by Ron Daly
When I was a hard working CFO at a large CU a few years back, the card operations department reported to me.
I've been down the road of having to block and reissue a compromised merchant database a time or two. There's never a "best case scenario" of a compromised database. The best case scenario is it doesn't happen. But I've had small breaks (80 member accounts affected) and fairly big breaks (400 member accounts affected). There's the estimated ~$15 you spend reissuing cards and closing accounts. And then there's the ~$10 you spend on credit monitoring on the accounts. That's ~$25 per account, so at worst it's about $10,000 that I've had to account for after a breach. And that's why, recently, there's a thought that's been troubling me.
100 million! One. Hundred. Million. I'm hoping the math makes sense for you here, because 100 million times $25 equals $2.5 BILLION. In losses and monitoring and trouble and waste.
Is that not staggering? And get this: the attack that caused all of this was only discovered a month or so ago. It could have happened, according to the first article above, as long as six months ago. Half a year, someone was there with their hands in the cookie jar and it was just recently uncovered.
article (click here
) explains that security breaches cost financial institutions $6.6 million on average last year. They also mentioned that Heartland has looked into "accelerating its effort to deploy end-to-end encryption to protect its transaction data". Seems to me that kind of protection should have been put in place when they knew there'd be 100 million accounts at stake. An ounce of prevention versus a pound of cure.
Maybe it just bothers me because I'm an old numbers guy. I see a number like 100 million, like $6.6 million, like $2.5 billion, and I think "make this system untouchable by any means necessary". Hopefully, this latest breach is not the type I'm referring to and it's just a wake-up call!
Thoughts? Opinions? Objections? I'm open to other ways of thinking. Comment away.