This is just an estimated number, could be bigger! Hit the jump for the full story on the data breach.


It’s still a mystery how many MasterCard and Visa customers will be affected by the recent breach at a credit card payment processor. Regardless of the actual size of the breach, businesses are the ones who will be held liable.

If the original estimate from Brian Krebs, the security expert behind Krebs on Security, stands, a single retailer could potentially be on the hook for a whopping $1.6 million, according to a data breach assessment generated by CO3 Systems.

CO3 Systems helps businesses assess data breach incidents and develop incident response plans to navigate the maze of compliance and regulatory requirements through its data loss management platform. Sources told Krebs the breach was “massive” and may involve more than 10 million records.

Estimating Data Breach Liability

It sounds perfectly plausible that of the potential 10 million records stolen, one million came from one retailer. I can think of plenty of retailers (electronics giants, bookstores, apparel retailers, department stores) that easily have a million credit card transactions going through one payment processor. We ran the CO3 assessment for a hypothetical retailer that had one million records exposed as part of this breach.

Despite all the details we still don’t know about, it’s clear there is a lot of work ahead for organizations affected by this breach. Even though the breach happened at the payment processor level, the banks and the retailers are the ones who have to notify the affected victims, said Ted Julian, the CMO of CO3 Systems. Each state has its own set of disclosure requirements as well, which makes the process even more complicated.

The assessment identified the steps a business has to take after a breach, such as compiling a list of affected individuals, creating an FAQ with relevant information, and notifying relevant regulators and authorities. It also calculated potential liability for the business if those steps are not completed on time. The figure is based on the expenses incurred while notifying the victims and potential regulatory fines if the company misses a step.

With 46 different state laws on how to disclose a data breach, it’s not that far-fetched to think that an organization may make a mistake or not act fast enough, Julian said.

It’s also important to remember that the $1.6 million potential liability doesn’t take into account any fraudulent activity that may have occurred.

Smaller Breach, Not a Smaller Liability

The Wall Street Journal reported that the breach occurred at Global Payments, an Atlanta-based credit card payment processor, and that only 50,000 consumers are affected. Global Payments confirmed the breach late Mar. 30, but did not say how many records were exposed.

I re-ran the assessment assuming that our hypothetical retailer had 25,000 records at risk. The potential liability dips slightly, to $1.2 million. That’s still a significant chunk of change for a business to shoulder.

Size Does Not Matter

This won’t be the first such attack on a credit card payment processor. Attackers breached Heartland Payment Systems in 2009 and exposed more than 100 million credit and debit cards. The perpetrators, who have not yet been caught, reportedly spent weeks lurking in the company’s network and gathering information and intelligence before waltzing off with the card data.

Just because this incident is much smaller than the Heartland breach, we shouldn’t make the mistake of downplaying the severity of the situation, Anup Ghosh, founder and chief scientist of Invincea, told me. The damage to the consumer is just the same: fraudulent charges on the credit card and the risk of identity theft. Businesses will still have to notify affected customers. Small or large doesn’t matter when you consider that credit card fraud costs U.S. businesses (including merchants) $52.6 billion annually, according to Federal Reserve statistics.

“Affected banks are now starting to analyze transaction data on the compromised cards, in hopes of finding a common point of purchase,” Krebs wrote.
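The common point of purchase (CPP) analysis Krebs refers to is how issuers work backwards from a batch of cards with fraud reports to the merchant or processor they all passed through. The script below is an added illustration of that idea and is not part of the article or any bank's or card brand's tooling; the card IDs, merchant names and dates are constructed sample data, and the breach window, the control group of clean cards and the 80% threshold are assumptions chosen for the example. It scores each merchant by the share of compromised cards seen there inside the window, then by lift over the clean cards, so a merchant that every cardholder uses is not mistaken for the breach point.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data for illustration only; not real transactions.
# Each record: (card_id, merchant, transaction_date).
def _visits(cards, merchant, day):
    return [(card, merchant, day) for card in cards]

COMPROMISED = {"C1", "C2", "C3", "C4", "C5", "C6"}   # cards flagged with fraud reports
CLEAN = {"K1", "K2", "K3", "K4", "K5", "K6"}         # control cards with no fraud reports

TRANSACTIONS = (
    _visits(COMPROMISED | CLEAN, "BigBoxMart", date(2012, 2, 3))   # everyone shops here
    + _visits({"C1", "C2", "C3", "C4", "C5", "K1"}, "CornerDeli", date(2012, 2, 10))
    + _visits({"C2", "C3", "K2", "K3"}, "GasStop", date(2012, 2, 12))
    + _visits({"K2", "K3", "K4"}, "CornerDeli", date(2011, 12, 20))  # before the window
)

# Assumed exposure window (placeholder dates, not the real breach timeline).
WINDOW_START = date(2012, 1, 21)
WINDOW_END = date(2012, 2, 25)


def cards_per_merchant(transactions, start, end):
    """Map each merchant to the set of cards that transacted there inside [start, end]."""
    seen = defaultdict(set)
    for card, merchant, day in transactions:
        if start <= day <= end:
            seen[merchant].add(card)
    return seen


def common_point_of_purchase(transactions, compromised, clean, start, end, min_share=0.8):
    """Rank candidate breach points.

    Returns a list of (merchant, compromised_share, clean_share, lift), keeping only
    merchants seen by at least `min_share` of the compromised cards and sorting by
    lift (compromised share divided by clean share) so a merchant common to both
    groups ranks below one that is specific to the compromised cards.
    """
    seen = cards_per_merchant(transactions, start, end)
    results = []
    for merchant, cards in seen.items():
        comp_share = len(cards & compromised) / len(compromised)
        clean_share = len(cards & clean) / len(clean)
        if comp_share < min_share:
            continue
        lift = comp_share / clean_share if clean_share else float("inf")
        results.append((merchant, comp_share, clean_share, lift))
    results.sort(key=lambda r: (r[3], r[1]), reverse=True)
    return results


if __name__ == "__main__":
    for merchant, comp, clean, lift in common_point_of_purchase(
        TRANSACTIONS, COMPROMISED, CLEAN, WINDOW_START, WINDOW_END
    ):
        print(f"{merchant:12s} compromised={comp:.2f} clean={clean:.2f} lift={lift:.1f}")
```

With the constructed data, CornerDeli is seen by five of six compromised cards but only one of six clean cards (lift 5.0), while BigBoxMart is seen by every card in both groups (lift 1.0) and GasStop falls below the threshold; the CornerDeli visits from December are ignored because they fall outside the window. A real analysis runs over far more cards and has to cope with the fact that, in a processor breach like the one described here, the common point is the processor rather than any single storefront, which is why the control group and the window matter more than the raw count.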