On June 18, MasterCard blamed CardSystems Solutions, Inc., a third-party processor of payment card data and a vendor to ALL of the credit card providers, as the source of the loss of 40 million consumers' credit card records.
As several newspaper and web articles over the last few weeks have pointed out, each recapping long lists of financial information data breaches, something's gotta give before we entirely lose trust in financial institutions, data brokers and credit bureaus. How much privacy loss can we take without acting?
These types of data loss were very likely common and have very probably been going on for a very long time. The difference is that now, THEY ARE REQUIRED BY LAW TO DISCLOSE THOSE LOSSES - not just in California, but in many states. National disclosure laws on data security breaches are being considered in Congress.
I suggest that these breaches of data security all came to light because California law requires disclosure from companies suffering losses through hacking, leaks, social engineering, crooked employees, or organized crime rings posing as "legitimate" customers. All of the above have been given as reasons for security lapses or poor security policies.
About three years ago, a friend told me his paycheck deposit to Bank of America went missing from his account records after he took his check to the bank on Friday. By Monday, Bank of America was in the news claiming a computer glitch had made the entire day's deposits disappear. I mumbled to myself, "I'll bet that was a hack and that hacker just made a huge offshore banking deposit with B of A depositors' money."
But we never found out why it happened in that particular case, because there was no disclosure law in place at the time. Now we have disclosure laws that mandate notice of security breaches. Now, suddenly, huge financial services hacks, devious criminal social engineering outfits posing as legitimate customers, and apparently "innocent" losses of backup tapes by transport companies begin to come to light.
This spate of data loss incidents is proof of the need for corporate "sunshine laws" that make public notice mandatory for data losses that threaten customer information.
Who is going to lose here - the public, corporations, criminals, or government? I'd prefer that the bad guys get the shaft and take down with them the crooked company insiders who either facilitate data loss by underfunding security and encryption or participate in data theft or loss in any form - even if that participation is security negligence.
Financial companies and data brokers have been covering up losses and keeping quiet about hacks so as not to worry or frighten their customers. But that practice has essentially ended now that they must notify the public and disclose those losses instead of hushing them up.
Keeping breaches hidden from public view is bad practice because it maintains the status quo. Disclosure will force internal corporate lockdowns on data and on all access to it. Disclosure will educate the public about the lack of security around, and the danger to, the sensitive information we all provide rather casually and routinely to businesses.