It's ten days since Betfair's Director of Security, Sean Catlett, fell on his sword after the frankly unbelievable data breach at Betfair. In those ten days everyone has talked about the fact that it was hushed up because of Betfair's impending float on the London Stock Exchange in October 2010. But that's hardly surprising, is it? The key point is that it happened. Not going public is a matter for Betfair and its shareholders, who bought their shares in good faith, blissfully unaware of the theft of millions of credit card details. The point is, this is an online gambling business – securing their customers' card details is critical. How did it happen?
We are now ten days on and I am quite surprised that there has been no hysterical mainstream media coverage. In fact, only the Telegraph seems to have paid it much attention. I realise there has been stiff competition for news coverage of data breaches: the NHS seems to have managed the most column inches, a dubious distinction, and Sony are challenging with their lockdown yesterday – all of these have been widely reported. I wonder if editors are becoming tired of reporting such breaches, as they appear to be happening with monotonous regularity.
Another source of confusion for us here at Advent IM, as security consultants, was that Betfair held ISO27001 certification and, we presume (a dangerous thing to do), were/are fully PCI compliant. One wonders, then, what kind of ongoing compliance checking was happening. Gaining accreditation is important, of course it is, but it's only the first step on the route to risk-managed data security. Threats change all the time, and complacency can lead to situations like 3.15 million credit card details being stolen.
Continual checking, refinement and improvement are the way of good quality security policy, whether that is ISO27001 or PCI compliance. Complacency invalidates the work required to gain accreditation and secures very little.