Shostack + Friends Blog Archive


Naming names isn't always bad

In a comment to an earlier blog entry concerning a ‘he who must not be named’ policy for card processors and others who get breached, optionsScalper asks: “given Adam’s recent series on ‘Disclosure’ (at least five posts back to the BofA post on 1/21/2006), how do you (or Adam) assess the disclosure in this case?”
My answer is that I think the disclosure optionsScalper refers to, which involved Regions Bank customers, but where the breach was reportedly at a processor rather than at Regions Bank, is insufficient. It is high time that names be named.
I also think this incident is related, at least conceptually, to a breach involving BofA debit cards reported by the San Francisco Chronicle here and here, also strongly implying that Wells Fargo account holders were involved as well.
The upshot is that a major big-box retailer (see report here [link to http://news.zdnet.com/2100-1009_22-6038287.html no longer works]) got hit, and now not only BofA but also Washington Mutual is taking action to protect account holders. Of course, neither is saying anything about which retailer was hit, just as Nations Regions Bank [“I regret the error” – cw] didn’t do any talking.
The ZDnet article above reports Visa as not naming names because there’s an ongoing investigation. In another breach, this time reportedly involving Sam’s Club, it was Visa and MasterCard not naming names (and being criticized for it by the notoriously anti-capitalist American Banker — excerpt here).
It’s time for reporters to start asking the FBI and the Secret Service whether they feel that merely identifying the retailer would compromise the investigation.
More (and more cogent) thoughts about this situation will be forthcoming, but I wanted to at least get this much out.
A quick aside to optionsScalper, since you mentioned a firm’s duty to shareholders: when it comes to thinking about breach notices, I think about the efficient markets hypothesis, and whether investors would rationally expect a failure to protect data to affect future profitability.
Along those lines, it might be interesting to see which big-box retailer’s insiders are selling right now, if only we could.