Feeds

How much does a security breach actually cost?

And who pays for it?

  • alert
  • submit to reddit

High performance access to file storage

Comment How much does a security breach actually "cost," and who pays for it? When the breach involves personal information, like credit card data, the answer is, a lot more than you may think. The problem is that the people who "pay" for the cost of the breach are rarely the ones responsible for preventing the breach.

A recent lawsuit filed in state court in San Francisco may, to a small extent, change that. The lawsuit was filed as an aftermath of the data breach by credit card processor Cardsystems, Inc., which resulted in the potential compromise of more than 40 million credit card numbers, and seeks to impose liability on Cardsystems for the true costs of failing to protect data.

We all know the familiar pattern of data theft, investigation, and begrudgingly, notification. In many cases, there is a general notification to the public about a data breach, which may or may not be followed by a specific notification to individual consumers that their information in particular was subject to compromise. Just in the past several months we have seen data losses or thefts from an alarming number of institutions: DSW Shoe Warehouse, BJ's Wholesale Club, Loewe's Hardware, Bank of America, Citigroup, Lexis/Nexis, and Atlanta-based Choicepoint. But nobody really knows the true cost of these data breaches - or for that matter, who really pays these costs.

The problem is, those responsible for securing our personal data are rarely the ones who pay the cost of securing it, and in many cases are not the same people with whom we have entrusted out data in the first place.

On June 27, Eric Parke of Marin County, California and Carmichael California bedding retailer "Royal Sleep" sued Cardsystems Solutions, Inc., as well as Merrick Bank, VISA and MasterCard in California State Superior Court as part of a class action lawsuit. Cardsystems had only days before announced that they had been the victim of a security breach involving as many as 40 million individual credit card numbers, but had delayed notification at the request of the FBI.

The FBI of course, announced that they had made no such request to delay notification to customers. Meanwhile, to date there have been no reports of any of the individual consumers whose credit card numbers were processed by Cardsystems having received notification that their credit card numbers were compromised. In fact, there is a dispute over how the fraud scheme itself was discovered - with Cardsystems claiming that they detected the fraud, MasterCard claiming that they detected the pattern of fraudulent charges and tracing it back to Cardsystems, and Australian credit card processors claiming that they detected and reported the fraudulent activity.

Now Eric Parke and Royal Sleep - as well as the class of people the purport to represent - may have suffered no loss at all. In fact, Mr. Parke is nothing more than a person who owns and has used a credit card. To date, there are a relatively modest number of people whose credit card numbers have been used without their authorization as a result of the breach at Cardsystems. But if you watch TV or read the papers, they all have the same advice for people who believe that their credit card numbers may have been compromised. First, review your statements carefully. Then get a copy of your credit report from each of the credit reporting agencies.

Obtaining such credit reports may be free, but then again it may not. A new U.S. federal law entitles some residents to a single free credit report (it is being rolled out nationwide) but even that may not be sufficient - particularly if you obtained your free report before the suspected break in. You are also entitled to a free credit report if you have been denied credit as a result of an application for credit - but what you really want is to know if you have been granted credit. Beware also of the services offered by the credit reporting agencies promising you a free credit report - this may not be the free credit report that you are entitled to under the law. Frequently these free credit reports are only free if you sign up for some other service - like credit watch services - which you are obligated to pay for if you do not cancel within a specified time period. So checking your credit report is not as easy as it appears.

Finally, you can put yourself of a credit fraud watch list or alerting list - meaning that before any credit is extended to you, you will be contacted by an "out of band" communications medium - like a phone. While this will help in the area of identity fraud, most companies will only allow you on the credit fraud watch list if you have been the victim of identity fraud already - and only for a short period of time. Sort of closing the barn door after the horse has been stolen. Moreover, if you are on such a fraud watch list, you might not be able to get your 10% "instant" savings at SEARS for opening a credit card there.

High performance access to file storage

Next page: Related stories

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.