The question, however, is:
Would it have been cheaper to do IT right...?
Retail giant Target has agreed to shell out $39.4m to banks and credit unions who had pursued the company following losses suffered after an enormous data breach. Target has now resolved the class-action claims following lenders seeking to hold the company to account for reimbursing defrauded customers. $20.25m will be paid to …
So approx $40M paid out - 40M credit card details lost, so a dollar per set of details. Cheap really.
I did notice the huge amount spent on lawyers - $21m that went mostly on "legal and other professional services".
So, the legal teams did well out of the breach, keeping the payout costs down but trousering an eye-watering amount.
Maybe, instead of ambulance chasing, bottom-dwelling lawyers follow the hackers these days.
While a win for the legal beagles, it is a hit on the balance sheet. Fiduciary trust and other legal responsibilities could leave individuals open also to lawsuits. The cautionary tale is do IT right or risk being raked over the coals like Target. I doubt ~300 M would be anywhere near the cost of doing IT right for a good 10 to 20 years.
Interesting question that one.
Target's new CIO appointed this year was previously CIO at Tesco in the UK, Steve McNamara.
Troy Hunt documented the security failings at Tesco in 2012 which weren't resolved before McNamara left. Presumably McNamara is actually fixing Target's IT and bonuses won't be subject to clawback in the event of future failures...
http://www.troyhunt.com/2012/07/lessons-in-website-security-anti.html
They deserve all the ill-will this hack generates and then some. They still try and play the "we'll give you a 5% discount for joining our next data breach" game at the checkout. Should have done the security up front, instead of out the ass-end. Poor show all 'round.
Dear Target,
Why don't you just give every fucking customer a 5% discount, and stop trying to make us a part of your next data breach? No. Well I have many other shopping options.
-An actual customer
I found it interesting in a conversation with an "associate". They get points for signing up customers to their card which equals cash. And most of the cash register types weren't working there when the breach happened. When they ask, and you respond with something like: "After that last breach, do you think I'm nuts?". You get a blank look and most will ask "what breach".
But yeah... when I need to shop at Target, or Michaels or Home Depot, it's cash only, or a check (occasionally). Or my bank issued credit card and not theirs. I won't have a card issued by a store. Too damn risky.