Wednesday 21 January 2009

Billion Dollar Breach

The World’s First Billion Dollar Breach?

The Heartland breach could be ushering in the next wave of major criminal security breaches: attacks targeting credit card processors, which handle a far higher volume of stored card data than traditional retailers. Although the company has not said exactly how many records were compromised, and may not yet know, Heartland has acknowledged processing 100 million credit card transactions each month, and other sources suggest that as many cards may be at risk.

The cost of replacing a credit card is apparently around $15. So the breach at Heartland could cost credit card issuers $1.5 billion in replacement costs alone – before counting the impact of any fraudulent transactions. Even if a much smaller fraction of the processed records was affected, the cost will still run into hundreds of millions of dollars. To put that into context: this is TJX on steroids.

The question is: who will end up paying these clean-up costs? It seems unlikely that Heartland will carry them all, even though the breach occurred on their watch. Initially the credit card companies bear most of the cost, but they will undoubtedly seek to pass these fees on to insurers, merchants and consumers alike.

At least Heartland is shutting the stable door after the horse has bolted – a well-trodden security path. They claim to be implementing “a next-generation program designed to flag network anomalies in real-time”, which is to be welcomed. Such behaviour-based approaches are essential for spotting the kind of sophisticated exploits that so easily defeat discredited signature-based systems.