
Secure Clouds : Blog Feed Post

Breach Is The Word, Is The Word, Is The Word That You Heard


…to the tune of $6.6 Mil per-r-r Breach.  Yup, according to the Ponemon Institute the average cost of a data breach is $6.6 million, and they also report that it costs about $215 per compromised record.  McAfee estimates $1 trillion in losses yearly due to data theft, that's 10 to the 12th dollars.  Imagine if IT budgets could get that back.

The past two years saw a significant increase in large scale attacks, with the January 2007 TJX breach starting the massive flurry.  As of October 2007, TJX said that more than 94 million accounts were affected, at a cost of over $256 million.  At the time it was the largest data loss incident to date.  The crooks kept it up, however.  Hannaford (the grocery chain) was hit in December 2007 but didn't discover it until February 2008, and announced in March 2008 that 4.2 million cards had been exposed, leading to over 1800 cases of fraud.  In both cases thieves were able to capture the card data, in clear text, as it traveled over the network (at TJX via weakly protected store wireless, at Hannaford via malware on store servers grabbing card numbers as they went out for authorization).  In December 2008, at the height of the economic crisis, both CheckFree (online bill pay) and RBS WorldPay (payment processor) announced they had been infiltrated.  CheckFree with a DNS switcheroo (its domain was redirected so customers landed on a malware-serving site) and RBS WorldPay with a straight up 'they broke in.'  RBS had 1 million accounts compromised and CheckFree, 5,000,000.  Payment card data was the top target in 2008.


Then at the start of 2009, instead of hitting individual retail chains, hackers went after the big score, and boy was it.  Heartland Payment Systems, which processes about 100 million credit card transactions a month, was compromised, and it unseated TJX as the largest breach ever in the US.  This too was a case of malware planted on the network, with thieves able to capture clear text data in transit.  Initially over 220 issuing banks were reported affected by the breach, and that grew to 656 by June 2009.  The total number of accounts compromised is still unclear.  The common theme in many of these breaches is that the hit companies had been assessed as PCI compliant.  Currently PCI DSS only requires strong encryption for cardholder data crossing open, public networks; it does not require encryption of sensitive data in transit on internal networks, which is exactly where most of these captures occurred, so a compliant network can still carry card numbers in the clear between the POS, the store server and the processor.  Ignoring the lawsuits, fines and bad press, the bright spot in all this is that Heartland has instituted end-to-end encryption of all data (although some question the overall effectiveness) and has developed new equipment in the wake of the fiasco.  This one is still playing out.
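The practical check a practitioner wants at this point, as an added example that is not part of the original post and is not F5's or Heartland's code: a small Python scanner that looks for Luhn-valid card numbers sitting in clear text in captured payloads. That is what the attackers' sniffers and memory-scrapers were doing, and it is what a compliant-on-paper shop can run against its own internal traffic captures to find where PANs still travel unencrypted. The payloads below are constructed for the example (not real captures) and use the standard test card numbers 4111111111111111 and 5500000000000004, which pass Luhn but belong to no cardholder; the function names are assumptions of this example.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# and not embedded in a longer digit run (those are IDs or timestamps, not cards).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod-10) check, the checksum every payment card number carries."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """PCI-style masking for reporting: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_pans(payload: bytes) -> list[str]:
    """Return the Luhn-valid card numbers found in clear text in one payload."""
    text = payload.decode("latin-1")   # byte-preserving, never raises on binary data
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):            # drops most random digit runs
            found.append(digits)
    return found


# Constructed sample payloads (not real captures); function-name and format
# choices are this example's own assumptions.
SAMPLE_PAYLOADS = {
    # POS terminal to store server: form-encoded, card number in the clear
    "pos_http_post": b"POST /auth HTTP/1.1\r\n\r\npan=4111111111111111&exp=1225&amt=4995",
    # store server to processor: track-2 style record, also in the clear
    "track2_record": b"\x02;5500000000000004=2512101?\x03",
    # same transaction after tokenisation at the terminal: nothing to harvest
    "tokenised": b"POST /auth HTTP/1.1\r\n\r\ntoken=tok_7f3a9c2e1b&exp=1225&amt=4995",
    # a 16-digit order number that fails Luhn: not reported
    "order_id_only": b"order=1234567890123456&status=ok",
}


def scan_samples(payloads=SAMPLE_PAYLOADS) -> dict[str, list[str]]:
    """Scan each payload and report masked PANs per sample name."""
    return {name: [mask(p) for p in find_cleartext_pans(data)]
            for name, data in payloads.items()}


if __name__ == "__main__":
    for name, pans in scan_samples().items():
        print(f"{name:15s} {pans or 'no clear-text PAN'}")
```

Feed it anything you can get as bytes: reassembled TCP payloads from a pcap, application logs, a process memory dump. A hit on an internal segment means card data is crossing that segment in the clear, whether or not Requirement 4 obliges you to encrypt it there; the tokenised sample shows what the same traffic looks like once the PAN is replaced at the terminal, which is the end-to-end approach the post credits Heartland with adopting.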

One stat I remember but can't remember the source of (sorry for the forgotten reference) is that 60 percent of companies had experienced a data breach in the last year.  However, only a minority of six percent could say with certainty that they had not experienced any such breaches in the past two years.  Yikes.




The 'lost' paragraph - added Aug 2:
I meant to include this thought in the original post but forgot.  The other silver lining in all this is that the companies that have been breached (the ones above just got the most press) are probably more secure than they ever were.  The breaches have made them more aware of their vulnerabilities, and they have taken additional measures to ensure it doesn't happen again.  While brands can suffer after public disclosures, one could argue that the experience and knowledge gained post-breach actually puts them in a better, more secure position moving forward.  ps

More Stories By Peter Silva

Peter is an F5 evangelist for security, IoT, mobile and core. His background in theatre brings the slightly theatrical and the fairly technical together to cover training, writing, speaking and overall product evangelism for F5. He's also produced over 350 videos and recorded over 50 audio whitepapers. After working in professional theatre for 10 years, Peter decided to change careers. Starting out with a small VAR selling Netopia routers and the Instant Internet box, he soon became one of the first six Internet Specialists for AT&T, managing customers on the original AT&T WorldNet network.

With his telco background, he moved to Verio to focus on access and IP security along with web hosting. After losing a deal to Exodus Communications (now Savvis) for technical reasons, the customer still wanted Peter as their local SE contact, so Exodus made him an offer he couldn't refuse. As only the third person hired in the Midwest, he helped Exodus grow from an executive suite to two enormous datacenters in the Chicagoland area, working with such customers as Ticketmaster, Rolling Stone, uBid, Orbitz, Best Buy and others.

Writer, speaker and Video Host, he's also been in such plays as The Glass Menagerie, All’s Well That Ends Well, Cinderella and others.