When Data Breaches Go Beyond Payments
If you’re reading this, your personal data has been exposed in a data breach. You’re another number, another statistic, another victim. If you’re reading this, you’re also probably aware that data breaches are a major problem for every company that accepts credit or debit card payments or otherwise transmits or stores personal data.
Data breaches are not a new problem, but they do seem to be getting worse. For more than a decade, cybercriminals have been zeroing in on vulnerable targets to extract sensitive information to be used for nefarious means. In 2005, DSW was breached in the first incident to compromise more than 1 million records. That same year, George Mason University became the first college breached, exposing the Social Security numbers of tens of thousands of students and staff.
Breaches have become an epidemic and hackers are becoming more and more shrewd in tactics and more brazen in who they target. Higher education institutions that house sensitive payment card data must be vigilant and evolutionary in how they protect this type of data; however, they must also understand that data breaches go beyond payments, too.
When Business Becomes Personal
When it comes to cybercriminals, it’s not personal, it’s strictly business. Except that stolen data is personal, and is sometimes used for much more than identity theft.
Earlier this month, Australian National University suffered a hack at the hands of China, according to intelligence officials. The breach compromised almost 20 years’ worth of personal data from students and staff, affecting thousands of people. Bank numbers, tax information, academic records and passport info were all included in the compromised records.
The scariest part is that identity theft or financial gain from stolen bank data doesn’t appear to be the primary purpose for the breach. Instead, intelligence officials posit that the data may be used to recruit students and alumni of the university as informants. The institution houses two departments that have close ties to government departments and agencies (School of Strategic and Defence Studies and the Crawford School of Public Policy), making it a particularly enticing target for bad actors looking to infiltrate the government.
(In)Actions Have Consequences
Most treasury departments at colleges and universities understand that there are significant (negative) impacts that result from data breaches. More often than not, the unauthorized use of payment information tops the list. However, treasury departments should also consider the other implications of data breaches that can have a long-lasting impact far beyond the incident itself.
When sensitive information—and the processes around how to handle, transmit, and store it—is not secure, universities put themselves at risk for:
Financial losses: In addition to what may be stolen in a breach, universities face substantial regulatory fines and settlement payments.
Legal action: Breaches that expose personal information can put universities at risk for class action lawsuits. Those found to be out of compliance can actually lose processing privileges altogether.
Reputational damage: This one is closely tied to financial losses, as a damaged reputation can lead to drops in enrollment and donor withdrawal. Those found to be responsible can have their individual reputations tarnished, and may be fired or forced to resign.
Operational chaos: Hacks and breaches throw a wrench into operational procedures, especially during post mortems to address and investigate how the breach occurred in the first place. Loss of key data can wreak havoc on operations, especially where data may need to be replicated.
To avoid these—and other—poor outcomes, universities must avoid inaction when it comes to securing and protecting data.
Getting Centered Around Cybersecurity
Arrow Payments understands cybersecurity and we can help you zero in on bad actors before they zero in on you. We work directly with campus treasury departments, IT, and PCI teams to keep data safe and bad guys at bay.
Our consultants can assess a university’s risk and work with all integral teams and vendors to create a PCI-compliant roadmap for securing sensitive data. We are point-to-point encryption (P2PE) experts, so we can also explore ways to reduce PCI scope.
At the end of the day, our primary goal is to help you create a seamless, secure payments system that allows you to keep students and staff happy...and their sensitive data safe. Contact us today to get started.