During a week seemingly filled with firsts (including my first post to this blog) and historical significance, a footnote to the inauguration is being billed as "THE BIGGEST BREACH EVER!" The Heartland Payment Systems breach is making headlines and tearing up the blogs (read the notice here and the analysis here: Heartland data breach could be bigger than TJX's). I am left with the realization that, despite the best of intentions, the rampant speculation and headline grabbing of the security industry is counterproductive and even harmful to the larger cause of changing the way people protect information.
In my recent book, Into the Breach, I asked -- and answered -- "What happens when a breach is only a symptom (of a larger, more complex problem)?" The book sets out a plan and foundation for changing the way that people protect information. The breach disclosure from Heartland provides more evidence that breaches are symptoms; the focus must be placed on understanding and addressing root causes.
At this point, real details are few and far between. We need to learn more before we can determine a path forward. Here are three reasons this is not something to speculate about today:
1 - Size doesn't matter
The age-old debate of size rears its ugly head again. In this case, the potential size of this breach is so large that it cannot be fathomed. It is no secret the human brain stumbles over big numbers. To most people, the difference between 30 million and 45 million is moot. And now, thanks to billions - and even trillions - in "bailouts" around the world, the sheer scale of such astronomical numbers feels more like fantasy than reality. While it is possible to construct a metaphor that brings the scale down to a manageable size, that exercise misses the point.
The real issue at hand is whether individual consumers will be affected by this breach or not. Those affected need to act. For the merchant banks and credit card companies, the situation is more significant. For them, size does matter.
2 - Stop crying "wolf"
Compromise of credit card data is not necessarily identity theft. It is irresponsible to equate breaches of credit card data with identity theft. The more breaches are reported as "crises" where the average person sees and feels little, if any, impact, the less likely they are to care about future breaches. The more we lament the situation, the more disconnected people grow. When we actually need them to act, we have lost our credibility.
The Heartland disclosure suggests no personal information that could lead to identity theft was compromised. Unless further analysis reveals additional details, there is little actual risk to the consumer. Since the breach was disclosed, I have yet to see an impact on my business or life. That makes it difficult, then, to convince others this is something that affects them, or to give them a clear call to action.
3 - Speculation leads to dangerous consequences
Breaches are symptoms. Without complete details -- the specific and accurate picture of what happened -- the rest of the debate really doesn't matter. Speculation as to the cause and what should happen next does little to advance the practice of security. This is the time for established processes to function. Take two modern examples: TJX and Card Systems.
In both cases, the companies failed to protect the credit card information with which they were entrusted. Card Systems lost its ability to process credit cards, leading to the sale and eventual demise of the company. At the other extreme is TJX, a company that paid hefty fines, settled several lawsuits, and continues to operate today. As the nature of this failure becomes known -- if only in limited circles -- decisions will be made, and Heartland will experience the consequences of its actions (or inactions, as the case may be).