Earlier this week American Express notified customers of a potential breach involving theft of account numbers, user names, and “some other” account information—most of the juicy ingredients necessary for fraud. The company was quick to mention that it is monitoring for fraud, but it was even quicker to deny responsibility for the incident.
“We became aware that a third party service provider engaged by numerous merchants experienced unauthorized access to its system. Account information of some of our Card Members, including some of your account information, may have been involved,” wrote American Express Chief Privacy Officer Stefanie Ash. “It is important to note that American Express owned or controlled systems were not compromised by this incident, and we are providing this notice to you as a precautionary measure.” Furthermore, the notification was issued a mere three years after the incident occurred.
I’ve been listening to your reasoning, it makes no sense at all
Why the delay? No one knows for sure. Ash did not address “why” in her letter, and AmEx’s PR team is remaining mum. Looking at the timeframe, it’s curious to note that the mega retail breaches of Target, Neiman Marcus, and Michaels all occurred around the same time, and all of those companies came clean rapidly. While they each experienced a short-term dip in stock price and customer loyalty (and undoubtedly some hefty cleanup and legal fees), all three companies are alive and kicking today. Earlier retail breaches, like TJX, for instance, have proven that customers don’t hold on to hard feelings for too long, so it makes very little sense that American Express would try to hide the breach (unless they didn’t know until now, which would be awfully troubling).
Companies should take breaches and other security incidents very seriously. Best efforts at defending networks, data, and applications should always be made. Controls, policies, and technologies used in these efforts should be reviewed and adapted regularly to ensure the most up-to-date and applicable defense mechanisms are in place. Doing so, however, doesn’t mean a company can’t or won’t be breached. Disheartening as it is, a motivated attacker will find his way into systems; no house is impenetrable.
This doesn’t mean that security professionals—we, the defenders—should throw up their hands and cry “I give up!” It does mean, though, that if a breach occurs and customers were or might have been affected—and best efforts were truly made to not only keep attackers out but to also limit access to data by segregating it, encrypting it, etc.—the breached organization should not be afraid of transparency. Trust between customer and provider are critical.
George Gerchow, Director, Security & Compliance at Sumo Logic, agrees, “Everyone is vulnerable and a potential target for a breach; it is the world we live in today. Having a clearly defined way to detect those breaches and respond appropriately is only a small part of the picture. Communicating the issue to those who have potentially been affected is everything."
We’ve already seen that a breach, in and of itself, only momentarily breaks that trust, so it just does not make sense to add insult to injury and conceal the breach.
To be a true player, have to know how to play
Failure to declare the breach is nonsensical, but the more concerning part is American Express’s outright denial of any responsibility. Many successful breaches are detected by third-parties. This is not uncommon. While a breach is never a good scenario—and the above section should not be misconstrued to mean that it’s OK to have a breach or that some companies are not permanently crippled by one—AmEx did, in fact, have a part in the breach. For one thing, it’s AmEx’s data that was stolen. They shared data entrusted to them with a third party, whom card holders likely don’t know. A thorough and regular vetting process should be in place whenever sensitive data is shared between parties. Even though AmEx can’t force another organization to implement any policy or control, it can review them with the third party to make sure they meet America Express’s standards. If the standards are not met (or the third party won’t allow a review), perhaps it’s time to dissolve the relationship.
In addition, even though “American Express owned or controlled systems were not compromised by this incident,” our highly, highly interconnected ecosystem means that organizations have to think about that whole ecosystem. Saying, “wasn’t me,” is kind of like a driver causing a car accident because she was texting, but denying responsibility because the car in front slowed down without warning.
Yes, this makes security teams’ jobs harder. An organization can’t be only responsibility for its own systems, but must have some visibility into partner systems. Isn’t this why security professionals, for a very long time, had trouble accepting cloud technologies? This is the world we live in now, and organizations need to partner to provide world-class services; vendors need to integrate with other organizations. Even if, in the case of the AmEx breach, the third party was a point of sale merchant or the encryption software or a cloud storage provider, it’s still American Express’s customers who were impacted and the company should be saying a mea culpa. Whomever the merchant, AmEx chose to play in that sandbox, and pointing out that American Express owned systems weren’t the cause doesn’t make the scenario better for affected customers. It does, however, make American Express look a little sketchy.
You better change your specs
A breach is a good time for a change in processes. After their incidents, Home Depot and Target were some of the first to update and change out hardware to make POS data theft more difficult. Again, though, these companies immediately accepted and took responsibility for the problem, so it made sense that resultant actions to increase security measures occurred. We can only hope that AmEx will also step up.
Even if its customers didn’t experience data or identity theft from this incident (which we will likely never know), one can only hope that American Express takes this as an opportunity to improve security practices and policies.
