The Fraud Blog with Tracy Kitten

Learning From a Breach Response

Penn Station's Approach Offers Lessons
The restaurant chain Penn Station's communication in the wake of a payments breach provides an example for others to follow.

The chain is providing frequent, easy-to-find updates on its homepage, within the site and in a regularly updated list of frequently asked questions.

Among the updates: On June 8, Penn Station reported that the tally of restaurants affected by its POS breach, which was announced June 1, had grown to 65 from 43.

By comparison, many other companies that have experienced breaches have provided few updates - often burying any new information deep within their websites where it's tough to find.

Global Payments, for example, has provided few details and updates about its breach, now believed to have exposed sensitive details about 7 million credit and debit cards. And finding breach information on the payment processor's site is a challenge.

Executive Leadership

In addition to providing easy-to-locate updates on its breach, Penn Station's president, Craig Dunaway, has served as lead spokesman on the security incident. When I called the company for information, Dunaway returned the call.

It's rare that I get return calls or even a response from organizations hit by breaches. When I do, I don't hear from presidents. I hear from a spokesperson or receive a cryptic e-mail response.

By responding to media inquiries on his own, rather than delegating to a spokesperson, Dunaway sends a strong message that he is taking the breach at his company seriously and is not hiding behind legal and PR departments for protection.

It's a strategy other corporate executives should follow.

Restaurant Breach Details

Dunaway told me Penn Station learned of the breach after a customer called to report that his card had been compromised shortly after dining at one of the chain's restaurants. Penn Station then contacted its processor, Heartland Payment Systems.

"We've been working with Heartland to address the issue," Dunaway said. "The key is to work with the Secret Service and get down to the bottom of what happened."

Dunaway says the investigation, so far, has not determined the source of the breach. And based on the company's transparency so far, I'm confident the cause, once it's found, will be revealed.

Penn Station suspects the compromise dates back to March. Debit and credit cards used during March and April may have been exposed. The chain has, however, now confirmed that no PINs were exposed in the attack, only names and card details.

"Penn Station restaurants only accept debit cards as a credit card, so no PIN information is collected by Penn Station, and, therefore, no PIN information was accessed," the company's June 5 update states.

Since learning of the breach, all individual owners of the affected franchised Penn Station locations have changed their methods for processing credit and debit transactions, the company says, although it has not revealed what those new methods are.

Breach Transparency Matters

I blogged a couple of weeks ago about the frequent lack of transparency when it comes to breaches.

Transparency and full disclosure, within the limits a live investigation imposes, are important when breaches occur. Of course, organizations have to be sure they understand the basic details of a breach before they go public. But timely, honest notification is essential.

Does your organization have a post-breach communication strategy ready?

All organizations can learn from Penn Station's response to its breach. Getting the president or CEO involved in the response strategy benefits everyone, and shows your organization is committed to keeping the public informed.



About the Author

Tracy Kitten

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.



