5 Most Expensive Data Breaches – so far

Wikipedia defines a data breach as “the intentional or unintentional release of secure information to an untrusted environment.”  Elsewhere, Wikipedia defines it as “a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.”

Other terms include unintentional information disclosure, data leak, data spill, or just plain old data theft.

The Christian Science Monitor has recently compiled the five most expensive data breaches or data thefts, as follows:

5. US Veterans Affairs – $25-$30 million – the names, birth dates, and Social Security numbers of 17.5 million military veterans and personnel were stolen in 2006 from a laptop that a Department of Veterans Affairs employee had taken home. The costs to the VA included money for running call centers, sending out mailings, and paying for a year of a credit-monitoring service for victims. The Ponemon Institute, a research organization in Traverse City, Mich., estimates the breach cost at least $25 million.

4. Heartland Payment Systems – $140 million – Heartland Payment Systems, a payment processor based in Princeton, N.J., was the victim of a major cyber attack in 2008.  Criminals installed spying software on the company’s computer network and stole the numbers of as many as 100 million credit and debit cards. Albert Gonzalez, a hacker from Miami, was accused of playing a critical role in the Heartland hack, as well as other massive data breaches of companies including the retailer TJX, 7-Eleven, Inc., and the grocery chain Hannaford Bros. Co. Inc. In 2010, Gonzalez was sentenced to 20 years in federal prison. The company paid about $140 million in fines and settlements but recovered tens of millions through insurance, Business Insurance reports.

3. TJX – $256 million or more – the Framingham, Mass., retailer that owns national chains including TJ Maxx and Marshalls estimated that a 2007 data breach would cost the company about $25 million. In the end, the total cost was at least 10 times as high.

Cyber criminals took more than 45 million credit and debit card numbers, some of which were later used to buy millions of dollars in electronics from Wal-Mart and elsewhere. Mr. Gonzalez, who played a major role in the Heartland hack, was linked to this cyber attack as well.

2. and 1. The surprise – who would have thought that the most expensive would be a tie?  I would have bet money that the most expensive would have been a large financial institution or money changer.  Nope: the tie turns out to be between an entertainment company and a marketing company.

Epsilon – to be determined – in March 2011, hackers stole millions of names and e-mail addresses from the Dallas-based marketing firm. Epsilon handles e-mail lists for major retailers and banks such as Best Buy, JPMorgan, TiVo, Walgreen, and Kroger. A study by CyberFactors, a cyber risk analytics company, estimates that the breach could cost between $225 million and $4 billion, depending on what happens with the stolen data, Business Wire reports. Mr. Ponemon offers a lower estimate: at least $100 million, with most of the cost coming from customers lost to a damaged reputation. Ponemon says that because the stolen data was e-mail information, the costs won’t be as high as if financial information had been stolen.

Sony – to be determined – the Sony data breach, which exposed information from more than 100 million user accounts in April 2011, could prove to be the most costly data breach of all time. Hackers obtained personal information, in some instances including credit, debit, and bank account numbers, of PlayStation Network users and Sony Online Entertainment users. After discovering the breach, Sony shut down both networks temporarily. Ponemon estimates that the breach could cost Sony and credit card issuers up to a total of $2 billion.

Relative to their overall revenues and assets, the losses here are big, yet not staggering.  Nobody went out of business.  The thought to ponder is “what would it cost my company were we to lose sensitive information?”  We’ll discuss those losses in another blog.

Top Ten Reasons to Deploy DataExpress in Texas Government

10. DataExpress is on the approved DIR list

  • You can “try” before you “buy”
  • We can assist you in building evaluation criteria
  • No need to go for bids
  • Services specific to Managed File Transfer are available

9. MFT is part of the State and National plan

  • According to the 2010-2014 State Strategic Plan for Information Resources Management, the #1 challenge is to Secure IT Resources, addressed by three strategies:
    • Enhance Capabilities of the Shared Infrastructure (Strategy 1.1)
    • Leverage Shared Applications (Strategy 1.2)
    • Leverage the State’s Purchasing Power (Strategy 1.3)
    • DataExpress addresses each of these initiatives
  • MeriTalk reports, in a May 10, 2010 report, that Federal agencies use unsafe methods to move data:
    • 66% move data by physical media (tapes, CDs, DVDs, USB drives, etc.)
    • 60% move data using FTP
    • 52% transfer data via personal e-mail accounts
    • Records lost due to a security breach cost $2.40 per record (Verizon/US Secret Service); Texas estimates are much higher
  • The Secure Federal File Sharing Act (March 24, 2009):
    • Prohibits Government employees from using peer-to-peer file-sharing software. FTP is a client/server protocol rather than peer-to-peer software, but uncontrolled FTP raises the same concern the Act targets: data leaving the agency by a channel nobody manages or audits
  • January 2005 – August 2009:
    • 105 incidents involving privacy data from Texas-based organizations were reported in the public media
    • 43 of these were government-related (universities, cities, counties, and state agencies)
    • They exposed more than 3 million individual records, representing more than 12% of the state’s population
    • Cost estimated at $202 per exposed record

8. Free FTP isn’t really free and potentially introduces significant risk

  • It’s true every operating system comes with an FTP client and usually a server, however:
    • Plain FTP sends user IDs, passwords and file contents in cleartext; adding transport security means configuring FTPS (FTP over TLS) or moving to SFTP (a different protocol carried over SSH), each with its own certificate or key management
    • No roles management is included – access control is whatever the operating system accounts and directory permissions provide
    • Requires a server ID and password for every partner, with no built-in expiration
    • Lots of confusion with active/passive modes – client, server and firewall must all agree on how the data connection is opened
    • Requires manual configuration outside the FTP server (firewall rules, accounts, directory permissions, scheduling)
    • Audit trails are difficult to understand – the transfer log is a flat text record that says nothing about whether the session was encrypted, and failed logins are recorded elsewhere, so the two must be correlated by hand
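To make the last two bullets concrete, here is an added example (not code from the original page or from DataExpress) that turns the xferlog-format transfer records written by the common FTP daemons (wu-ftpd, vsftpd, ProFTPD) into structured audit events and derives the findings an operator actually needs from them. The log lines are constructed for illustration.

```python
"""Parse xferlog-format FTP transfer records into structured audit events.

Added example for this page; not DataExpress code. The xferlog format is the
transfer log written by wu-ftpd, vsftpd (xferlog_std_format) and ProFTPD.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

# Constructed sample lines (not from a real server).
SAMPLE_XFERLOG = """\
Mon Mar  7 09:12:41 2011 3 10.1.4.22 1048576 /data/claims_2011.csv b _ o r jsmith ftp 0 * c
Mon Mar  7 09:15:02 2011 1 198.51.100.9 20480 /pub/readme.txt a _ o a anonymous ftp 0 * c
Mon Mar  7 09:20:17 2011 12 10.1.4.22 52428800 /data/ssn_extract.dat b _ i r jsmith ftp 0 * i
"""


@dataclass(frozen=True)
class TransferEvent:
    when: datetime
    seconds: int          # transfer duration
    remote_host: str
    size: int             # bytes transferred
    path: str
    binary: bool          # transfer type 'b' (binary) vs 'a' (ascii)
    direction: str        # 'o' = outgoing (download), 'i' = incoming (upload)
    access: str           # 'a' anonymous, 'g' guest, 'r' real (local) user
    user: str
    completed: bool       # completion status 'c' complete / 'i' incomplete


def parse_xferlog_line(line: str) -> TransferEvent:
    """Parse one xferlog record. The filename may contain spaces, so the
    nine fixed trailing fields are taken from the right."""
    tokens = line.split()
    if len(tokens) < 18:
        raise ValueError(f"not an xferlog record: {line!r}")
    # First five tokens are a ctime-style timestamp, e.g. "Mon Mar 7 09:12:41 2011".
    when = datetime.strptime(" ".join(tokens[:5]), "%a %b %d %H:%M:%S %Y")
    seconds, host, size = int(tokens[5]), tokens[6], int(tokens[7])
    # Trailing fields: type, special-action, direction, access-mode, username,
    # service, auth-method, authenticated-user-id, completion-status.
    ttype, _action, direction, access, user, _svc, _auth, _authuser, status = tokens[-9:]
    path = " ".join(tokens[8:-9])
    return TransferEvent(when, seconds, host, size, path, ttype == "b",
                         direction, access, user, status == "c")


def parse_xferlog(text: str) -> list[TransferEvent]:
    return [parse_xferlog_line(l) for l in text.splitlines() if l.strip()]


def audit_findings(events: list[TransferEvent]) -> list[str]:
    """Findings an operator has to derive by hand from a raw FTP log.
    Note what the record cannot tell us: whether the control/data channel
    was TLS-protected, or that a login was refused (that is in the daemon's
    own log, not in xferlog)."""
    findings = []
    for e in events:
        verb = "upload" if e.direction == "i" else "download"
        if e.access == "a":
            findings.append(f"anonymous {verb} of {e.path} from {e.remote_host}")
        if not e.completed:
            findings.append(f"incomplete {verb} of {e.path} by {e.user}")
    return findings


def bytes_by_user(events: list[TransferEvent]) -> dict[str, int]:
    """Per-user byte totals, the first thing a reconciliation report needs."""
    totals: dict[str, int] = {}
    for e in events:
        totals[e.user] = totals.get(e.user, 0) + e.size
    return totals


if __name__ == "__main__":
    evs = parse_xferlog(SAMPLE_XFERLOG)
    for f in audit_findings(evs):
        print("FINDING:", f)
    for user, total in bytes_by_user(evs).items():
        print(f"{user}: {total} bytes")
```

Even this small amount of structure (who moved what, where, whether it finished) is something a plain FTP deployment leaves the operator to build, and it still has to be joined against the daemon log and the firewall log to answer the questions an auditor asks first.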

7. Removes the need for script writing and developing code

  • DIY implementations almost always require script writing
  • Requires code for interfacing to other applications
  • With DataExpress:
    • All components for transmitting/collecting, packing/unpacking, encrypting/decrypting are part of the product
    • File communications are built-in using common-sense workflow processes that don’t require scripting
    • Features that allow coupling with external applications are available and robust

6. Using DataExpress is much easier than “DIY MFT”, and lets us keep up with evolving standards

  • Designing your own multi-featured MFT solution is challenging
  • Important considerations – like security, reliability and auditing – are often not adequately addressed
  • Time to develop, test and deploy is significant
  • Usually single-use solutions
  • Difficult to adapt to changing policies
  • Usually ignores DR and high availability
  • With DataExpress:
    • DR and hot-spare capabilities are built-in
    • New protocols, packaging, and compression features are added as they become standard
    • Scalable as demand increases

5. Works in multiple environments

  • Windows Servers
  • Linux/Unix
  • OS/390 (Z/Linux)
  • Solaris
  • Minimal reconfiguration required if changing platforms
  • Virtual environments supported
  • Allows secure DMZ deployments with Secure Gateway option in all environments

4. Everything contained within one framework

  • Security-aware and managed within DataExpress
  • Robust audit trails are included
  • Job-oriented without requiring scripts or code
  • Success and failure notifications are standard
  • Calendars and scheduling are base functions
  • Conditional and branch processing functionality
  • Browser-based user interface
  • Auto-expiration of User IDs
  • Auto-expiration of files

3. Unparalleled support in solving problems

  • Do-it-yourself solutions require do-it-yourself support
  • Due to the product’s wide distribution, we have probably already solved any problem you are likely to encounter
  • No file transfer protocol implementation is entirely “standard” – we have already developed protocol properties to meet the need to communicate with non-standard clients
  • 7 x 24 x 365 support available
  • Wikis and blogs available
  • Online problem reporting and tracking

2. Security, management and auditing already built-in

  • Roles-based user and operator management
  • Robust audit trails showing all communication events
  • All communication events are recorded in a database enabling reporting to summarization and detailed levels
  • Near-real-time monitoring
  • Relationships among jobs, files, people, and locations are enforced through roles-based relationships

1. Proven solution, works already, provides peace of mind

  • DataExpress successfully delivers and collects hundreds of thousands of files daily for our customers
  • Some of the largest financial institutions in the world use DataExpress to ensure successful Secure MFT
  • These files represent billions of dollars and carry significant penalties if SLA terms aren’t met
  • DataExpress is completely scalable to any size of organization
  • Built-in active recovery and planned DR deployments
  • 7 x 24 x 365 expert support available

Administering DataExpress

In planning for and building the requirements for DataExpress, we conferred with many of our major customers. As a result of those conversations, DMB established that a DataExpress administrator’s time is broken down as follows:

  • 50% general infrastructure knowledge: server operating system administration, networks, file management, internal policy requirements, script writing, and firewall negotiation
  • 45% managing relationships and procedures with clients and internal business units, managing file transfer processes, service level management, set up, minor problem resolution, audit reconciliation, solving communication issues with remote sites
  • 5% managing DataExpress: severity 1 issues, user roles, software installation (updates, initial configuration)

In a non-managed file transfer environment, all of the tasks performed fall into the general infrastructure knowledge category. This usually requires one or more highly skilled system administrators to organize and manage the file transfer environment. This mode of operation usually results in custom scripts, poorly documented processes and procedures, limited scalability, and nearly no continuity, all translating to potential risk and end user frustration.

Also, time and time again, we have seen system administrators with hard-earned, expensive institutional knowledge leave or change jobs. More risk and more frustration. Moving to a centrally managed file transfer system alleviates the issues that arise when they do. Implementing DataExpress technology provides a standardized solution where policy and procedure (implying compliance with mandates) are documented, implemented, and audited within a defined area. This is far superior to attempting to enforce policy across a number of discrete implementations (usually undocumented and not inventoried) scattered throughout the infrastructure. Those implementations often lead to missed compliance and risk, while at the same time being far more expensive to build and maintain.

If your experience is different from our understanding, we’d like to hear about it.