Shostack + Friends Blog Archive


Ed Moyle on "MasterCard Lays Down the Law"

In a bold move, MasterCard lays down the law on CardSystems. And by “lay down the law”, I mean they upped the ante from recommending that CardSystems comply with security procedures to “putting them on notice” to comply. Um… Is it me, or does that sound like the same thing to you? If the only ramification from MasterCard is finger-wagging, it shouldn’t be surprising that CardSystems would fail to take the regulations seriously. I’m concerned: this foolishness at CardSystems was the biggest loss of financial account data ever, and MasterCard’s reaction was to “put them on notice”? What do you have to do before they take any stronger action?

“Stop! Or I’ll say stop again!”

Read “MasterCard Lays Down the Law” at the comment-free, trackback-free, spam-free SecurityCurve. (I’ve asked a very similar question in “What Do You Need To Do To Get Fined?”)

2 comments on “Ed Moyle on ‘MasterCard Lays Down the Law’”

  • Has anyone seen data or analyst estimates on MasterCard’s expected loss in this matter? While I believe that the presence of so much data leakage in such a short sample space points to bad incentives in place, I have to wonder what’s going on here. If MasterCard isn’t treating this as a big deal, does that mean that their books already take into account this sort of risk? Does this imply that they knew this sort of thing was happening a lot?
    I think it’s time for some men in suits to start asking some corporate officers “what did you know, and when did you know it?”

  • Ed says:

    I agree with the “men in dark suits” approach. I’m amazed at the whirlwind of incompetence going on over at CardSystems. For instance, check out this choice commentary from the Ireland Business Review:
    CardSystems’ chief financial officer, Michael A Brady, said his company was “blindsided” by the MasterCard release, adding that his company was told by the FBI not to release any information to the public. FBI spokeswoman Deb McCarley said they did ask CardSystems to not release details that might compromise the investigation – but denied asking the company not to disclose that the intrusion occurred.
    “I’m not sure where they got that impression. It’s important for the public to be warned so card holders can be more careful while checking their statements.”
    So CardSystems is telling one story, the FBI another… And where are they getting the .4% metric from? 40 Million account #’s divulged, 68,000 at high risk? I don’t think they can get away with that kind of number without a justification. The whole thing ticks me off.
