When will they learn? 2 more data breaches.

The hits just keep coming. Sorry, I'm watching the Phillies vs. the Padres and getting a little punchy, but I had to finish this post.

Two more companies recently informed New Hampshire's Attorney General that they had experienced a data breach.

  1. Online retailer Batteries.com said in a letter to New Hampshire's Attorney General on May 18 that hackers breached its server in February, stealing names, addresses and credit card information. Some customers whose data was stolen have reported unauthorized use of their credit card accounts, the company said.
  2. Financial services and insurance provider Aviva USA (formerly Norwich Union) reported that a malware breach may have exposed the names, addresses and Social Security numbers of about 550 U.S. accountholders and beneficiaries.

In a previous post I referenced the cost associated with these kinds of breaches and suggested those considering whether to deploy database security to "do the math." In the case of Batteries.com, a forensic review indicates that a single hacked server contained information pertaining to approximately 865 New Hampshire residents. Just for argument's sake, assume the cost to protect this server was $10,000. Someone at the company determined that this was an unnecessary expense, and that not protecting the database server was an acceptable risk.

What's the penalty to be paid for that decision? Batteries.com will be notifying those whose information was hacked, all 865 New Hampshire residents. I assume the breach compromised the PII of individuals in other states as well, but let's confine the cost estimate to those we know about.

  • Forrester cites the cost per record of data theft at $305.00. Using this figure, the cost to Batteries.com for 865 records is $263,825.00.
  • Batteries.com has also arranged to provide all affected individuals with two years of credit monitoring and identity theft insurance at the company's expense. Again, let's be conservative and assume that the company negotiated a deal that allows it to offer the service for $30.00 per victim. The additional cost would be $25,950.00.
  • Further, Batteries.com has established a call center to support those seeking assistance and created a web site that explains the incident and offers information about privacy and credit protection services. This will run the company $200,000.00 at a minimum.

You get the point. We haven't even thought about brand damage or litigation. Nor have we identified the costs associated with other victims.

The lesson to be learned is that every database server is a target. It doesn't matter how big your company is. If you're storing PII in a database, and the server is on a network, you're playing with fire if you don't protect it.


Mike DBA at SoftTree customer said:
Bryan, nice to finally see a blog. Great post. Please ask Dmitriy to contribute more content. I enjoy reading your posts, but Dmitriy is brilliant. He's a DBA's DBA. FYI, it really doesn't take much to sell management on the risk mitigation benefits of DB Audit. I use the product to protect 9 database servers. Our cost to do that was less than the $10K figure you cited, but I understand why you chose a higher number. Thanks for making a great product.