As we continue to dissect the massive data breach at Target, we’re going to learn lots of lessons. But probably the biggest lesson you can take away from it is that if it can happen to Target, it can certainly happen to you. Even if it’s on a much smaller scale, it could still be big enough to matter to you.
With more than 360,000 employees, Target’s annual IT security budget is probably in the hundreds of millions of dollars. Yet in spite of that investment, and despite having the very best security money can buy and thousands of dedicated security professionals working around the clock, the company still managed to fall victim to one of the most devastating attacks in history.
And apart from the hit the company will take on its reputation and brand, security experts expect that the cost of just responding to the data breach could be huge. According to the Ponemon Institute, the average cost of a data breach now works out to around $188 for every record exposed. That includes the costs of investigations, incident response, free credit monitoring for customers if needed, and the loss of customers.
At more than 40 million records exposed, Target’s final bill could easily reach into the billions of dollars. And that won’t include the cost of lawsuits, fines and other penalties. Within a week of the announcement of the breach, at least three class-action lawsuits had already been announced. And less than a week after announcing the breach, Target revealed that customer traffic had fallen almost 4% compared to this time last year – in spite of this being the busiest shopping time of the year.
It’s also worth remembering that while many breached companies claim that there’s no evidence the stolen data has been used to steal the identities of victims, research suggests otherwise. A company called Javelin Strategy and Research claims that one out of every four consumers who receive a notice that they’ve been a victim of a data breach will become a victim of identity theft.
And within 24 hours of the announcement of the Target breach, security experts like myself were already seeing hackers selling stolen Target credit cards for up to $100 per card.
In fact, experts are saying that there is now so much stolen information available on these underground card forums – hundreds of millions of records – that the prices are being driven down. For example:
• A U.S. Visa, MasterCard, American Express, and Discover card will run between $4 and $8.
• Data from the magnetic stripes on those cards fetches around $12. That stripe can include cardholder information, expiration date, and valuable security information.
• A “Fullz” or complete dossier on an individual costs around $25. That dossier can include name, address, phone numbers, email addresses (with passwords), date of birth, SSN or Employee ID Number (EIN), bank account information (account & routing numbers, account type), online banking credentials (varying degrees of completeness), or credit card information.
• A date of birth costs just $11.
• Want to infect computers with data-stealing malware? That will cost you around $20 for 1,000 computers and $250 to infect 15,000 computers.
• Need someone to develop a Trojan to plant on those infected computers? That can cost as little as $50.
• Looking to hack into someone else’s website or steal their data? Hire a hacker to do the job for as little as $100.
• And if you want a bank account that has anywhere between $75,000 and $150,000 on deposit, you can have all bank account details, including routing number and password, for less than $300.
As we continue to watch the fallout from the Target breach, we’ll also be looking for more insights and lessons to share. And maybe that’s the only good news – that every major breach provides free lessons for smaller firms who want to avoid becoming even a tiny version of such a major security incident.