I posted this also to the securitymetrics.org mailing list. Sorry if discussing this in multiple venues ticks you off.
The Not Obvious blog has an interesting write-up on the Heartland breach and its impact. From the blog post:
“Heartland has had to pay other fines to Visa and MasterCard, but the total of $12.6 million they have set aside to handle the one-time costs is a drop in the bucket compared to $1.5 billion in 2008 revenue and does not really even skim much off the top of the $161 million in profits from that same year (the numbers for 2009 look to be tracking the same). It is almost a guarantee that any member of the class action who submits a claim will see many years of scrutiny before receiving any payment, something which Heartland can factor into their yearly financial plans (and accommodate for by increasing fees).”
- One wonders how much a “sufficient” (loaded term, of course) InfoSec program costs a company like Heartland on an annual basis.
- Does this set a sort of “worst case” bound on impact distributions?
- If so, how does a worst-case impact of ~$13 million (US) affect security management at retailers (politically)?