Euronet reports breach at European business

Payment processor Euronet Worldwide Inc said a “small portion” of its European business was the target of a criminal security breach late last year, sending its shares down as much 6 percent… – http://www.reuters.com/article/2012/01/23/us-euronetworldwide-idUSTRE80M2ET20120123

What's worrying here that when you're dealing with a payment processor, even a “small portion” can add up to a huge number of potentially compromised credit cards.  Being one of the biggest processors worldwide (market value close to $1bn), then I get the feeling someone somewhere is trying to play things down.

According to Euronet's CEO, Michael Brown, they were informed about the breach by the card schemes.  So they didn't even have the processes in place to detect the breach themselves.  Which gets interesting.  Brown then goes on to say “When we heard the first little inklings of this, we jumped in, figured it out, got third parties involved who are real experts at this, and closed the breach… between our discovery and our shutdown, it wasn't a long period of time.”.  So is this saying that Euronet aren't experts at detecting and dealing with security breaches?  I wonder…

There's mention that “Expenses from the breach were less than 1 cent per share in the fourth quarter of 2011.”.  According to nasdaq.com, Euronet currently have 50,000,000 shares outstanding.  At one cent a share, that's $500,000.  Which is quite a high expense in my opinion, to deal with a “small portion” of its European business.  That buys you a team of top notch forensic investigators for a year and access to some of the best security solutions around.

They had been audited in the past by one of the best known QSAs, whom no doubt did a thorough job, but it just goes to show that an audit can only help you so much.  It can never be absolute and always depends on just how much money an entity is prepared to spend on an assessment.  Period.

What happens next, I'm not sure.  Maybe when dealing with a $1bn company data breaches are just small fry and they can just gobble up the costs, but playing it down to be an insignificant event is wrong.  They should know better, as companies like this form the backbone of finance for private companies and SMEs and a lax attitude is exactly what encourages other companies that follow in Euronet's footsteps to drop their guard.

Be vigilant.  If you're a payment processor, be worried – there are criminals that are specifically targeting this area, whom have the resource and know-how to hack into a $1bn company that's already paid through their teeth for security controls and an extensive PCI DSS audit.