A recent data breach study commissioned by the state of Maine sheds light on the losses banks experienced as a result of the data breaches at TJX and Hannaford Brothers supermarkets.
The state's banks said they incurred $2.1 million in expenses related to data breaches since January 1, 2007. The Hannaford breach had the largest impact, affecting 71 financial institutions and incurring $1.6 million in expenses according to the Maine Data Breach Study. Hannaford is based in Scarborough, Maine. The TJX breach accounted for $485,000 in expenses.
The report was issued by the Maine Bureau of Financial Institutions in November 2008. It studied the impact of data security breaches on Maine banks and credit unions. Fifty credit unions and 25 banks headquartered in Maine responded to the survey.
Financial institutions reported more than 18 million records breached last year, according to the Identity Theft Research Center. The San Diego-based nonprofit found that data breach reports across five industry sectors jumped to 656 last year, up 47% from 2007. About 12% of the reports came from financial-services firms, up from 7% in 2007.
In Maine, the Hannaford breach resulted in more than $318,000 in gross fraud losses, according to data reported by 22 financial institutions. More than 700 accounts were used to buy items fraudulently, although five of the 22 institutions that suffered a fraud loss did not report the number of accounts, according to the report. The Hannaford breach cost some banks as much as $58,000 to reissue credit cards to customers. Investigation expenses cost nearly $30,000 for some banks. Communication to customers cost nearly $28,000, some banks and credit unions reported.
Fraud losses of nearly $45,000 were tied to the TJX data breach. The losses were reported by six financial institutions. The expenses for reissuing credit cards cost some banks as much as $32,000. Investigation expenses were as high as $21,000 for some banks. Communication to customers cost nearly $24,000.
Joseph Murphy, president of the Maine Bankers Association, declined to comment about the report. John Barr, deputy superintendent of Maine's Bureau of Financial Institutions, did not return phone calls seeking comment.
Adam Shostack, blogger and author of The New School of Information Security, said the expenses turn out to be about $450 for each abused account, which is in line with the estimated figures for sales of pilfered account data on the black market.
"There's lots of credit card numbers breached, lots of re-issuance, and that's not cheap, but it's not horrifically expensive," Shostack said.
Shostack said the rising costs associated with data breach could lead banks and merchants to find alternative payment methods. An alternative method could cut costs by reducing fraud, he said.
"What this means for business is that the process of data collection and analysis is starting to produce something better than 'accepted practice,'" Shostack said. "I can drive business with real security metrics and real, empirical science."
The Ponemon Institute, which puts out an annual data breach cost report, found that the total average cost of a data breach grew to $197 per compromised record. The costs add up to more than $6.3 million per breach and ranged from $225,000 to almost $35 million. The study factors in the cost of lost business and the investment a merchant makes in security technologies following a breach. The organization plans to release updated figures later this month.
The Maine data breach report further illustrates the far-reaching effects of data breaches and identity crime, said Larry Ponemon, founder and chairman of the Ponemon Institute. Ponemon cautioned that the costs listed in the report are only those associated with financial institutions and don't reflect the total costs incurred by Hannaford, victims, and other organizations.
"The financial impact goes so much deeper than simply costing victims, but also ripples throughout the network of organizations involved," Ponemon said. "I'm always glad to see when other organizations produce evidence to corroborate what we've been saying for years: 'failure to maintain proper data security is a high risk gamble that companies simply can't afford.'"
Editor's note: Adam Shostack said breach expenses turn out to be about $450 for each abused account. His comment was paraphrased incorrectly in a previous version of this story.