Incident Response to Data Breaches and Schrodinger’s Cat
Are sloppy security controls actually beneficial to a company during a breach? This is an elephant in the room for Incident Response after a potential breach. If there is no way to definitively show that data was or was not breached, does the company have to report the issue? If you’re an Incident Responder you’ve likely seen the scenario play out a number of times.
A retail merchant, Genesco is suing Visa over fines from a security breach. The claim is that Visa improperly imposes penalties that are legally unenforceable and in violation of contracts. Genesco had a security breach, but claims that there’s no positive evidence that any credit card data was breached. Here’s Genesco’s logic, from what I can tell:
- Whenever our server rebooted previously logged card numbers were removed.
- Our server reboots. A lot. So often that no credit card numbers were ever in the log files.
- We don’t have Network Security Monitoring that could say whether the credit card numbers were exfiltrated.
- We can prove that some of the card numbers Visa said were breached couldn’t have been. No details provided.
This is the Schrodinger’s Cat of information security. In the lack of good evidence either way, a breach both has and has not occurred. In the vacuum of that ambiguous information, whether or not the data has been breached is as much a question of philosophy as physics…or Incident Response. So poor security monitoring actually help companies by giving them options on whether to declare a breach or not. This is an interesting cocktail party discussion topic for your next Infosec meeting and can make for some great conversations.
But the lawsuit probably won’t be decided on the technical security details of the case. The lawsuit seems to be more about how and when Visa can assess fines and penalties. There may be some technical talk during the proceedings, but it’s doubtful that a court would open its judgement up to questioning by letting the decision rest on what is sure to be conflicting testimony by each side’s experts.
Still, this will be interesting to watch as it has a lot to do with implementation of Payment Card Industry security standards. Genesco seems to be saying that they were compliant with the PCI-DSS at the time of the breach. That’s a frequent claim after breaches, but that status is often revoked after the fact by the card brands. And that’s bound to bring out heated discussions around the Infosec community and potentially in the courtroom.