According to securityweek.com and nytimes.com, the Stratfor hack by AntiSec resulted in losses of $2,000,000 to the company. Another $700,000 of unauthorized charges were made on customers’ credit cards. You’ll recall that Stratfor admitted to not using data encryption when storing customer’s credit card information.
I’ve covered the Stratfor hack previously:
As Steve Ragan notes over at securityweek.com, it’s very rare to come across actual financial stats when it comes to data breaches, especially when it involves credit cards. Certainly, there are the annual surveys and reports that give us a consolidated range; however, it’s uncommon to find a specific figure attached to a particular case. Ragan gives us the TJX breach as “the other” case where details were revealed.
So far, Stratfor has spent $2 million cleaning up the AntiSec hack, a figure which includes business lost after the hack, credit monitoring, etc. As previously noted, they’re also being sued for $50 million by their clients. It’s unknown whether the costs associated with mounting a defense to the lawsuit has also been included in the above figure, although what little I remember about accounting points toward this not being the case.
It was also revealed that the 60,000 or so credit cards that were stolen ended up in fraudulent charges of $700,000, although the FBI has noted that this “does not reflect any of the charges that may have been incurred on cards associated with the Stratfor Hack for which records have not yet been reviewed,” implying that the numbers could go up.
Data Encryption – Most Excellent Way to Protect Data
I’ve already noted in a previous post that PCI-DSS requires credit card to be protected with encryption if the data is stored. The best policy is not to store the data at all. The worst is to not encrypt it. (Actually, the worst is not to encrypt the data and to also store CVV data, the later being prohibited under PCI — encryption or no encryption.)
Why does PCI-DSS require the use of encryption? I don’t work for the PCI Security Standards Council, so I’m merely guessing, but I imagine it’s because cryptographic data encryption tools work really well when it comes to safeguarding digital data. They have shown to protect military transmissions, credit card data transmissions, online banking sessions, and any other type of information where the situation requires that the flow of digital data be secure.