CHAPTER 16 A Scenario in Cyber Risk

16.1 DEFINITION

16.1.1 The First Cyber Attacks: Card Data Breaches

When we started working on operational risk, 10–15 years ago, some of our clients considered IT risk and logistics as a common risk domain. This seemed justified at that time, since these are support functions that are not directly linked to the banking business. Compared to other support functions, such as human resources or accounting, IT and logistics are much more technical and require extensive expert knowledge. The nature of the knowledge involved makes communication between risk analysts, business experts, and technical experts sometimes difficult.

By considering buildings, power supply, telecommunications, and information technology within a broad logistics function, the types of risks considered were implicitly limited to external supply failures or internal errors or failures.

If this seems like a distant past to you, it is worth remembering that in 2001, less than 20% of American households had an online bank account, and only 50% banked online in 2009. An interesting infographic on this topic is available on the Wells Fargo website1.

The only domain for which the explicit notion of attack was identified was card payment. France, a country considered to be the inventor of the smart card2, has always been a pioneer in the field of credit card payment. The creation by French banks of an economic interest grouping, “GIE Cartes Bancaires”3, to share the technical infrastructure ...

Get Operational Risk Modeling in Financial Services now with the O’Reilly learning platform.