Shostack + Friends Blog Archive


CardSystems and Choicepoint

Choicepoint, please call your trademark attorneys. You’re in danger of becoming a generic term for “massive security breach,” and a band-aid isn’t going to fix that.

That was the lead (and about all I’d written) of a long post on Choicepoint and some bank breach. I think it was the New Jersey case. The point of the article was going to be how people know that their banks could make mistakes, and that a bank mistake wouldn’t ever be as upsetting as the Choicepoint error. But now, CardSystems Solutions has done what no bank could do. They’re taking attention away from Choicepoint, and they’re going to take more, for a while. I’d like to explain why I think this.

Firstly, this one is big. As in ten times larger than the previous record. JW mentioned to me that 40m could reasonably be expressed as a percentage of Mastercards issued. (Actually, it was 20m Mastercards, which is just short of 3% of the 698m Mastercards issued.)

Second, like Choicepoint, you have no choice about doing business with CardSystems. You didn’t know they existed before you heard your credit card was in the hands of Russian thieves.

Third, because what was stolen was credit card data, rather than SSNs, it’s short-lived, and the folks who have it are already under huge pressure to flip the data as many times as they can, as quickly as they can, along with the blame and the legal pressure. That means that most of the impact is going to be on credit card statements this month and next. That compression has an upside, which is no life of fear for the victims, and a downside, which is that Congress is going to be under enormous pressure to pass a law. That’s a downside because Congress legislates in haste, while we all repent at leisure.

Fourth, CardSystems flubbed their public relations. Their story was inconsistent and confusing. Basic company facts were confused. (Are they headquartered in Tuscon, AZ, Tucson, AZ, or Atlanta, GA? Major media outlets were contradicting each other.) AZCentral tells us:

Actually, the company appears to be headquartered in suburban Atlanta, but has its processing center in Tucson. Or maybe it’s based in Tucson in the winter when executives want to play golf. It handles $15 billion in payments every year.

Finally, they violated their contract with the card providers (by storing CCVs), and their CEO offered a confused story about “research purposes.” (In “Lost Credit Data Improperly Kept, Company Admits,” in the New York Times.)