Discover Financial Services has filed a data breach incident notification with the California attorney general’s office stating that some of its cardholders may have had their account information compromised.
Discover supplied few details in its Jan. 25 filing and cannot even tell its customers exactly what information may have been exposed, but it did specifically state the breach did not directly involve any Discover card systems. The company stated the breach was spotted on Aug. 13, 2018.
The company is issuing new cards as a precaution and is asking cardholders to keep an eye on their accounts for any fraudulent activity. Discover also reassured affected cardholders that they will not be responsible for illegal charges made to their cards and told them not to contact any merchants listed about these purchases.
"To be clear, Discover was not breached. Other outlets are indicating as such without checking with us. We’re just trying to keep the discrepancy clear," Jon W. Drummond, Discover's director, external relations/media relations told SC Media.
Drummond added that this is a routine filing required by the state of California whenever any company doing business in that state responds to a cybersecurity incident involving more than 500 residents.
Industry execs met the incident with a mix of annoyance and hope that some current and upcoming legislation, along with a few technical changes, can offer some relief to consumers in the future.
“New legislation, such as the EU’s GDPR, the pending California Data Privacy coming into force in 2020, and the new national bill proposed by Marco Rubio, the American Data Dissemination Act, create a regulatory barrier only met by the end-to-end use of encryption within these financial systems. You must ensure that your data is encrypted, both in the database, and in transit (middleware, API, etc.) and in use. Similarly, your business partners must be held to the new standards you require internally,” said Anthony James, chief strategy officer at CipherCloud.
Felix Rosbach, product manager at comforte AG, told SC Media that companies handling payment information have to institute a wide range of features to ensure the safety of their customers’ data.
“It’s crucial to protect sensitive data over the entire data lifecycle – from the POS device to processing to backup. Implementing data centric security, which means protecting data at the earliest possible point and de-protecting it only when absolutely necessary, is the only way forward,” he said.
Rosbach also suggested all data should be pseudonymized, with merchants and issuers using only tokens instead of clear text data to process payments and store sensitive data. That way, if the payment information is compromised, it’s useless.