vulnerabilities of the company's information technology systems and the lack of appropriate monitoring mechanisms. Lack of proper internal controls resulted in the insider making use of the opportunity to commit fraud. The case clearly indicates that the system monitoring mechanism was inadequate and could not prevent the data thief from getting access to PCI data. It is not clear whether high-level data encryption was implemented for personal data such as social security numbers and bank accounts.

Steps to Mitigate Data Breach

A number of precautionary and data protection measures should be taken to ensure PCI compliance and prevent such a massive data theft (sans.org).

1. Establish multiple levels of data security specifically for personal information such as customer account numbers, social security numbers, customer addresses, phone numbers and so forth. This includes creating authorization algorithms, and every data retrieval gets logged and reported.
2. The data should be encrypted by utilizing the best data encryption methodologies to protect both data at rest and data in transit. Data at rest is the information residing in database and file servers and even in personal computers. On the other hand, data in transit refers to data moving across local and wide area networks.
3. Identifying all the sensitive data that needs encryption is the first step in protecting data based on the data classification policies.
4. Locate data at rest and data in motion and then apply techniques such as eradication, i.e. removal of surplus data lying in file systems or personal PCs; obfuscation of data to ensure it is not in a readily readable format; and, at last, encryption by employing industry standard data encryption techniques.
5. Follow PCI-DSS requirements for financial data:
   a. PIN blocks, CVV2 and CVC2 card verification data cannot be stored at any time.
   b. All sensitive information must be encrypted during transmission over networks, which are main targets for hackers.
   c. Ensure that security related technology is resistant to tampering and does not disclose any security related documentation.
   d. Ensure sound and practical policies around data generation, updates, deletion, storage and archival of cryptographic keys.
   e. Ensure that data exchange is conducted over a trusted path that follows high controls and confirms the authenticity of content.

Conclusion

The number of cyber threats is increasing at an alarming level, and a small oversight on the company's behalf is enough for hackers to steal confidential data and put consumers at risk.
In today's high-tech world of information technology, customers' information is at high risk of breach, and any company, whether private or public, involved in dealing with financial data has to ensure the highest level of regulatory compliance to protect consumers' interests, maintain their trust and finally run as an ongoing concern.

References

1. Jessica Silver-Greenburg, Nelson D. Schwartz (March 30, 2012). MasterCard and Visa Investigate Data Breach. New York Times. Retrieved 2013-03-17.
2. Information Security Group (January 10, 2013). Global Payments Breach Tab: $94 Million. www.bankofsecurity.com. Retrieved 2013-03-17.
3. Julianne Pepitone (April 3, 2012). 1.5 Million Card Numbers at Risk from Hack. www.money.cnn.com. Retrieved 2013-03-17.
4. Dave Shackleford (November 2007). Regulations and Standards: Where Encryption Applies. www.sans.org/reading/analyst_program/encryption_Nov07.pdf

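To make steps 1, 5a and 5d of the mitigation list concrete, here is an added Python example (not from the case analysis or from Global Payments) of a card-record store that refuses to persist PIN blocks and CVV2/CVC2 values, keeps only a masked PAN plus a keyed lookup token in place of the PAN, and logs every retrieval. The token key, the field names and the sample authorisation message are constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo key; in production it comes from an HSM/KMS with documented
# generation, rotation and archival policies (step 5d).
TOKEN_KEY = b"demo-key-do-not-use-in-production"
# Sensitive authentication data PCI-DSS forbids storing after authorisation (step 5a).
FORBIDDEN_AFTER_AUTH = ("pin_block", "cvv2", "cvc2")
# Constructed sample authorisation message that wrongly still carries the CVV2.
SAMPLE_AUTH_MSG = {"pan": "4111 1111 1111 1111", "cardholder": "A. Merchant", "cvv2": "123"}

def luhn_valid(pan: str) -> bool:
    """Reject malformed PANs before they reach any store."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    digits = [int(c) for c in reversed(pan)]
    doubled = [d * 2 - 9 if d > 4 else d * 2 for d in digits[1::2]]
    return (sum(digits[0::2]) + sum(doubled)) % 10 == 0

def mask_pan(pan: str) -> str:
    """First six and last four digits are the most PCI-DSS allows to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def pan_token(pan: str) -> str:
    """Keyed lookup token: an unkeyed hash of a PAN with a known BIN is cheap to brute-force."""
    return hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()

class CardVault:
    """Never keeps forbidden fields, keeps only a masked PAN, logs every retrieval (step 1)."""
    def __init__(self):
        self.records = {}
        self.audit = []

    def store(self, raw: dict) -> dict:
        pan = raw["pan"].replace(" ", "")
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        token = pan_token(pan)
        dropped = [k for k in FORBIDDEN_AFTER_AUTH if k in raw]  # never persisted
        if dropped:
            self.audit.append(f"DROPPED {','.join(dropped)} token={token[:8]}")
        rec = {"token": token, "masked_pan": mask_pan(pan), "cardholder": raw["cardholder"]}
        self.records[token] = rec
        return rec

    def retrieve(self, token: str, actor: str, purpose: str):
        rec = self.records.get(token)
        self.audit.append(f"RETRIEVE actor={actor} purpose={purpose} token={token[:8]} found={rec is not None}")
        return rec
```

The audit list stands in for the logging-and-reporting pipeline of step 1; in a real deployment those entries go to a write-once log that the card-data application itself cannot edit.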