Tuesday, August 21, 2007

TJX Breach News, and on and on...



Today the Boston Globe reported an arrest related to the TJX breach, which is record-setting in terms of the number of affected consumers, in their article, "Suspect named in TJX credit card probe: Ukrainian's arrest seen as break in record fraud case".

I continue to be intrigued by the details of this case. Maksym Yastremskiy stands accused of playing a "key role in the sale of many credit card numbers stolen from TJX Cos" and is likely the "largest seller of stolen TJX numbers".


According to the article, Mr. Yastremskiy sold cards in batches of up to 10,000 for $20-100 per card through various online forums.  Let's do some math.

10,000 cards @ $20-100/card = $200,000-1,000,000!

Let's say for a second that the 45 million cards (allegedly lost in the original breach) could all be sold for the same price.

45,700,000 cards @ $20-100/card = $914,000,000-4,570,000,000!

Up to 4.5 billion dollars!  Now this is all VERY hypothetical, but it should be VERY clear why organized crime is so interested and active in information security (or insecurity).  The amount of money made is incredible.

The article goes on to state that TJX reported that initial estimates of how much the breach will cost the company were grossly understated.  TJX estimates that it will spend $256,000,000 to cover the costs of the breach, improved security controls, and lawsuits.  
I don't know, but this still seems understated to me.

There is evidence of cards and/or information related to the TJX breach being used all over the world from retail WalMart stores to cash advances.

What a mess.  What did Mom say?  Something like an ounce of prevention is worth a pound of cure, or was it an ounce of security is worth $20-100/card?  I can't remember!


Some good TJX breach-related links:
 - The original TJX press release announcing the breach dated 1/17/07
 - The TJX "IMPORTANT CUSTOMER ALERT" dated 2/21/07
 - The original Information Week online article dated 1/17/07
 - "TJX profit down sharply on breach costs" reported by CNNMoney on 8/14/07
 - The recent Boston Globe story reporting Yastremskiy arrest dated 8/21/07
 - Massachusetts Bankers Association class-action lawsuit announcement dated 4/24/07
 - FTC Notice of Proposed Routine Use; Request for Public Comment, Privacy Act of 1974; System of Records: FTC File No. P072104