Thursday, November 29, 2007

Costs of Security Breach - New Study

We've discussed here the loss of 46 million customer data records at TJ Maxx. The company is currently facing liability suits related to this event, which seems to have been executed by hacking into an individual store's wireless network and accessing customer credit card data that was not being properly stored. Information Week ran a story in August pointing to a whopping $135 million in charges the company had to take as a result.

Combined with Gordon Brown's recent mea culpa on behalf of the British government, security is certainly at the top of mind of anyone who is paying attention.

Annual Survey of Data Breach Costs

The third in a series of annual surveys on the costs of security breaches was just published by Vontu, Inc. (registration required), in conjunction with PGP Corporation and the Ponemon Institute.

The study's findings were very interesting, especially for the payment processing wonks here at Mpayy, where customer data security will be our highest priority.

The study looked at 35 organizations that lost between 4,000 and 125,000 records each, so the TJ Maxx scenario is clearly far beyond the impacts studied here.


  • Total Costs per Record Lost - The eye-popping number is $197/record on average including direct and indirect costs, an increase of 8% year over year and 43% vs. 2005.

  • Most Costs are through Lost Business - The TJ Maxx numbers come from the company's SEC filings, but the Vontu study shows this doesn't come close to capturing the full impact. The annual study found that abnormally high churn rates among existing customers, plus lower growth rates in new customers, compound the impact of the data breach. $128 of the $197 in losses comes from this.

  • Sources of Data Losses - Even more interesting is the fact that only 5% of customer data losses come from hacked data systems. On the contrary, almost half is related to unencrypted data left around on employees' machines in the taxicabs, coffee shops and bars of the country.

Mpayy Secures the Day

Mpayy will not only use 128-bit TDES, but all customer data will be stored server-side, ensuring that customer banking information is secure. Mpayy assumes 100% of the fraud liability of its merchant partners. This will limit these potential costs for merchants, including the direct operating costs of up to 150 basis points of anti-fraud fees charged by credit card companies to merchants in the Card Not Present market.
