Tag Archives: data breaches

How much did the Target, Home Depot breaches really cost?

2014 was the year of breaches for Target and Home Depot.

Target’s 2014 breach costs were, of course, the tail of the attack that hit during the company’s 2013 fourth quarter, and the year only got worse when Home Depot was hit in September. With their Q4 earnings reports this week, both retailers have now given a full picture of what the breaches cost them.

Home Depot reported on Tuesday (Feb. 24) that the data breach cost the company roughly $33 million net. CFO Carol Tomé briefly broke that figure down on the call with analysts.

“In the fourth quarter, our gross data breach expenses were approximately $20 million. After estimating our insurance recovery, we recorded approximately $5 million of net data breach related expenses in the quarter. For the year, our gross data breach expenses were approximately $63 million, and after expected insurance recovery our net data breach expenses were approximately $33 million,” she said, later noting that the 2015 guidance for the company did not include any “expenses that we may incur in the future for data breach-related claims.”

As for Target, the company reported yesterday (Feb. 25) that total expenses from its massive data breach amounted to $162 million across 2013 and 2014. In the fourth quarter of 2014 it incurred $4 million of breach-related expenses; full-year 2014 net breach expenses were $145 million ($191 million gross, offset by a $46 million insurance receivable). In the fourth quarter of 2013, net breach expenses were $17 million ($61 million gross, offset by a $44 million insurance receivable).

“A year ago, we were in recovery mode, working to repair guest relationships following the data breach while we undertook an assessment of the long-term prospects for our Canadian business,” Target CEO Brian Cornell said in the call with analysts. “Fast forward to today, and we’ve ended the year with the data breach fully behind us, and we’ve made the tough decision to execute the Canadian business.”

6 Lessons Learned From This Year’s Data Breaches

According to the Open Security Foundation, three of the 10 worst security breaches on record happened this year: 173 million records from the NYC Taxi & Limousine Commission, 145 million records at eBay, and 104 million records from the Korea Credit Bureau. And that’s not counting the 1.2 billion user names and passwords reportedly stolen by Russian hackers, or the 220 million records recently discovered to have been stolen from gaming sites in South Korea.

2014 is well on its way to replacing 2013 as the worst year on record for exposed records, according to the Open Security Foundation and Richmond, Va.-based Risk Based Security Inc. If we learn from our mistakes, this year should be a banner year in security education.

Here are some lessons:

1. It’s time to take staffing seriously

The biggest security hole in information security might not be technical at all.

“Roughly 40 percent of security roles are vacant in 2014,” said Jacob West, CTO of Hewlett Packard’s Enterprise Security Products. “And when you look at senior security roles, that vacancy rate is nearly 49 percent. No matter what technology we use, no matter how we try to secure our systems, if we’re going into this war with almost half of our army unstaffed, we’re going to see our adversaries be successful.”

West was referring to a study published this spring by the Ponemon Institute and sponsored by HP, which also showed that 70 percent of respondents said that their security organizations were understaffed. The chief reason? According to 43 percent of respondents, the organizations weren’t offering competitive salaries.

Companies might want to reconsider their security staffing budgets in the wake of another Ponemon study, sponsored by IBM and published in May, which showed that the average total cost of a data breach increased 15 percent to $3.5 million, and the average cost paid for each lost or stolen record containing sensitive and confidential information increased more than 9 percent from $136 in 2013 to $145 in this year’s study.

2. Know your code

Over the past 10 years, many organizations have adopted software security best practices, building in security at a fundamental level.

However, that only applies to code they write themselves.

“One of the big points that was really brought to light this year — and vulnerabilities like Shellshock and Heartbleed really made this point — is that enterprises don’t write the majority of software themselves,” said HP’s West. “Software is in fact composed rather than written. We take commercial components and open source components and build a little bit of proprietary on top of that.”

As a result, some organizations spent weeks, even months, trying to inventory their systems and work out which of them were running a vulnerable OpenSSL build (Heartbleed) or a vulnerable bash (Shellshock).

Organizations need to start with a thorough understanding of what applications they’re using, where and how they’re using them, and their relative importance. Automated scanning systems might help with some of this, but at the end of the day, “the rubber has to hit the road,” West said. “It takes human effort.”
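The inventory work West describes, shown as an added example that is not code from the original article or from HP: a short Python checker that takes a list of hosts and the third-party components they run and flags the ones whose version falls inside a known-vulnerable range. The inventory lines are constructed for the example; the only range encoded is Heartbleed (CVE-2014-0160), which affects OpenSSL 1.0.1 through 1.0.1f and was fixed in 1.0.1g. The verdict names, the ranking of OpenSSL’s letter suffix and the handling of distro package suffixes are this example’s own design choices.

```python
"""Component inventory check: flag hosts whose third-party component version falls
inside a known-vulnerable range. Added example; the inventory is constructed."""
import re

# (component, first affected version, last affected version, advisory)
VULNERABLE_RANGES = [
    ("openssl", "1.0.1", "1.0.1f", "CVE-2014-0160 (Heartbleed)"),
]

# Constructed sample inventory: host, component, version as reported by the package manager.
INVENTORY = """\
web-01  openssl  1.0.1e            # upstream build, inside the Heartbleed range
web-02  openssl  1.0.1g            # first fixed release
db-01   openssl  1.0.0l            # older branch, never had the heartbeat extension bug
vpn-01  openssl  1.0.1e-2+deb7u7   # distro package: may carry a backported fix
app-01  bash     4.3               # no range encoded for this component
"""

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?([a-z]?)(.*)$")


def parse_version(text):
    """Split '1.0.1f-2+deb7u7' into ((1, 0, 1, 6), '-2+deb7u7').

    OpenSSL's letter suffix sorts after the bare release (1.0.1 < 1.0.1a < 1.0.1f < 1.0.1g),
    so it becomes a fourth numeric field. Anything left over is a vendor/distro suffix
    that an upstream version range cannot judge."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    major, minor, patch, letter, rest = m.groups()
    letter_rank = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(patch or 0), letter_rank), rest


def assess(component, version):
    """Return (verdict, advisory) for one component/version pair."""
    parsed, remainder = parse_version(version)
    rules = [r for r in VULNERABLE_RANGES if r[0] == component.lower()]
    if not rules:
        return "no-rule", None          # silence means "not checked", not "safe"
    for _, low, high, advisory in rules:
        if parse_version(low)[0] <= parsed <= parse_version(high)[0]:
            # Distributions backport fixes without changing the upstream number,
            # so an in-range version carrying a package suffix needs a human look.
            return ("check-manually" if remainder else "vulnerable"), advisory
    return "not-affected", None


def scan_inventory(text):
    """Parse 'host component version' lines (comments and blanks ignored) into findings."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        host, component, version = line.split()
        verdict, advisory = assess(component, version)
        findings.append({"host": host, "component": component, "version": version,
                         "verdict": verdict, "advisory": advisory})
    return findings


def hosts_with(findings, verdict):
    """Hosts that received a given verdict, sorted for stable reporting."""
    return sorted({f["host"] for f in findings if f["verdict"] == verdict})


if __name__ == "__main__":
    for f in scan_inventory(INVENTORY):
        print("%-7s %-8s %-17s %-15s %s" % (f["host"], f["component"], f["version"],
                                             f["verdict"], f["advisory"] or ""))
```

Two things the output makes visible that a bare version grep does not: a distro package whose upstream number is in range (vpn-01) is reported for manual confirmation rather than as a finding, because backported fixes leave the number unchanged; and a component with no encoded rule (app-01) is reported as unchecked rather than silently passing, which is the gap West’s “it takes human effort” point is about.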

3. Pen tests are lies

Penetration tests are a common part of security audits. In fact, they’re required under the Payment Card Industry Data Security Standard.

“Every single company that’s been breached has had a penetration test report that says that people can’t get in – or if they can get in, it’s not important,” said J.J. Thompson, CEO of Rook Security, a penetration testing company in Indianapolis.

So why aren’t penetration tests exposing potential security holes so that companies can fix them?

“It’s very simple,” said Thompson. “Penetration test reports are generally lies.”

Or, to put it less bluntly, penetration testers are far more constrained than real attackers in what they are allowed to do.

“You can’t impersonate someone because that’s not how we do things here,” Thompson said. “You can’t set up a phishing site associated with a Facebook profile because that’s going too far.”

Actual hackers, who are already breaking the law by getting into a company, are unlikely to balk at breaking other laws along the way. A white hat firm, by contrast, will usually not get into a company by attacking the systems of its customers or vendors, impersonate government officials, damage equipment, or hijack the real social media accounts of employees’ friends and family members. The test’s scope, not the attacker’s, sets the ceiling on what it can find.

4. Physical security, meet cybersecurity

Agents of a foreign group recently went after an organization on the East Coast, circumventing firewalls, extracting data on its leadership, and getting information about upcoming events – and the facilities where those events would be taking place.

“Authorities believed it was part of the pre-operational planning of the group,” said John Cohen, who until recently was the anti-terrorism coordinator and acting undersecretary for intelligence and analysis at the Department of Homeland Security.

“There’s a blending together of physical security and cybersecurity,” said Cohen, who is now the chief strategy adviser at Frisco, Texas-based security vendor Encryptics LLC.

It can go the other way, too, with a physical break-in opening the way to digital theft via compromised equipment.

Enterprise security must become more holistic. The thieves who broke into a field office could have been looking for easy-to-fence electronics, or they could have been planting keyloggers.

5. Plan for failure, Part 1

“The way that I look at it, and the people I talk to on a day to day basis look at it, there’s a switch in mentality,” said Scott Barlow, the chair of the CompTIA’s IT Security Community and vice president of product management at Boston’s Reflexion Networks, Inc. “Businesses are assuming that their data will be exposed, or is already exposed, and they’re taking steps.”

Those steps include encrypting data on employee desktops, in file servers, even email.

And a process called tokenization replaces bank card numbers with randomly generated surrogates, or tokens, before they leave the point-of-sale device. Only the payment processor holds the mapping back to the real numbers; the retailer stores only tokens, which cannot be turned back into card numbers by anyone who breaks into its systems.

That turns the payment processors into targets – but then, they always have been.

“Guys are already going after us,” said Paul Kleinschnitz, senior vice president and general manager of Cyber-security Solutions for FirstData, which accounts for about 40 percent of the payment processing in the U.S.

Meanwhile, the Targets and the Home Depots will be insulated from the risk of losing the payment data.

“We are pulling that burden away from the merchants and managing it,” Kleinschnitz said.

6. Plan for failure, Part 2

If JP Morgan can be breached, every company is vulnerable.

“Even if you have the best security in place, there’s still a chance that you may be breached,” said Peter Toren, an attorney specializing in computer crimes at Washington D.C. law firm Weisbrod Matteis & Copley. Toren was also a federal prosecutor for eight years, in the Justice Department’s computer crimes division.

How a company reacts to that breach can make a big difference.

Target’s CIO and CEO both lost their jobs this spring over the company’s handling of the fallout from its breach of 40 million payment card accounts late last year.

“It came out in drips,” said Toren. “It was the death of a thousand cuts.”

Companies need to be prepared to deal with a breach transparently and promptly – and preparations have to start long before a breach ever happens.

“They need to have a plan in place and work with a public relations firm beforehand,” he said. “Not just bring one in after the horse is out of the barn.”

Russian Hackers Made $2.5B Over the Last 12 Months

The Russian hacking industry brought in $2.5 billion between mid 2013 and mid 2014, thanks in large part to the Target breach, according to a report released by Group-IB.

ATM hacks are on the rise. Spamming still pays well. New criminal groups are entering the scene, specializing in mobile threats. And POS attacks will only get worse, because the card data they capture is about 10 times more profitable than an ordinary plaintext credit card number.

Also, while financial fraud is still a big earner — accounting for $426 million — it’s being surpassed by the simple buying and selling of credit card data. The carding business brought in $680 million.

All of this is evidence of the growing sophistication of the Russian cybercrime industry. (Group-IB defines this as “the market of computer crimes committed by Russian citizens, by citizens of the [countries in the Commonwealth of the Independent States, created when the Soviet Union was dissolved] and the Baltic states, as well as by citizens of other countries from the former Soviet Union.”) As the report describes it:

The market for stolen credit card data in the last 10 years has finally been structured and now features mass automated distribution channels in the form of electronic trading platforms.

Is the Fallout from Data Breaches Increasing EMV Commitment?

You’d be hard pressed not to notice the increasing number of data breaches in the business papers today. Whether it’s a giant retail store or a healthcare organization, companies are scrambling (unfortunately, after the fact) to ensure their processes and systems are secure.

A recent article in Digital Transaction magazine reported that the recent data breaches have spurred debit card issuers, a group that had been hesitant about EMV adoption, into action: 67% of debit issuers now plan to offer EMV cards in 2015.

And while chip-and-PIN cards offer more security than magnetic stripe cards, is EMV enough to ensure a breach doesn’t occur in your organization?

The short answer is no. EMV authenticates the card at the terminal, which defeats counterfeit cloned cards, but it does nothing to protect card data once it is stored in your systems or used online. EMV is part of an overall data security strategy, but protecting cardholder data is not an easy, one-stop fix. Technology exists beyond encryption to ensure cardholder data never touches your ERP system, legacy applications and web stores.

It’s called tokenization, and not all tokenization is created equal. When evaluating providers, make sure the solution integrates easily with your existing processors; that saves time and money.

EMV is here to stay, but it’s not the final word in data security.
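The tokenization flow described here and in “Plan for failure, Part 1” above, as an added worked example that is not code from the original articles, from First Data or from any vendor’s product: the point of sale sends the card number (PAN) to a processor-side vault and gets back a surrogate token, and merchant systems store only the token. The token format (same length and last four digits as the PAN, deliberately not Luhn-valid) and the HMAC-keyed lookup index are this example’s own design assumptions; the card number used is the well-known 4111… test number, not a real card.

```python
"""Tokenization walk-through: the PAN lives only in the processor's vault; the
merchant side records tokens. Added example with assumed design choices."""
import hashlib
import hmac
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn check used by payment card numbers (also how a PAN scanner spots candidates)."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Processor side: the only component that can map a token back to a PAN.

    Assumed token format (a design choice, not a standard): same length as the PAN
    and same last four digits, so receipts and legacy 16-digit fields keep working,
    and deliberately NOT Luhn-valid, so a token can never pass for a real card."""

    def __init__(self, index_key: bytes):
        self._token_to_pan = {}
        self._index_to_token = {}       # keyed by HMAC(PAN) so repeat cards reuse one token
        self._index_key = index_key

    def _index(self, pan: str) -> str:
        # Keyed hash: the lookup index must not itself be a table of card numbers.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible card number")
        idx = self._index(pan)
        if idx in self._index_to_token:
            return self._index_to_token[idx]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._index_to_token[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Processor-only operation, e.g. at settlement; never exposed to merchants."""
        return self._token_to_pan[token]


class MerchantOrders:
    """Merchant side (ERP, order database, web store): holds tokens, never PANs."""

    def __init__(self):
        self.records = []

    def record_sale(self, token: str, amount_cents: int) -> None:
        self.records.append({"token": token, "amount_cents": amount_cents})

    def dump(self) -> list:
        """What an intruder walks away with from the merchant database."""
        return list(self.records)


def breach_exposes_pan(records, pan: str) -> bool:
    """True if the card number appears anywhere in the leaked merchant records."""
    return any(pan in str(value) for rec in records for value in rec.values())


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))   # lives with the processor
    shop = MerchantOrders()
    pan = "4111111111111111"                                # test number, not a real card
    shop.record_sale(vault.tokenize(pan), 4999)
    shop.record_sale(vault.tokenize(pan), 1250)             # returning customer, same token
    print("merchant records:", shop.dump())
    print("PAN recoverable from merchant data:", breach_exposes_pan(shop.dump(), pan))
    print("processor can still settle:", vault.detokenize(shop.dump()[0]["token"]) == pan)
```

The example shows why the articles above say the risk moves to the processor: the merchant dump contains nothing that maps back to a card without the vault’s tables, while the vault is exactly the high-value store Kleinschnitz says attackers already go after. Making tokens fail the Luhn check is a small but practical choice: it stops a token from being mistaken for a live card by a downstream system or a PAN-discovery scan, and it is one of the details that separates tokenization implementations that are “not created equal.”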
