Companies, beware! Data breaches do cost a lot if you’re operating in the US. A recent study conducted by the Ponemon Institute shows that a data breach occuring in the US could cost twice as much as a similar incident from a different country with less stringent disclosure and notification laws. Yet the US is not alone in this, as all countries that have strict rules related to data security and what should be done in case of a breach makes the total cost go up.
After comparing data breach costs in five countries, the United States, the United Kingdom, Germany, France, and Australia, the study concluded that in the U.S., due to the fact that 46 states have introduced laws that require organizations to publicly disclose the details of breach incidents, the cost per lost record was 43% higher than the global average. The second most expensive country is Germany with a cost per lost record 25% higher than the worldwide average. Australia, France, and the U.K. have no data breach notification laws thus the costs were all below the average.
“A big reason for [the high cost of churn in the U.S.] is that U.S. companies are required to notify customers of their breaches, even if they only suspect that the customers’ records might be affected,” Ponemon says. “That sort of notification doesn’t happen anywhere else in the world.” Notification accounts for $500,000 of the $6.75 million that the average U.S. company spends on a breach, according to the study; the average French company spends only $120,000 on notification.
The Ponemon study breaks breach costs into five components: detection, escalation, notification, post-breach response, and customer churn (losing customers after the breach and replacing them with new ones). Of the five components, customer churn is the highest cost, accounting for 44% of breach costs worldwide.
In a new incident proving – as if more evidence was needed – that one of the biggest data security threats comes from the inside, an administrative tech of the Texas Child Protective Services in Houston decided to steal data on potential foster care and adoptive parents and use it to apply for credit cards. Together with an outside accomplice, they had used the stolen information to apply for said credit cards at various stores.
Luckily enough, the credit card issuers noticed some discrepancy in the way formed were filled out and the two were discovered and arrested after stealing data on only 70 individuals. The two accomplices charged with fraudulent possession of identifying information could face up to 10 years in prison and a 10,000 US dollar fine. Not quite worth it for some extra stolen cash that probably never came through.
As of now it is unclear if any of their identity theft attempts was successful. We do hope they have failed miserably.
While we worry about security flaws and poor company policies that could lead to our data being exposed to all that’s worst in the IT world, theft and fraud, we might be overlooking one important aspect that could very well harm us: the companies that just couldn’t care less about what happens to our data!
Think of this scenario: company XYZ decides business used to be way better years ago and it’s time to cut their losses and close their doors. Over the years, they have collected interesting private details from their customers which need to be disposed of somehow. No, they won’t just delete it from their computers, cause it’s kind of printed on paper. So why go to the trouble of shoving the paper trails down a shredder when they could just dump it at the nearby garbage bin?
This was the case of a Hollywood Video store in the Baring Village Shopping Center. Like many others in their chain, they had to be closed. So they took hundreds of filled out membership forms and threw them in the garbage bin in the back. Unknowing customers were thus exposed to ID theft and fraud. Most forms cotained names, addresses, birthdates, ID numbers and signatures, but some of them also contained credit card details.
Luckily enough, some of the forms were found and returned to those who submitted them, while the rest will soon be destroyed by the local police. The question is who to blame in such a case? Former employees or the company? I’d say both and home some action is taken against them.
One year after the Conficker botnet was front-page news around the world it is still controlling approximately 6 million PCs around the world. IT Security Experts describe it like a loaded gun that can go off anytime if it is not stopped.
The Conficker worm has distributed itself throughout and across networks on portable storage devices and continues to do so on unprotected PCs.
Now the U.S. Department of Homeland Security is preparing a report looking at the worldwide effort to keep it in check.
“We said, ‘This was a very good example of the private sector, globally, working together to try to solve a cybersecurity attack, so let’s fund the creation of a lessons-learned report to just document what worked, what didn’t work,'” said Douglas Maughan, a program manager with the Department of Homeland Security’s Science & Technology Directorate.
The report could provide a template for future cyber-responses, security experts say.
Conficker began spreading in November 2008, infecting computers via a variety of means, including an attack exploiting a known flaw in Microsoft Windows.
Though it is still thought to control between 4 million and 7 million computers, Conficker was only briefly put to use, in April 2009. It’s as if the massive amount of scrutiny it generated eventually frightened away its creators — a good thing, since it controls enough computers to create a withering distributed denial-of-service attack.
Full Story on Computerworld