Brandon Scott reports that authorities have now named the source of a rash of card fraud reports in Huntsville, Texas. But what may be most significant about the news report is its focus on how law enforcement decided whether, or when, to reveal the point of compromise:
… Huntsville Police Department, Walker County Sheriff’s Office, University Police Department and the U. S. Secret Service worked together to determine the source of the thefts of debit and credit card numbers by virus-infected computers at Margarita’s Mexican Restaurant.
Margarita’s was hit by a type of “skimming,” in which credit card numbers are stolen before they can be encrypted by the restaurant’s point of sale system.
Skimming debit and credit card numbers can occur many ways, remotely by computer hacking or on-site by a device placed on a computer, authorities said.
Residents began alerting the police to the problem almost three weeks ago, and a large jump in reported cases occurred about two weeks ago. Victims are still bringing cases to authorities as they find evidence in their bank and credit card statements.
At some point in the investigation, authorities knew most of the cases were connected to computers at Margarita’s, but they said they were reluctant to release the business’s name to the public for fear of retribution against the restaurant.
“We had determined it was Margarita’s, but it wasn’t necessarily something they had done,” said Huntsville Police Department Lt. Curt Landrum. “This was not one of their employees or a situation where someone who was directly affiliated with Margarita’s was selling information. We were seeing they had done the things they should do to prevent this. We were afraid that it would hurt their business.”
Once it became clear that the credit card numbers had been sold by thieves in batches on an underground market but not yet used by thieves, investigators decided the threat to the public took precedence over the threat to Margarita’s.
Read more on the Huntsville Item.
Should law enforcement be withholding information like point of compromise for fear of hurting a business? Law enforcement may take the position that it’s not their place to notify the public and that it’s on the entity to disclose the information, but there’s something that doesn’t sit right about this approach. Doesn’t law enforcement work for us and not for the business? I wouldn’t mind if they tell an entity, “Look, we’ll give you today to get a press release or notice out to the media or on your web site or store door, but after that, we will disclose if you haven’t.” But that doesn’t seem to be what happened here. In this case, law enforcement decided that the risk to consumers outweighed other concerns. But if it hadn’t… then what?
The banks cancel cards and don’t tell us where a breach occurred – often because they’re not told, either.
Law enforcement may not tell us where a breach occurred.
Breached entities may not tell us when they’ve been breached.
This is really unacceptable.
And no, there’s no notice on Margarita’s web site about the breach as of the time of this posting.
Update of July 24: The Huntsville Item has an editorial and apology on its site for its decision not to report the name of the business sooner.
They – and local law enforcement there, it seems – still don’t seem to get that even if a business is a victim of a cybercrime, ultimately it is the consumers who are the victims, and first and foremost they must be informed so that they can protect themselves. They must also be informed so they can make informed choices about with whom to do business.
Maybe if so many security firms stopped sounding empirically unsupported dire warnings about churn and loss of business, breached entities would feel less fear about disclosing breaches. But even if they do experience fear or some short-term loss of business, if they failed to protect consumer information, they need to step up to the plate and get the word out. They might be pleasantly surprised to find that many customers will understand and will actually commiserate with them.
Local businesses are vital to our communities. But protecting their reputation and business at the expense of the public turns law enforcement into a public relations arm of the business instead of leaving them as public servants. Withholding disclosure until a point of compromise is confirmed seems reasonable. But after that, disclose, disclose, disclose!
Update 2: Law enforcement officials seem to be suggesting that the hack was not of Margarita’s but of their payment processor or acquirer. If that was the case, then the payment processor or acquirer needs to be named and I would guess that card issuers would have already figured out who that is. Even if the breach was at a payment processor’s or acquirer’s, though, Margarita’s customers should be informed that if they used their card there, they were/are at risk.
Law enforcement doesn’t withhold the streets on which muggings, rapes or murders occur. Nor do they withhold the names of arrested suspects, on the grounds that they might be innocent.
We as a society need to deal with the question of retribution against businesses. Police can and should state what they know, and even their opinions. In a free society, they should not withhold information.
Agreed.
And I need to go back and check, but my impression is that under Rep. Mary Bono Mack’s proposed breach notification law, the restaurant wouldn’t even have to notify individuals if only the card number (but no name) was captured. So we’d continue to have a slew of restaurant hacks involving card numbers, and they’d have to notify law enforcement/govt, but not consumers? We shouldn’t be the only ones in the dark.