Tuesday, June 21, 2005

MasterCard says security breach exposed 40 million to fraud - It's time to make gatekeepers liable for failure to keep a secure system?

It was reported today that, as a result of a security breach at a processor used by MasterCard International, more than 40 million customers may be exposed to fraud.

Identity theft is a major problem for both individuals and institutions and has to be carefully prevented. But with this recent and largest security breach of customer data from MasterCard accounts, the negative impact can affect many millions. The breach of security was discovered at MasterCard's Arizona-based CardSystems Solutions, a third-party processor of payment card data used by MasterCard. MasterCard reported that the breach was the work of an "unauthorised individual" who unlawfully entered the network. No other details were released. MasterCard also reported that it is now taking action to prevent further such breaches. The same Channelnewsasia report noted that several banks and financial institutions had been victims of attacks that resulted in the loss of sensitive customer data.

Unfortunately, the development of new security technologies will almost never keep up with or keep out the criminals who are adept at using technology to break into the information vaults of financial institutions. The law in itself, while it can be draconian even toward cyber criminals, does not protect the individual whose information is lost or provide that individual with any recourse.

This situation raises these questions - where will the future of online commerce be in a few years if no one is made liable for the loss of sensitive information? Should personal banking information lost to hackers be grounds for a customer to take action? If so, what would be the right measure of loss? Any jurisdiction with a reputable banking industry must have some form of banking secrecy provisions regarding customer data. The loss of such information has consequences. Consequently, when hackers successfully steal information (supposedly well protected) from banks - should the banks be held liable?

To make the situation more tenuous - will the banks honestly report that their systems had been compromised? Unlikely. The security breach here was reported by MasterCard itself. I am sceptical that any bank would do the same. Should banks be compelled to disclose? What would the impact be for the bank, industry, economy or nation?

While these questions appear to be far-fetched, I suspect it's very near the horizon that governments and banks need to address these issues. Technology in itself is not a solution to the security risk. Redistribution of risk and liability is the question. I will be looking forward to seeing how creative we can be in resolving this growing mess.

MasterCard says security breach exposed 40 million to fraud - Report from Channelnewsasia.com