AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

An Overstatement: Heartland Payment Systems And The 100 Million Figure

I wasn't going to bring up the Heartland Payment Systems issue, since it's been pretty widely covered. Readers of this blog know that I and others have pointed out that data encryption solutions like AlertBoot are not a panacea when it comes to data security, and that the appropriate tools must be in place for different attack vectors. The Heartland Payment Systems breach is a case in point: since malware was involved, monitoring of their networks would have been key, it seems. Chances are encryption wouldn't have done much to help avoid the situation.

However, I do bring up the story because it seems people are missing a key element.

"Move over TJ Maxx, payment processor Heartland Payment Systems has potentially leaked up to 100 million credit and debit accounts into the black market." [Ars Technica]

While I'm not singling out Ars (love their site for their insight), it pretty much embodies what everyone else is saying about the situation.  I've got issues with this, for two reasons.

First, the 100 million figure comes from the fact that Heartland processes 100 million transactions per month on average.  And while Ars had the sense to claim "up to 100 million…accounts," let's face it, there's no way the number of accounts affected will even remotely approach that figure.

Why?  Because a person doesn't use a credit card once per month, that's why.

Remember, we're talking about 100 million transactions.  I use a credit card once a day, every day--at least.  I account for 30 transactions per month, not necessarily with Heartland.  Even with the average American holding four credit cards, there's no way that 100 million transactions will convert to 100 million accounts.  That figure is way out of proportion. (On the other hand, one ought to consider that December means lots of shopping, so that 100 million transactions figure might be depressed.)

Assuming a credit card is used only twice a month, that figure is cut in half: you may have 100 million transactions, but the number of cards affected is 50 million.  Remember, this is with cards being used twice a month only, an unreasonable assumption.  Chances are the usage per card would be much higher, and hence the number of accounts affected lower. 

There are other factors that could affect the figures as well, exerting both downward and upward pressure. Chief among them is the fact that Heartland is not the only processor out there: how many times does a person encounter a Heartland processor? Once a month would imply 100 million accounts breached; twice a month, 50 million accounts; three times, 33 million accounts; etc. And since most people tend to shop where they've shopped before…you see where this is going.

Second reason I have an issue with the above statement: the TJX breach eventually involved 94 million cards, up from the initially reported 45 million.  100 million compared to 94 million is not so jaw-dropping.  And, in Heartland's case, the breach is capped at 100 million or so, with the potential to drop significantly.

TJX's place in the annals of data breach history is pretty secure for the time being, I'd say.


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.