News
Target hack underscores importance of breach reporting

As Target Brands Inc. is finding out – following the high-profile data breach that occurred at its stores over the 2013 holiday shopping season – breaches are embarrassing and expensive. Several class-action lawsuits have been filed against Target to date.

On Jan. 7, 2013, a class action was filed in the U.S. District Court for the District of Oregon at Portland. Among the suit's claims is that security investigator Brian Krebs reported on the 40 million bankcard compromise before Target notified its customers of the breach.

On Jan. 10, Target raised the number of affected customers to 70 million, and Neiman Marcus admitted it, too, had experienced a data breach but did not disclose the number of affected customers. At the same time, media reports indicated certain outlet mall retailers also experienced breaches, but the stores were not named.

It will be a long, costly process for Target and other retailers to ensure that further breaches do not occur and to reassure a jittery public about shopping at affected stores. Forensic investigations must pinpoint the sources of breaches and security vulnerabilities must be remedied.

Ross Federgreen, founder of data security firm CSR, pointed to data breach reporting as another process that can cost compromised retailers a minimum of $10,000. By law, businesses must submit breach notifications to federal, state, local and sometimes international agencies. Following a breach, one of CSR's clients had to submit 60 reports. "That's highly atypical," Federgreen said, adding that three to five reports per incident is typically required.

According to Federgreen, larger businesses are more diligent in reporting breaches than smaller ones. "The vast majority of small and middle-sized companies: one, may not even know that breaches have taken place; and two, many times they sweep them under the carpet," he said.

The consequences of not reporting breaches can be drastic, with "very serious dollars" assessed in penalties, Federgreen noted. Additional damages include class-action lawsuits, years of federal oversight, civil and possibly criminal prosecution, not to mention reputational damage and loss of sales, he said.

Toolkit patented

On Jan. 7, 2013, CSR reported that the U.S. Patent & Trademark Office issued CSR a patent for the CSR Breach Reporting Toolkit. Federgreen said the toolkit is an automated service that manages and expedites the reporting process for small and midsize businesses.

"All of these entities that have, or suspect breaches, have significant reporting requirements in a very short time window," Federgreen said. "And it's literally impossible for small and middle, and frankly for large companies, to do it without the aid of large battalions of folks."

While large companies can afford to have breach response teams, smaller businesses don't have that luxury. "The vast majority of companies simply cannot, and they are subject to breaches, if not more of them," Federgreen said. He added that the extension of breach reporting requirements into the realm of suspected breaches only adds to the complexity because "nobody, including the courts, has a uniform definition of what that threshold of suspect really means."

Medical data, ACH vulnerabilities

Federgreen also noted that only 4 to 7 percent of breaches are bankcard related, while over 90 percent of hacks target other types of personally identifiable information, such as Social Security and driver's license numbers, dates of birth and health records.

Medical fraud is the most prevalent form, according to Federgreen, with fraudsters stealing Medicare numbers and collateral data that result in the theft of billions of dollars annually. Compared with the electronic payment processing infrastructure, medical information networks are not as secure, he said.

One weak point in electronic payments is in the area of automated clearing house (ACH) transactions, such as check payments. Federgreen said banks' ACH networks are secure if not infallible, and the danger lies in security vulnerabilities of ACH payment originators.

For instance, when a consumer sets up a recurring monthly payment at a check cashing business, the check casher puts the consumer's bank routing and account number on file before submitting the debit request to the bank. According to Federgreen, that ACH transaction and routing information is often not stored by the originator in a secure database, making it easy to hack, which gives fraudsters ready access to bank accounts.