February 24th, 2006
FTC slaps CardSystems
Add another one to the list that the FTC has slapped with onerous requirements for undergoing security audits for the next 20 years. Previously, both BJ Wholesale and ChoicePoint suffered the ire of the FTC for inadequate security over customer data. Now it is CardSystems.
It seems a little late for action because CardSystems went out of business after their devastating breach. Their assets have been purchased by Pay-by-Touch a transaction processor in California. The first case of a company closing its doors thanks to poor security (that I know of). Note this from the article:
According to evidence gathered in a California case, the hacker was able to grab enough account information to defraud at least 264,000 customers.
I am not sure if that means 264,000 credit cards were lost or actually used to steal money.
While I applaud the FTC for actions that are going to raise the awareness of security risks among retailers and bankers I am becoming concerned that if they continue to prosecute these cases they will have to develop a huge security auditing practice. Does that fit their mission?
Richard Stiennon is an industry consultant. See his full profile and disclosure of his industry affiliations.
