How Long Did The ‘Biggest Data Theft In History’ Go Unreported?

I continue to be intrigued, but somewhat perplexed, by the CardSystems security breach that happened nearly two months ago now. Who knew it first, and who told who, and when? And why did it take so long to tell the rest of us?

A U.S. company claimed it was its software that first spotted the breach last year, in a press release issued July 13:

ACI Worldwide (Nasdaq: TSAI), a leading international provider of enterprise payment solutions, today announced that its ACI Proactive Risk Manager™ software helped National Australia Bank (NAB) detect the recently revealed security breach at CardSystems Solution before any other bank or financial institution.

But did it? The press release from ACI quotes Australian Treasurer Peter Costello as having “recently told Parliament that National Australia Bank was actually the first bank in the world to uncover the fraud”:

“It was the NAB that uncovered this fraud out of all the domestic and international banks of the world and reported it to MasterCard and Visa in September 2004,” said Costello.

Wow. That’s eight months before anyone else, since CardSystems didn’t announce the fraud until May 22 2005. So what did the Australian media say about this?

AAP reported June 22 (sorry no links for these, they’re from Factiva) quoted Costello as saying:

“It was the NAB that uncovered this fraud out of all the domestic and international banks of the world, and reported it to Mastercard and Visa in Sept 2004,” he said. Mr Costello said the US Federal Bureau of Investigations began investigations soon after the fraud came to the attention of Visa and Mastercard.

He said the FBI declared the issue a crime scene only on June 1 this year. “During this investigation organisations were told by the FBI not to say anything publicly, and the FBI only allowed public comment on Thursday or Friday last week,” he said.

A Reuters report, covering the same press conference (or whatever it was; neither wire is clear on where Costello was speaking) quoted Costello as saying December, not September. An updated report from Reuters the same day adds comments from MasterCard and Visa that shed further light on this:

MasterCard spokeswoman Sharon Gamsin said, “We said from the beginning that it was reports of fraud from issuers that enabled us to do the analysis that led to CardSystems and led to the scope of this incident. One report of fraud would not necessarily have gotten us to that point.”

Visa spokeswoman Rosetta Jones said that when her company detects fraud, “banks are notified and accounts are closed. In this case, the National Australia Bank may have detected fraud late last year, but there was no clear indication that this fraud was part of a larger data compromise at that time.”

Finance Minister Nick Minchin said in an address to Australia’s parliament that Australia & New Zealand Bank Ltd. , Commonwealth Bank Ltd. and NAB had each been monitoring the fraud since December and had canceled and reissued cards where transaction were suspect.

An AAP story two days later adds further detail:

As long ago as December last year, round-the-clock fraud squads at the four big banks had picked up on a pattern of unauthorised transactions on their customers’ credit cards, originating out of the United States.

Treasurer Peter Costello told parliament this week that National Australia Bank was actually the first bank in the world to uncover the fraud, which has been traced to a security breach at a US company that processes transactions.

The Australian banks contacted about 2,000 affected customers and issued them with replacement cards months before MasterCard’s announcement this week.

This raises a host of issues that I’ve not seen addressed elsewhere. If the Australian banks saw this fraud so early, why did it take so long? The Australian Financial Review (subscription required) today pointed out these inconsistencies and the fact that California credit card holders have filed suit in San Francisco against CardSystems, Merrick Bank, Visa and MasterCard, claiming “the companies should take responsibility for the security data breach”:

CardSystems has claimed it did not discover the security breach until May 22, 2005. But it is now known MasterCard and Visa were alerted to fraud resulting from the data breach as early as January. The complaint also alleges Visa and MasterCard failed to take “prompt remedial action” or take steps to notify affected consumers.

“Defendants, by failing to timely disclose the security compromise or data theft to affected consumers and merchants, are attempting to shift the burden of discovering resultant fraud away from themselves, even though they are responsible and are in a better position to discover and prevent fraud to consumers and merchants.”

Visa and MasterCard have defended their handling of the incident, saying they had to be sure CardSystems was the source of the data spill before going public.

So, as far as we can deduce from this, NAB, via its fancy software, spotted some kind of fraud taking place. That information was passed on to Visa and MasterCard sometime between September 2004 and January 2005. The FBI passed this information onto CardSystems at some point, although why everyone decided to sit on the information is unclear. Their initial statements, which I illustrated in the original post, will probably require some finessing at some point as the suit passes through the legal system.

Is A Joke Not A Joke If The Internet Has Already Heard It?

I’m staying at the Amara Hotel in Singapore which has lifts/elevators built by Swiss-based Schindler, and, of course every time I get in I chuckle to myself about the fact that I’m in Schindler’s Lift. But surely, I thought this morning, I’m not the only person to think of this, and to find it tirelessly amusing? So I checked.

Turns out a lot of people have thought the same thing. Google has 237 matches for ‘Schindler’s Lift”, including here, this one (which mentions that the company itself is aware of the pun, although it’s not clear whether they still find it amusing), this one (another one where a picture is available), this one, another one (Australian this time, clearly the joke has no physical border), another one, another one, one more, one more, another one (this time from a lawyer), another one (from a nerd newsgroup; clearly the joke is not confined to bookworms), another moblog one, another one, this one from a trip to Japan, this one, from a French hotel that apparently had gone to the trouble to institutionalise the joke with a plaque, another very recent moblog one, this one from Benidorm (where quite a few such jokes seem to have originated), this from Belgium, another one (not from Belgium), one from Safeways, this one, which narrates a tale that Kurt Cobain was supposed to have cracked the same joke at some point, this one (which illustrates the genre quite well: “We apparently needed an elevator to get into it. We got in, pressed 3, and the doors shut. The brand name read “Schindler”. “Schindler’s lift,” I suggested, and we collapsed laughing against the wall for a while, possibly delirious with hunger by now, before finally realising when the doors opened that the lift hadn’t even moved”), there’s even a website dedicated to expats in Prague called Schindler’s Lift, and on and on they go…. (trust me).

It’s like tracking a disease. I suppose I should be doing them chronologically. What I can say is that the joke is always the same. Sweet, really. All those folk chuckling, like me, at their own joke as they ride up and down, snapping away with their cameraphones as the lift operator rolls his eyes and thinks to himself, This would never happen if Spielberg had stuck with Schindler’s Ark, the title of Thomas Keneally’s book.

More importantly, this has worrying implications for the future of humour. If we realise that our bad jokes have been told at least 237 times before, almost word for word, across the world (excluding, possibly, those parts of the world that call lifts ‘elevators’ and where people might consider the joke in any case tasteless), does it make them any less funny? Should we stop cracking jokes until we’ve checked them first on the Net? And should all the folks who thought up the (now, after all this Googling, very tired) Schindler’s List joke acknowledge their brains work in slightly different (not better, just different) ways, and form a club or something?

Me? I promise not to crack another Schindler’s Lift joke ever again, and to be really careful before cracking other ‘jokes’ unless I can verify it hasn’t already become an Internet dud. And if there’s a club I want to be treasurer.