The local news is abuzz with a story of Boston convention attendees being victims of a credit card data breach. The impact is small - only about 300 people have been affected - but there seems to be a lot of finger pointing and shuffling around while the conference organizers and convention center try to figure out which vendor is to blame.
Did the breach occur at the Boston Convention & Exposition Center? They say no, and report that some of their employees have been affected, too (somehow proof they aren't to blame?).
Was the weak link the Westin Boston Waterfront Hotel, attached to the Convention Center, where conference attendees stayed? The hotel also denies responsibility, saying they see no evidence of breach in their systems.
Could it be the restaurant chain located in the hotel? Many attendees reported ordering drinks at two of the restaurants owned by the same management company, the Briar Group -- who incidentally paid fines in 2011 for failing to protect customer information in another malware breach. However, the Briar Group also says they see no problems in their systems.
It has yet to be determined who will ultimately be held responsible, but one thing is certain - future conference attendees may think twice before attending events at the Boston Convention & Exposition Center until this mess is cleared up - making the Convention Center another victim in this breach.
This is a scenario that is sadly familiar to many organizations who outsource sensitive data to vendors and partners. While the Convention Center does not actually have vendor relationships with any of these companies, the outcome is similar to what other organizations face when their vendors are breached: a data breach in an external network has impacted their reputation (and possibly their bottom line) regardless of "who" is at fault. This highlights the importance of knowing the security risks in your third party networks to reduce your risk of suffering similar consequences!
The Boston Globe reports that the data breach described above is larger than first imagined, affecting more than just convention attendees.
Based on initial interviews with credit card companies, Blair said the tally of victims could be “hundreds” more than those who have already reported unauthorized or fraudulent charges on their credit cards after visiting Boston.
The investigation is still underway, with no clear "source" for the breach. Police and investigators believe it is not a skimming incident, but likely the hack of a business or businesses in Boston whose computer systems were compromised.
The city, meanwhile, is taking precautions to assure tourists that their information is safe during a busy travel season, hoping to avoid reputational damage as a consequence of the breach.