Breach Impacts
TJX's breach costs landing somewhere south of $300 million (not $4.5 billion, apparently) and Verus going out of business after a breach mean it might be a good time to revisit our priors about breach risk.
- Breaches at large public B2C companies don't seem to be the "worst case" we thought (or that some would like them to be).
- B2B plays, especially small niche players, are almost certain to be significantly impacted.
When performing a FAIR analysis, always produce both worst-case and probable loss magnitude figures, and arm your data owners with both sets of information.
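As an added illustration (not code from the original post), here is a small FAIR-style calculation that produces the two figures recommended above: a worst-case loss exposure from the high ends of the loss event frequency and loss magnitude estimates, and a probable loss exposure from a Monte Carlo over calibrated min/most-likely/max ranges. The `Estimate` class, the triangular sampling, and the dollar figures for a hypothetical small B2B vendor are all constructed assumptions.

```python
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated minimum / most likely / maximum for one FAIR factor (constructed helper)."""
    low: float
    most_likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode)
        return rng.triangular(self.low, self.high, self.most_likely)


def worst_case_loss(lef: Estimate, magnitude: Estimate) -> float:
    """Worst case: maximum loss events in a year times maximum loss per event."""
    return lef.high * magnitude.high


def simulate_annual_loss(lef, magnitude, trials=5000, seed=7):
    """Monte Carlo of annualized loss: draw a yearly event count, then a magnitude per event."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        events = int(round(lef.sample(rng)))  # fractional LEF rounded to a count (simplification)
        losses.append(sum(magnitude.sample(rng) for _ in range(events)))
    return losses


def probable_loss(losses):
    """Probable loss magnitude: the median of the simulated years."""
    return statistics.median(losses)


# Constructed inputs for a hypothetical small B2B niche vendor (not figures from the post):
# 0.1 to 2 loss events per year, most likely 0.5; $50k to $3M per event, most likely $400k.
SMALL_B2B_LEF = Estimate(0.1, 0.5, 2.0)
SMALL_B2B_MAGNITUDE = Estimate(50_000, 400_000, 3_000_000)


def report(lef=SMALL_B2B_LEF, magnitude=SMALL_B2B_MAGNITUDE):
    """Return probable, 95th-percentile and worst-case annual loss for the data owner."""
    losses = sorted(simulate_annual_loss(lef, magnitude))
    return {"probable": probable_loss(losses),
            "p95": losses[int(0.95 * (len(losses) - 1))],
            "worst_case": worst_case_loss(lef, magnitude)}


if __name__ == "__main__":
    for name, dollars in report().items():
        print(f"{name:>10}: ${dollars:,.0f}")
```

The gap between the probable and worst-case rows is what the post is pointing at: for a small B2B player the worst case can be existential even when the probable loss looks manageable.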


LonerVamp Aug 16
Verus going out of business partly (if not wholly) due to admins turning off a firewall during certain (I assume things like batch transfers) data transfers?
I wonder how many companies accept a risk like that daily or monthly?
Alex Aug 16
Quite a few, I’m willing to bet. What I don’t get is why would you need to turn off the firewall?
LonerVamp Aug 16
My guess is someone couldn’t figure out a better way and this worked…in the face of a deadline…at the last minute. And then an emergency measure turned into the accepted solution? I surmise a lot there, but I think they are safe assumptions, based on experience. Even good admins get caught in the corner between deadlines, clients, and mgmt such that poor decisions end up being made for them. (Course, a ‘good’ admin likely should be able to work the firewall well enough to allow this without turning it off…)
Or it could be just incompetence…
In the end, this is yet another sort of incident that I doubt we’ll hear any real details about, even though we desperately do need to share and learn from it. :\
JanH Oct 10
What is the difference/connection between risk assessments and privacy impact assessments? Wouldn’t PIAs as described here be a natural part of a risk management program?
http://www.privcom.gc.ca/fs-fi/02_05_d_33_e.asp
Alex Oct 10
Hi Jan H,
I’m not keenly familiar with Canadian law, so I can’t speak authoritatively on the subj. and how it is commonly interpreted.
But reading what I can, the spirit of the law seems to include risk analysis around those processes and assets that move/store PII data.
So a risk analysis could be conducted for any number of reasons (business continuity, control solution selection, policy exception, project management, etc.) while a PIA seems to be designed solely to prove diligence regarding the handling of PII…
US F.I.’s find themselves being asked to use “risk” in the same manner. Unfortunately, that’s where most of them stop…