According to Computerworld, Heartland Payment Systems must pony up $3.6 million (USD) to American Express as part of the settlement for the massive data breach in 2008. Over 130 million credit card numbers were pilfered from Heartland by a small gang of miscreants through a simple SQL injection attack. The breach even has its own web site.
Heartland has also agreed to a settlement of all the consumer class action lawsuits. They have agreed to pay a minimum of $1 million and up to a maximum of $2.4 million to class members who submit valid claims for losses as a result of the intrusion. They have also agreed to pay the court costs and attorneys' fees, which total ~$2.25 million.
Heartland has had to pay other fines to Visa and MasterCard, but the total of $12.6 million they have set aside to handle the one-time costs is a drop in the bucket compared to $1.5 billion in 2008 revenue and does not really even skim much off the top of the $161 million in profits from that same year (the numbers for 2009 look to be tracking the same). It is almost a guarantee that any member of the class action who submits a claim will see many years of scrutiny before receiving any payment, something which Heartland can factor into their yearly financial plans (and accommodate by increasing fees).
Given the gross negligence that created the vector for the breach, this seems like a paltry sum - especially in the context of the revenue Heartland takes in. Is this fine really enough to "encourage" Heartland to put in a comprehensive, enterprise-wide program of secure code development and infrastructure/application vulnerability management? That takes smart people, good software, some hardware and - if they are smart - solid third-party partners to ensure a viable program. A scary fact is that, despite the notification of the breach in January of 2009, they have yet to disclose their plans for remediation. One would assume they have done something in the interim, since they passed Visa's PCI DSS tests in May, but we should not forget that they had been passing those tests prior to the breach. We can hope that the ROSI is sufficient for Heartland executives to build a better security program versus budgeting $12 million a year for fines.