Feeds

How much does a security breach actually cost?

And who pays for it?

  • alert
  • submit to reddit

Top 5 reasons to deploy VMware with Tegile

Comment How much does a security breach actually "cost," and who pays for it? When the breach involves personal information, like credit card data, the answer is, a lot more than you may think. The problem is that the people who "pay" for the cost of the breach are rarely the ones responsible for preventing the breach.

A recent lawsuit filed in state court in San Francisco may, to a small extent, change that. The lawsuit was filed as an aftermath of the data breach by credit card processor Cardsystems, Inc., which resulted in the potential compromise of more than 40 million credit card numbers, and seeks to impose liability on Cardsystems for the true costs of failing to protect data.

We all know the familiar pattern of data theft, investigation, and begrudgingly, notification. In many cases, there is a general notification to the public about a data breach, which may or may not be followed by a specific notification to individual consumers that their information in particular was subject to compromise. Just in the past several months we have seen data losses or thefts from an alarming number of institutions: DSW Shoe Warehouse, BJ's Wholesale Club, Loewe's Hardware, Bank of America, Citigroup, Lexis/Nexis, and Atlanta-based Choicepoint. But nobody really knows the true cost of these data breaches - or for that matter, who really pays these costs.

The problem is, those responsible for securing our personal data are rarely the ones who pay the cost of securing it, and in many cases are not the same people with whom we have entrusted out data in the first place.

On June 27, Eric Parke of Marin County, California and Carmichael California bedding retailer "Royal Sleep" sued Cardsystems Solutions, Inc., as well as Merrick Bank, VISA and MasterCard in California State Superior Court as part of a class action lawsuit. Cardsystems had only days before announced that they had been the victim of a security breach involving as many as 40 million individual credit card numbers, but had delayed notification at the request of the FBI.

The FBI of course, announced that they had made no such request to delay notification to customers. Meanwhile, to date there have been no reports of any of the individual consumers whose credit card numbers were processed by Cardsystems having received notification that their credit card numbers were compromised. In fact, there is a dispute over how the fraud scheme itself was discovered - with Cardsystems claiming that they detected the fraud, MasterCard claiming that they detected the pattern of fraudulent charges and tracing it back to Cardsystems, and Australian credit card processors claiming that they detected and reported the fraudulent activity.

Now Eric Parke and Royal Sleep - as well as the class of people the purport to represent - may have suffered no loss at all. In fact, Mr. Parke is nothing more than a person who owns and has used a credit card. To date, there are a relatively modest number of people whose credit card numbers have been used without their authorization as a result of the breach at Cardsystems. But if you watch TV or read the papers, they all have the same advice for people who believe that their credit card numbers may have been compromised. First, review your statements carefully. Then get a copy of your credit report from each of the credit reporting agencies.

Obtaining such credit reports may be free, but then again it may not. A new U.S. federal law entitles some residents to a single free credit report (it is being rolled out nationwide) but even that may not be sufficient - particularly if you obtained your free report before the suspected break in. You are also entitled to a free credit report if you have been denied credit as a result of an application for credit - but what you really want is to know if you have been granted credit. Beware also of the services offered by the credit reporting agencies promising you a free credit report - this may not be the free credit report that you are entitled to under the law. Frequently these free credit reports are only free if you sign up for some other service - like credit watch services - which you are obligated to pay for if you do not cancel within a specified time period. So checking your credit report is not as easy as it appears.

Finally, you can put yourself of a credit fraud watch list or alerting list - meaning that before any credit is extended to you, you will be contacted by an "out of band" communications medium - like a phone. While this will help in the area of identity fraud, most companies will only allow you on the credit fraud watch list if you have been the victim of identity fraud already - and only for a short period of time. Sort of closing the barn door after the horse has been stolen. Moreover, if you are on such a fraud watch list, you might not be able to get your 10% "instant" savings at SEARS for opening a credit card there.

Security for virtualized datacentres

Next page: Related stories

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Home Depot ignored staff warnings of security fail laundry list
'Just use cash', former security staffer warns friends
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.