Data Breaches in the News: Is Your Company Next?

target data breach photo by http://www.flickr.com/photos/senatormccaskill/

Fraud Expert Dan Draz Explains the Data Breach Du Jour

First Target, now Neiman Marcus. It seems major retailers are being targeted for data breaches. Is this a major fraud event, or just another in a long line of data breaches past, present, and future?

Fraud Solutions principal Dan Draz weighs in on CommPRO.biz, explaining just how bad it could be and how data breaches affect both consumers and companies. Dan also shares valuable tips for protecting your company from fraud, including data breaches:

Everywhere I go lately I hear bits and pieces of conversations about credit cards, and invariably the conversation turns towards “Target.” Target is the “data breach victim ‘du jour’” but isn’t the first company that has experienced a data breach, and they certainly won’t be the last, with hundreds reported every year. So, the worst is definitely not over.

Case in point, we now know that another retailer, Neiman Marcus, also incurred a data breach in December. The timing of these two incidents suggests that they were perpetrated by the same organized crime ring, that it is more than a coincidence, and that we should expect more bad news in the near term suggesting other retailers were also victimized. So, what’s the extent of these breaches?

The Extent of the Iceberg

The extent is still coming to light but when analyzing fraud or data breach incidents, one thing’s certain: incidents are always significantly worse than the evidence initially uncovered by the breached entity. This is what we refer to as the “Iceberg Theory.” A ship sailing in the ocean sees an iceberg floating on the surface. However, what the ship sees is only the top 20%. There is, however, 80% more to the iceberg underwater than visible to the human eye.

Historically, this same principle holds true with data breaches as well. So, when Target initially disclosed that 40 million records had been compromised, historical anti-fraud evidence suggested that the “hammer was about to drop” with added details, and this week it did.

On January 10th, 2014, Target released this information:

“As part of Target’s ongoing forensic investigation, it has been determined that certain guest information — separate from the payment card data previously disclosed — was taken during the data breach. This theft is not a new breach, but was uncovered as part of the ongoing investigation. At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals.” 

So, in addition to the 40 million credit card numbers compromised, 70 million independent records containing consumer data were actually compromised, and these records are enough for organized crime rings to commit other frauds. To be clear, the percentage increase was not 40 million to 70 million records but 40 million to 110 million records compromised. That’s a 175% increase off the information originally reported by Target. Perhaps more importantly, it did not take long for the compromised data to hit the “black market” for resale, according to industry sources like Brian Krebs, noted security reporter and author of Krebsonsecurity.com.

Read the full post on CommPRO.biz.