[Cryptography] cost-watch - the cost of the Target breach

Phillip Hallam-Baker phill at hallambaker.com
Fri Dec 5 18:46:00 EST 2014

On Fri, Dec 5, 2014 at 11:14 AM, ianG <iang at iang.org> wrote:

> I often point out that our security model thinking is typically informed
> by "stopping all breaches" rather than "doing less damage."  Here's some
> indication of damage.
> http://bits.blogs.nytimes.com/2014/12/04/banks-lawsuits-against-target-for-losses-related-to-hacking-can-continue/?smid=tw-nytimestech&seid=auto&_r=0
> ...
> The ruling is one of the first court decisions to clarify the legal
> confusion between retailers and banks in data breaches. In the past, banks
> were often left with the financial burden of a hacking and were responsible
> for replacing stolen cards. The cost of replacing stolen cards from
> Target’s breach alone is roughly $400 million — and the Secret Service has
> estimated that some 1,000 American merchants may have suffered from similar
> attacks.
> The Target ruling makes clear that banks have a right to go after
> merchants if they can provide evidence that the merchant may have been
> negligent in securing its systems.
> ...
> At the time of its breach last year, Target had installed a $1.6 million
> advanced breach detection technology from the company FireEye.
> But according to several people briefed on its internal investigation who
> spoke on the condition of anonymity, the technology sounded alarms that
> Target did not heed until hackers had already made off with credit and
> debit card information for 40 million customers and personal information
> for 110 million customers.

This suggests that it is Target's responsibility to maintain the security
of the card payment system rather than the banks'.

I do not agree. The banks have had ten years to deploy chip and pin which
would eliminate the breach. That was pure negligence on their part. Target
should not be held responsible when the banks decided that it would be
cheapest for them to not bother with card security.

This has worked out fine for the banks for as long as they have been able
to achieve cost shifting for the inevitable breaches. But they are the
party that is best placed to mitigate this risk so why should they be able
to recoup their losses from someone else?