Merrick vs. Savvis
The buzz around the cyber security community this week is a court case in which a bank has filed suit against an audit firm for damages from a breach. I guess it was just a matter of time before banks began blaming someone else for their lack of security, but this is an interesting case that could have huge consequences.
The auditor in question, Savvis, was responsible for the audit of CardSystems. For those unaware, the CardSystems breach was one of the largest data breaches in history. Savvis had certified that CardSystems was compliant with CISP (Visa's Cardholder Information Security Program, the precursor to PCI DSS). When CardSystems was breached anyway, Merrick Bank lost millions in fraud claims and in the cost of reissuing cards.
Do we have companies out there handing out PCI compliance certifications without actually completing an audit? Can companies purchase compliance instead of changing their security practices? If so, the whole system breaks down: the card brands, the issuing banks and consumers all rely on these audits as assurance that cardholder data is being protected.
The other part of this is that, no matter how good the auditor, it is not uncommon for vulnerabilities to slip through the cracks. I can speak from experience: getting the entire picture during an audit is difficult, especially if the company is not cooperative. Companies can look compliant on paper and during an inspection, then revert to insecure practices once the auditor leaves. This case could set a dangerous precedent for auditors. I can see the price of audits going up exponentially to pay for the errors and omissions insurance!