A data breach doesn’t necessarily have to be fatal to a business, but there are entities that seem to shoot themselves in the foot when it comes to breach response. Did Global Payments suffer a self-inflicted public relations injury this past week when they didn’t get ahead of the story? And how will their failure to directly address swirling rumors about a larger breach affect investors?
Chronology
On March 23, CUSO started receiving notifications of a data breach. But Global Payments, Inc. (stock symbol: GPN) did not publicly disclose or acknowledge any breach until March 30 – one week later – after Brian Krebs broke the story of a breach at an unnamed credit card processor. Although Brian didn’t name Global, The Wall Street Journal did later that day. It was only after the media storm over a possibly “massive” breach had started that GPN went public. By then, stock prices had tumbled over 9% before trading was halted. Estimates of the number of customers affected varied wildly in news reports that day between 50,000 and 10 million.
On Saturday, the New York Times repeated reports first made on Friday that the GPN breach occurred between late January and late February 2012 and that it included both Track 1 and Track 2 data. Neither of those points had been addressed in GPN’s press release on Friday. Significantly, NYT also reported that this was not Global Payments’ first breach:
This is the second breach at Global Payments in the last 12 months, according to two individuals briefed on the investigations who spoke on condition of anonymity because they were not authorized to speak publicly.
Two individuals who had been briefed on the investigation were both saying they had been told this was Global’s second breach? Surely, then, GPN would be in possession of such information or be in a position to respond to that claim. On Sunday night, GPN issued an updated statement that said, in part:
The company believes that the affected portion of its processing system is confined to North America and less than 1,500,000 card numbers may have been exported. The investigation to date has revealed that Track 2 card data may have been stolen, but that cardholder names, addresses and social security numbers were not obtained by the criminals.
The statement did not address claims that this was their second breach and did not disclose when the breach occurred. Nor did the statement address other reports that the breach may have involved NYC taxis and parking garages as well as a Dominican criminal gang.
And did they have no breach management firm on board to advise them to control the story before some details – like removal from Visa’s approved list – were revealed by others? Removal from Visa’s approved list is Visa’s standard operating procedure in such cases. GPN could have presented it as such instead of letting the media reveal it in screaming headlines.
A “Data Breach Conference Call” Doesn’t Take a Single Question from Breach Reporters?
On Monday morning, GPN held a conference call (webcast) that was supposed to address the data breach. The questions they took were from analysts or about financials. Not one regular security or breach reporter got to ask a question. I didn’t bother getting in the queue to ask questions because I figured Brian Krebs, Kim Zetter or one of a number of other well-known security reporters or bloggers would ask what I wanted to know. But GPN did not take any questions from any of those who were on the call to really discuss the data breach. Not one hard question about the breach got asked or answered. Not one. I posted a brief recap of the call yesterday in Update 2.
The conference call did nothing to stop the rumor mill because GPN never took serious questions on the actual breach. Brian has information from hackers that needs to be either refuted or investigated. The NYT also has sources with disturbing information. None of that was aired or addressed.
Nor did Global’s CEO Paul Garcia explain why PSCU reportedly stated there had already been 876 cases of fraud. He claimed they were not aware of any fraud associated with the breached card numbers. Are they not aware because they haven’t asked for such data, or are they suggesting the report of PSCU’s statement was incorrect? No breach reporter got to put that question to them, either, even though Gartner analyst Avivah Litan had already said she had reports of misuse and that the breach was “mushrooming.”
GPN also didn’t address whether they had been storing Track data (which would be a PCI violation) or if the data were being exfiltrated in real-time – because no breach reporter got to ask them that question.
And they didn’t address why they continued to process transactions once they became aware of a breach in early March. As Brian tweeted after the call, how many more transactions did they process (alternatively, how many more customers were put at risk) during the period between discovery and containment?
Analysts have one set of questions. Breach reporters have very different questions. Global Payments wasted our time yesterday morning with its faux conference call on the data breach. They now owe me one hour of sleep.
GPN’s stock fell another 3% in yesterday’s trading and the rumors that continue to swirl will likely make investors nervous as they gain more media coverage.
Perhaps GPN should consider scheduling a real conference call on the data breach where those who report on breaches actually get to ask the questions. Or if they would care to submit a statement to DataBreaches.net that addresses these questions, I’ll post their answers although such answers generally tend to be non-responsive and raise more questions than they answer.
How about some greater transparency, GPN? Or would you prefer to continue to self-inflict public relations harm and leave investors wondering about all the questions you haven’t yet really answered?
Good points, still more questions than answers. Looks like Brian got some proof of previous breach…
If you’re referring to the internal disaster recovery document, then yes, if it’s legit, he’s got some evidence of an intrusion. But that could be any time after May 2010, and it doesn’t provide enough evidence to prove an early 2011 intrusion with hackers sitting inside for a year stealing data. I’m sure he’ll stay on it and will share more of what he finds out.