Shostack + Friends Blog Archive


$450 per account? No.

So there’s a claim going around that I believe a breach costs $450 per account. That claim is not accurate. What was said (and the interview was in email, so I can quote exactly):

(Interviewer) The Hannaford breach resulted in more than $318,000 in gross fraud losses, according to data reported by 22 financial institutions. More than 700 accounts were used fraudulently. That’s out of millions that were breached. Do you find that $318K figure high or about right?

(me) That’s about $450 per account, which is in line with the reports of how the crooks were monetizing their data.

This was reported as:

Adam Shostack, blogger and author of The New School of Information Security, said the expenses turn out to be about $450 for each breached account, which is in line with the estimated figures for sales of pilfered account data on the black market.

I’m not naming the interviewer, because I don’t want to imply that the fault is his. I answered the question, he quoted me.

What I meant, which I think is clear from context, is: “That’s about $450 per abused account, which is in line with the reports of how the crooks were monetizing their data.”

Emergent Chaos regrets … any confusion which may have resulted, and I’d like to thank Patrick Florer for drawing my attention to this.

[Update: Robert Westervelt has updated the original story. Thanks, Robert! I hadn’t contacted him because I felt the reporting was not inaccurate.]

2 comments on "$450 per account? No."

  • Iang says:

    Breach data has always struck me as great fertiliser for growing FUD. On the other hand, $450 is a useful number 🙂
    Reading the entire article makes me think it was a silly mistake. The article is all over the map.

  • beri says:

    Well, at least they spelled your name right!
