Thursday, May 14, 2009

How Data Breaches Screw Everybody

I've written extensively about data breaches, such as the postings here, here and here. Quantifying the costs of a breach can be troublesome, since many of the dollars lost are often far downstream from the original incident.

Case in point - the Heartland breach, pointed out by Brian Krebs in his Security Fix blog. As it turns out, Angie's List started dropping subscribers left and right and they couldn't get their arms around the reason.

As it so happens, many of the drops were caused because customers who had their credit card numbers exposed in the massive Heartland breach were issued new credit cards (and account numbers) by their issuing banks, and the old numbers that were tied to their Angie's List accounts were no longer valid.

When Angie's List used their normal subscription auto-renewal processes for those customers, they obviously attempted to bill now-invalidated accounts, so the renewal was not successful, and those subscribers lost access.

Some would say that if people really cared about this, they would have paid attention when their card was reissued and would have updated their account info with Angie's List. That's a load of beetle dung. My time has a value, and if I have twenty merchants or online subscriptions that are linked to one of my cards, updating that info manually at each location becomes quite the effort, especially since the need for this activity can be directly attributed to a failure by Heartland to keep my personal information safe and secure.

In cases such as these, other merchants and companies can suffer significant financial losses from a breach caused by a firm with whom they have absolutely no relationship. If I were a class-action attorney, I'd be rounding up my list of clients from the thousands of consumers and merchants impacted by the need for 600 banks to cancel and reissue credit cards resulting from the Heartland breach.

As you've heard me preach again and again, firms will not get serious about protecting customer information until the cost of breaches and penalties far exceeds the cost of implementing robust data protection and anti-breach programs. Until then, keep a good list of all the places where your credit card number may be stored online, if you're silly enough to do that.

I have a feeling you're going to be manually updating that information frequently.

Security Fix - Heartland Breach Blamed for Failed Membership Renewals
