In December 2013, a well-known IT security blogger, Brian Krebs, was trawling some internet forums when he saw cyber criminals boasting about their latest ‘acquisition’ of credit card details. Two independent sources later, Krebs had confirmed that Target had been hacked and stolen customer cards were being traded on the cyber black market.
Fast forward to last week, and we now know Target has notified US regulators that over 110 million customer records have been exposed, a third party contractor is being investigated as the source of the security flaw, and Target executives have publicly admitted they knew nothing of the massive breach until notified by US law enforcement (who saw Krebs’ blog).
While ‘mega breaches’ make for good headlines, they belie the reality that businesses and organisations of all shapes and sizes are just as vulnerable to these types of exposures as Target. First party costs (including recovery and restoration, investigation and response, business interruption and expenses for technical expertise) can run into the tens of thousands of dollars very quickly, even for the smallest business. And if the US experience is anything to go by, third party claims and class actions also loom on the horizon for vulnerable entities.
For Commonwealth agencies, organisations that deal with health records and businesses with an annual turnover of $3 million or more, things are about to get a lot more serious. On 12 March 2014, the tough new Privacy Act amendments commence, implementing (amongst other things):
Cyber insurance products are now appearing in our market to form part of a modern risk management solution. But not all are created equal.
[by Megan O’Rourke from Elevista]