by Jimmy Marks
...I've had small breaks (80 member accounts affected) and fairly big breaks (400 member accounts affected). There's the estimated ~$15 you spend reissuing cards and closing accounts. And then there's the ~$10 you spend on credit monitoring on the accounts. That's ~$25 per account, so at worst it's about $10,000 that I've had to account for after a breach. And that's why, recently, there's a thought that's been troubling me.
The thought that the breach of Heartland Payment Systems has the potential to affect up to 100 million accounts. Click here for the CU Journal article.
100 million! One. Hundred. Million. I'm hoping the math makes sense for you here, because 100 million times $25 equals $2.5 BILLION. In losses and monitoring and trouble and waste.
Technology-wise, not much info out there about what was involved except some sort of malware on computers. Not much excuse for that these days. A payment processor should be especially vigilant about what ends up on their internal systems.
That being said, spyware is keeping one step ahead of the anti-malware industry and is getting trickier. There’s profit in spyware and hence motivation and funding to make it really good at what it does. The same motivation didn’t really exist for plain ol’ viruses, which were generally meant to just wreak havoc.
There’s no one magic bullet for data security. It’s a layered approach that must protect data while not getting in the way of employees doing their jobs. It’s a tough balance to strike. I’m sure there’s an IT staff at Heartland who thought they were doing all the right things. Clearly, they missed something. It’s an opportunity and a reminder to the rest of us to review our systems and look for the holes. What was sufficient a year ago is probably horribly antiquated now.
Rob recommended a book:
I.T. Wars: Managing the Business-Technology Weave in the New Millennium by David Scott.
Certainly a good read if you're tangled up in security issues. Or if you're not as tangled up as you should be.