Friday, June 19, 2009

Comprehensive Study of Financial Data Security Breaches in US 2008


A whitepaper entitled "A Comprehensive Study of Financial Data Security Breaches in the United States - 2008", published by Perimeter Security's Chief Architect, Kevin Prince, reveals some interesting information. Here are some of the finer points:

Abstract
New laws and regulations regarding data security breaches and disclosure laws affect the way in which financial institutions do business. This study provides a review of the scope and impact of data security breaches in the financial industry in an effort to encourage proactive modification to risk mitigation technologies, policies, and procedures that reduce exposure to a data breach incident.

The data breaches mentioned in this report exposed personal information that is useful to identity thieves for unlawful purposes. This information could include Social Security numbers, account numbers, and driver’s license numbers. Some breaches that did not expose sensitive information have been included to underscore the variety and frequency of data breaches. The breaches include only those reported in the United States.

What is a Data Security Breach?


Nearly all organizations maintain records of their customers and employees. A data breach occurs when that information falls into the wrong hands, is extracted, viewed, exposed to, or captured by an unauthorized individual. The following are some examples of data breaches that have happened in just the past few years:


According to laws in over 45 states, when a data security breach occurs, notification must be made to the affected individuals. Depending upon the size and scope of the breach, notification can be handled in a variety of ways, including by mail, telephone, e-mail, or through the news media. 


According to a survey taken at a recent RSA conference, only 11% of companies disclosed security breaches that occurred in 2008. Therefore, the number of breaches we know about and can analyze in this study is a small percentage of all data breaches.

Cost of a Security Breach


The costs of recovering from a security breach vary depending on the type of company or industry, the circumstances surrounding the security breach, type of data compromised, liability, and so forth. Many organizations are required by federal law to perform risk assessments to determine their exposure to a variety of threats and risks. To perform a comprehensive risk analysis, an organization needs to know what it would cost to recover from a given compromise.

According to a recently updated Ponemon data breach report, the average cost of a data security breach is $6.6 million and more than $200 per compromised record. The report, sponsored by PGP Corp., examined the costs incurred by 43 organizations that experienced a data breach. Breaches ranged as high as 113,000 records, and the average total cost per company ranged from more than $613,000 per breach to nearly $32 million.

Editor's Note: Wow...$200 per compromised record? That means if the Heartland Payment Systems hack gained access to (according to many reports) 100 million records, the final tab would be in the $2 billion range. How could they possibly survive?
Speaking of Heartland, the report mentions them prominently:

Heartland Payment Systems Case Summary

Until recently, TJX Companies held the top spot for the total number of records compromised in a data security breach, at 45.6 million records. Heartland Payment Systems of Princeton, New Jersey, announced that it experienced a data security breach that is believed to be the largest in U.S. history. The number of records compromised starts at the 100 million mark but could reach much higher.

Lawsuits have already been filed against Heartland (click here for the Banks vs. Heartland Class Action Lawsuit). The lawsuits seek damages and relief for the "inexplicable delay, questionable timing, and inaccuracies concerning the disclosures" with regard to the data breach.

The attack was much more sophisticated than the TJX breach and is similar to the Hannaford incident (the New England based grocery store chain that suffered a 4.2-million-record security breach), in which malware was loaded on servers through which payment transactions were routed. Hannaford was notified by the FBI that 1,800 fraud cases were linked to cards used by Hannaford customers, which led investigators to find the malicious software. Heartland was notified by Visa and MasterCard of suspicious activity surrounding processed card transactions.

The company found evidence of malicious software that compromised card data crossing Heartland's network. Initial investigation suggests this may be the result of a global cyberfraud operation. The figure of 100 million records is an assumption based on the number of transactions Heartland processes each month, all of which the malware had access to. It is currently unknown how many months of information were captured, and it is also unknown at this time which types of data were captured.