[Cryptography] cost-watch - the cost of the Target breach

[ianG]

I often point out that our security model thinking is typically informed 
by "stopping all breaches" rather than "doing less damage."  Here's some 
indication of damage.

http://bits.blogs.nytimes.com/2014/12/04/banks-lawsuits-against-target-for-losses-related-to-hacking-can-continue/?smid=tw-nytimestech&seid=auto&_r=0

...
The ruling is one of the first court decisions to clarify the legal 
confusion between retailers and banks in data breaches. In the past, 
banks were often left with the financial burden of a hacking and were 
responsible for replacing stolen cards. The cost of replacing stolen 
cards from Target’s breach alone is roughly $400 million — and the 
Secret Service has estimated that some 1,000 American merchants may have 
suffered from similar attacks.

The Target ruling makes clear that banks have a right to go after 
merchants if they can provide evidence that the merchant may have been 
negligent in securing its systems.
...

At the time of its breach last year, Target had installed a $1.6 million 
advanced breach detection technology from the company FireEye.

But according to several people briefed on its internal investigation 
who spoke on the condition of anonymity, the technology sounded alarms 
that Target did not heed until hackers had already made off with credit 
and debit card information for 40 million customers and personal 
information for 110 million customers.