I often point out that our security model thinking is typically informed
by "stopping all breaches" rather than "doing less damage." Here's some
indication of damage.
http://bits.blogs.nytimes.com/2014/12/04/banks-lawsuits-against-target-for-losses-related-to-hacking-can-continue/?smid=tw-nytimestech&seid=auto&_r=0
...
The ruling is one of the first court decisions to clarify the legal
confusion between retailers and banks in data breaches. In the past,
banks were often left with the financial burden of a hacking and were
responsible for replacing stolen cards. The cost of replacing stolen
cards from Target’s breach alone is roughly $400 million — and the
Secret Service has estimated that some 1,000 American merchants may have
suffered from similar attacks.
The Target ruling makes clear that banks have a right to go after
merchants if they can provide evidence that the merchant may have been
negligent in securing its systems.
...
At the time of its breach last year, Target had installed a $1.6 million
advanced breach detection technology from the company FireEye.
But according to several people briefed on its internal investigation
who spoke on the condition of anonymity, the technology sounded alarms
that Target did not heed until hackers had already made off with credit
and debit card information for 40 million customers and personal
information for 110 million customers.
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
