In what appears to be a reaction to an article by Kim Zettner of Wired, “Clues to Massive Hacks Hidden in Plain Sight,” the folks at Sûnnet Beskerming posted, “A Data Breach In The Tea Leaves, Or Tilting At Windmills?” today. They write, in part:
Increased frequency of reports of small to medium numbers of credit and debit cards being reissued at seemingly-unrelated institutions are just some of the clues that have led people to consider that a major breach disclosure is set to take place in the near future.
A risk of this sort of approach, and it is one that the Intelligence community faces, is that it is possible to read too much into the information that has been collected and analysts end up jumping at shadows.
Most of their comments appears to be in responses to statements by the Open Security Foundation, so I’ll just comment generally. Of course it is possible to incorrectly link or ascribe disparate breach reports — particularly when there may be errors in reporting such as spokespeople saying that they had been informed that the breach involved a merchant.
As to the second breach or potential breach that OSF discussed on February 13 and February 22nd: in light of the statements by Visa and MasterCard and a statement by the NYS Consumer Protection Board that it is already receiving notifications by entities affected by a breach related to the new reports, there are a few possibilities, including:
1. There has been another breach involving a processor not already identified as having had a breach, or
2. A processor that had previously reported a breach discovered that the breach was bigger or worse than originally reported (as happened to RBS Worldpay).
So is there a “new” breach as OSF’s commentary and other media reports would seem to suggest, or are there just new breach reports about an already-identified breach? Or is it some third possibility?
I’m not yet convinced from the information available that it really is a new breach in the sense of a processor not previously identified as having had a breach. Look again at Visa’s and MasterCard’s confirmation emails to Computerworld. They are not actually saying that there is a new breach in the sense of a new processor that we didn’t know about already. Nor are the credit union reports saying that they were told that this is a new processor. They are reporting that Visa and MasterCard became aware of a compromise that is new (in the sense of not previously detected?).
While it can be fun or challenging to speculate, this site remains cognizant that businesses have reputations and playing the “I think it could be X” game can do reputational harm. Hopefully, the processor being referred to in the newest alerts will disclose what’s going on. On some level, it would be a bit of a relief if this was just new information on a breach we already knew about. If that is the case, it may be embarrassing for a processor to find itself back in the negative news, but they would still better off disclosing and getting ahead of the story than to wait and risk some employee leaking the story or some privacy advocate who gets testy about nondisclosure filing under FOIL with state and federal offices to find out what happened. And if, as OSF seems to suggest, it is a breach at yet another processor, then it’s even more important that they disclose so that we gain a better understanding of the extent to which the financial sector has already been hit.
In the meantime, I’ll leave tea leaves to others. My drink has always been coffee.