We reported on the Heartland Payment Systems breach yesterday. Today we are following up with a list of articles covering the breach. Information is still coming out and will be for a long time. That has not stopped the media from labeling this the biggest data breach of all time.
We will refrain from commenting on the breach until more solid facts emerge. We will continue to relay facts to our readers as they come.
Just about every news site that tracks computing, networking or security is reporting on the Heartland Payment Systems breach. Check out this coverage from CNET. Details are still sketchy and still emerging, as is always the case in early-stage data breach reporting. These things take a long time and a lot of man-hours to analyze. We will likely be hearing about this one for months on end, especially if early reporting is correct in the scope and duration of the breach.
People are suggesting that this breach could beat the TJX breach in terms of the number of credit card accounts exposed to the intruders (“unknown hackers” at this point). The sheer volume of transactions handled by Heartland (100 million a month) makes this a potentially damaging breach to many consumers. However, the company itself does not even know as of yet how many unique cards it has processed transactions with over the year or more that the intruders were active on their network.
Robert Vamosi has a nice overview of two recent reports on his Defense in Depth blog, the first on data breaches and the second on identity theft. The interesting figures from both reports: 9/10 breaches could have been prevented by following best practices and 57% of identity thieves use the information to open new lines of credit (not too surprising).
A summary of the Verizon report on data breaches is available here while the entire report can be found here as a PDF. Likewise, a summary of the identity theft report can be found here and the full version here as a PDF.
Several recent blog posts and articles compile statistics on the cost of a breach and the probability of data loss. There is no shortage of these types of statistics, but they seem to be getting more granular and informative.
On the Data Auditing Blog there is a good two-part series authored by Prat Moghe, the founder of Tizor. In the first part of the series he compiles a report from an ITRC (Identity Theft Resource Center) press release on the number of losses. What’s impressive about Moghe’s work is that he not only cites the ITRC numbers but goes on to compare them against some of his own research and analysis based on information in the Attrition database. Here are two interesting snippets from the post:
- “They [ITRC] concluded that 2007 had 443 breaches with 127MM losses, vs. 315 breaches and 20MM losses in 2006. This means 40% growth in breaches between 2006 and 2007.”
- “It turns out that the average loss per moderate loss incident is roughly constant! Yes - across all three years - it is roughly 50,000 losses per incident. (Precisely, this loss was 55K (2005) vs. 50K (2006) vs. 45K (2007)).”
While it seems counter-intuitive, Moghe points out that there may even be a “loss constant” (i.e., what an enterprise can expect in terms of the number of losses per incident based on the average over the past three years).
SC Magazine reported today that the Davidson Companies, a Montana-based financial firm, disclosed that “one of its databases, containing the names and Social Security numbers of 226,000 current and past clients, was illegally accessed ‘by a third party through a sophisticated network intrusion.’” In response the firm “took its public website offline after learning of the intrusion, hired a security consulting firm to investigate the theft and notified the major credit-reporting bureaus after learning about the incident.”
We keep beating the drum at BreachBytes that enterprises need to have a response and recovery plan in place because breaches are inevitable.