Data Breach Double Talk Spin?

On the heels of the Heartland breach came news of a similar breach at another unnamed processor/acquirer. Then came a lot of speculation in the blogs, the on-line trade journals and the media. Now Visa is denying that there’s anything new. I’ve been wrong before, but I’m not buying into all this. Here’s why.

The first reports of a new breach were on the banking and processing industry web sites. We were told that it was a big breach. The speculation was that it had gone on for months – probably since January of 2008. We were told that no track data was breached so the cards couldn’t be cloned. We were told that it had nothing to do with the Heartland data breach or the RBS breach. These reports were based on Visa’s own CAMS (Compromised Account Management System) alert with a new number. The new number historically signified a previously unreported incident. In other words – everything pointed to a previously unreported incident. The only thing we weren’t being told was how many accounts were affected and who the breached entity was.

Now Visa is trying to tell us that no, this isn’t a new breach. Visa’s official statement reads, in part,

The recent alerts Visa sent to card issuers were part of an existing investigation and are not related to a new compromise event … As the entity involved has not yet issued a press release, Visa and MasterCard are unable to release the name of the merchant processor. It is important to note that this event is not related to the Heartland Payment Systems breach.

Let’s think about this. All evidence points to a new breach. Then Visa releases a statement designed to deny the new breach ever happened. The problem is that the statement doesn’t hold up against the evidence. In fact, the statement contradicts itself.

Sure, the information sent to the issuers was “part of an existing investigation.” We’d expect them to be investigating if they know about it. And if they know about it and have been investigating it, then it isn’t “a new compromise event” in their eyes. But if Visa isn’t releasing the name of the breached entity because the entity hasn’t disclosed, then it is, in fact, a new breach as far as the public is concerned.

Is this that hard to understand? No new breach my ear lobe.

Comments are open. What do you think?

About Tom Mahoney

Tom Mahoney is the Founder and Director of Merchant911, a site dedicated to helping e-commerce merchants.

Could it be an existing breach that was not fully discovered or disclosed?

In my humble opinion, this sounds like the rhetoric that is splashed around the industry on almost a daily basis. Let us be clear, as usual, big business is going to not follow responsible practices, such as informing the public about breaches as soon as they are found. It is up to organizations like Merchant 911 to inform us wee individuals, as we are NO Visa, Mastercard, or Citi Bank. I see this as fuel for future congressional investigation, and hopefully someday, policy change.

Do they think we have "stupid" stamped on our foreheads?

How can it not be a new breach if the entity has yet to disclose?

They must think we're as dimwitted as they are!

The feeblemindedness of the entire global banking industry worries me greatly!

Or, maybe they're just all insane. Einstein defined madness as doing the same thing over again and expecting a different result.