Breach Suit Targets Security Auditor
Security services companies suddenly have a new worry – litigation that seeks to hold them accountable for the accuracy of their audits

Security services companies suddenly have a new worry – litigation that seeks to hold them accountable for the accuracy of their audits. Merrick Bank, a Utah-based bank, is suing Savvis, the security auditor that certified CardSystems Solutions as having met the Cardholder Information Security Program (CISP) standards. CISP is the precursor to today’s Payment Card Industry Data Security Standard (PCI DSS). Three months after Savvis certified CardSystems, the latter was hacked by intruders who installed a malicious script on its network and stole card numbers. The data belonged to card transactions that CardSystems had retained on its system and stored in unencrypted form, both violations of CISP standards.


The hack, which affected 263,000 card numbers, including those of merchants serviced by Merrick Bank, was discovered only in May 2005 and was one of the first to be publicly disclosed under a 2003 California breach notification law. Shortly after the breach became public, VISA disclosed that CardSystems had not been compliant and had failed an audit in 2003. That earlier audit could become crucial evidence in the case against Savvis if the plaintiffs can show that Savvis knew about pre-existing problems with CardSystems’ security and either intentionally overlooked them or failed to ensure they had been fixed.


This is believed to be the first time a security auditing firm has been implicated in a data-breach suit. Legal experts say the case marks new territory in data breach litigation and in the potential liability of third parties that audit and certify the trustworthiness of other companies. The suit also raises questions about the due care exercised in certifying the certifiers.


Interestingly enough, DB Audit Expert could have helped mitigate this breach; see Strengthening PCI Compliance Posture with DB Audit Expert. Database auditing is a valuable tool in securing the information infrastructure used to process and store credit card information. SoftTree Technologies’ DB Audit Expert delivers essential visibility into all database activity, enabling database administrators to identify both weaknesses and successes in the systems, processes and procedures used to secure payment card industry data.



