Why 'data breach' isn't a dirty word anymore

Contrary to popular belief, data breaches don't necessarily sink a company, studies and survivors indicate.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

Three years ago one of the largest payment processors in the country reported that hackers had accessed its computer system, exposing millions of credit card numbers in what is believed to be the largest hacking-related security breach ever.

Heartland Payment Systems' CEO said at the time that the breach had occurred in 2008, but had only been discovered in January 2009. According to the DataLossDB site, the Heartland breach involved 130 million credit and debit card numbers. The company was sued by shareholders, but the suit was dismissed. Meanwhile, after pleading guilty to that hack as well as a slew of others, former government informant Albert Gonzalez is serving a 20-year prison sentence.

Heartland has not only survived since the breach, it has thrived. Its stock price dropped from about $17 a share to under $5 after the breach, but has climbed to just under $30. Revenue has increased during that time by about 30 percent and profit margins are at pre-breach levels, although the company paid an estimated $68 million in costs to settle consumer and credit card claims.

"I've been impressed with Heartland because on paper you could have said if anybody was going to get killed it would have been them" because of the breach, Gunnar Peterson, a security architecture consultant at Arctec Group, said in a recent interview with CNET after he wrote about Heartland as a success story on his blog. "They got seriously hosed on their core line of business. It happened right in the heart of the financial crisis and recession, so people were running for the exits on any possible issue. And they fought back and saved their business."

Heartland dealt with a direct negative impact on its financials and its brand, but worked hard to maintain good relations with its customers, said John South, chief security officer, who joined Heartland about nine months after the breach was disclosed. "We had overwhelming support from our merchants," he said. "So the loss of a customer base for us was relatively small...Not many other companies could have come back from something like this."

The firm has taken an active role in the Payment Processors Information Sharing Council that was established after the breach and has shared information about the attack with others in the industry and law enforcement so that future breach targets will fare better, according to South. "From the start, the CEO's position was 'we've been breached, we need to be honest about what happened and why it happened and do what we can to prevent this from happening to other people.'"

The Heartland breach was a huge deal back then, but so many other breaches have occurred since that the public may be a bit inured to them by now. With stolen credit card numbers, in particular, consumers are likely to be less concerned than when personal information like their address and phone number is exposed, because merchants end up eating the cost of fraud and not consumers.

"Maybe the average person in the U.S., after receiving at least one breach notification or more, maybe they are becoming numb to the whole experience," said Larry Ponemon, founder of the Ponemon Institute. Ponemon released a study this week with Symantec that found that for the first time data breach costs have decreased and fewer customers are abandoning companies after a breach. "Basically, we see a lot of people recognize that a data breach is bad, but it may not be directly harmful to them," Ponemon told CNET.

Customers are forgiving
Another report released last week came to similar conclusions. Executives worry about lawsuits, brand damage, stock drops and customer loss after a data breach but those fears are usually unfounded, according to the latest Verizon data breach report. "While a few 2011 breach victims estimated their losses to be in the hundreds of millions of dollars, most did not get near to that amount. In fact, the large majority of them emerged relatively unscathed from their troubles. While they were inconvenienced and probably had a sleepless night or two, they returned to normal business operations before too long," the report said. "Breaches don't appear to typically have a major long-term impact on stock value."

Why is that? Consumers are forgiving, said Wade Baker, director of risk intelligence at Verizon. "Consumers will still shop at their favorite retailer and they won't change their bank, but business-to-business firms will choose a more secure partner."

Brian Martin, president of the Open Security Foundation, which runs the DataLossDB site, agreed, saying "invariably the consumers will stick with the company." Part of this is due to the fact that many people don't trust that other firms will necessarily do a better job at securing their data. And a larger part of it is because it is a hassle to switch to a new company.

"How many people after the Sony hack canceled their PlayStation Accounts?" said Martin. "A few token ones did, but in the grand scheme it wasn't large numbers. It's a moral outrage, but in the end, consumer apathy and laziness wins out."

When personal data of more than 70 million Sony PlayStation and Qriocity users was compromised last year users filed lawsuits and experts said it was a public relations disaster for the multinational company. Part of the problem was that Sony didn't tell customers about the breach for over a week, despite the fact that credit card information was possibly stolen. Also, Sony was vague about the details and the risk to customers, and took more than three weeks to get the service back up as it dealt with additional breaches, including one affecting 24 million accounts at Sony Online Entertainment.

Sony's stock has dropped from above $30 a share to $20 and it forecast last May that 2011 operating income in its video game division would significantly decrease as a result of breach-related costs and activities, including rebuilding its security infrastructure and offering identity-theft protection service to affected customers. However, the forecast for its financials overall, including all the other business units, was positive. This diversity of operations helps cushion the breach impact on Sony, whereas Heartland had only one line of business.

"Sony was the poster child this year of retail breaches," said Jon Gossels, chief executive of security consultancy System Experts. "I've got to believe that type of massive breach is going to shake some confidence and no amount of disclosure or communications can completely clear that. They'll have to rebuild that confidence and let people know what changes they've made operationally and technically to prevent that type of breach from occurring again."

Among the many other firms that have weathered breaches are data broker ChoicePoint and payment processor PayChoice, as well as TJX, marketing outsourcer Epsilon, global intelligence firm Stratfor and VeriSign, which buried the news in a filing with the U.S. Securities and Exchange Commission and didn't make a public announcement. Not only is customer data at risk in breaches, but some firms lose valuable source code and other intellectual property, such as Google, RSA and Symantec. Symantec's case was interesting because the company first blamed a third party for a breach that hackers publicized earlier this year, but then later acknowledged that its network had been compromised in 2006.

Communication is key
Of all those companies mentioned, Google gets the most praise for its handling of the 2010 disclosure of the attack on its network. Unprompted, the company was quick to notify the public and, for the most part, provided details about how the attack happened and what the threat risk was to its users. "They communicated their thought process and actions pretty clearly," said Peterson. "I would expect other companies to try to emulate that whenever possible."

In contrast, security experts complained that RSA's communications were vague and failed to provide enough detail for customers to effectively assess their risk when the firm announced its breach a year ago. "Many RSA customers were unhappy with how they handled it," said Gossels. "They were left for long periods of time not knowing how serious it was, what the implications were for them and whether RSA was going to replace the SecurID tokens" that customers use to secure their networks.

Asked what lessons RSA learned from the incident, Brian Fitzgerald, RSA vice president of marketing, said: "You can't communicate enough. We were very aggressive, but still there were people who would have loved to see us do more. Information sharing is hugely important. Everybody wanted to know about the attack on us and customers wanted to know how to defend themselves."

Fitzgerald said the company didn't lose any big customers as a result of the breach and only had to replace tokens for a "small percentage of the customer base," despite the fact that the stolen data was used on an attack on at least one company that has been publicly identified: Lockheed-Martin. Meanwhile, RSA took a $66 million charge due to token replacement and other breach-related costs.

"We disclosed the situation very quickly, within hours of understanding that there could be customer risk," Fitzgerald said, adding that the company took great pains to communicate with customers and met with many of them personally. "These things take time for the factual information to come out. We are a year out and we're still having a conversation about it."

Information sharing to customers and even competitors is key to helping the industry improve its security track record, experts say. "The attackers work together and the victims are isolated and I think that's still basically the case," Peterson said. "It's unfortunate because you see the same lessons being learned again and again."

"The reason we're struggling as an industry is that we cover up the failures," said Adam Shostack, blogger and co-author of "The New School of Information Security." "An awful lot of companies are getting breached but what do we know about those breaches?"

One company that ultimately failed to survive its data breach is Dutch certificate authority DigiNotar. The firm closed its doors and filed for bankruptcy after an intruder was able to compromise its network and generate fake Secure Sockets Layer (SSL) certificates, the credentials online sites use to prove their authenticity. Hundreds of the fraudulent certificates were used to try to trick Google.com users in Iran and visitors to many other sites, including Microsoft, Skype, Twitter, Facebook, the CIA and MI6. DigiNotar was criticized for lax security and failing to notify the public about the breach for several weeks. The compromise forced browser makers to blacklist the DigiNotar certificates and Microsoft and Adobe to issue security patches.
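The DigiNotar paragraph compresses the whole mechanism into a sentence: a certificate authority's signing key is abused, the certificates it issues are technically valid, and the only remedy available to browser makers is to stop trusting the issuer. The following Go program is an added example written for this article, not code from DigiNotar, any browser vendor, or CNET. It builds a constructed "Compromised Example CA" in memory, has it issue a certificate for the hypothetical host www.example.com, and shows that the certificate chain validates while the CA is trusted and is rejected once the CA's fingerprint is placed on a distrust list, which is a simplified model of the blacklisting the article describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TrustStore models a browser's root store plus an explicit distrust list keyed
// by the SHA-256 fingerprint of the DER-encoded certificate.
type TrustStore struct {
	Roots      *x509.CertPool
	Distrusted map[string]bool
}

// Fingerprint returns the hex SHA-256 of a certificate's DER encoding.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// Validate builds chains from leaf to the store's roots for host and accepts
// only if at least one chain contains no distrusted certificate. The rogue
// root may still sit in the pool (a user could re-add it); the distrust list
// rejects any chain that passes through it regardless.
func (s *TrustStore) Validate(leaf *x509.Certificate, host string) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: s.Roots, DNSName: host})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		clean := true
		for _, c := range chain {
			if s.Distrusted[Fingerprint(c)] {
				clean = false
			}
		}
		if clean {
			return nil
		}
	}
	return fmt.Errorf("every chain for %s passes through a distrusted certificate", host)
}

// mustSign signs tmpl with signer and parses the result; fixture code only.
func mustSign(tmpl, parent *x509.Certificate, pub interface{}, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// NewCA makes a self-signed CA: a constructed stand-in for a compromised issuer.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return mustSign(tmpl, tmpl, &key.PublicKey, key), key
}

// IssueLeaf has the CA sign a server certificate for host (constructed data).
func IssueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return mustSign(tmpl, ca, &key.PublicKey, caKey)
}

// Scenario reports whether the rogue CA's leaf is accepted before and after distrust.
func Scenario() (acceptedBefore, acceptedAfter bool) {
	ca, caKey := NewCA("Compromised Example CA")
	leaf := IssueLeaf(ca, caKey, "www.example.com")
	store := &TrustStore{Roots: x509.NewCertPool(), Distrusted: map[string]bool{}}
	store.Roots.AddCert(ca)
	acceptedBefore = store.Validate(leaf, "www.example.com") == nil
	store.Distrusted[Fingerprint(ca)] = true // the "blacklist" step
	acceptedAfter = store.Validate(leaf, "www.example.com") == nil
	return
}
```

The design point is that the fraudulent certificate is never "invalid" in a cryptographic sense: it carries a correct signature from a key the store trusted. Distrust therefore has to be a policy decision applied to the issuer, pushed out through browser or OS updates, which is why the article records patches from Microsoft and Adobe rather than any fix on the certificates themselves.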

And then there is HBGary Federal, another victim of hackers. After learning that CEO Aaron Barr was working to identify members of online activist group Anonymous, hackers broke into the firm's computer network, stole sensitive and personal information and potentially incriminating business data and then posted it to the Web. A representative for HBGary Federal could not be reached for comment.

The attack spread to HBGary, a separate but related security firm, when hackers used Barr's log-in credentials to get into a Google e-mail server shared with HBGary. While it appears that HBGary Federal is now defunct (the domain is for sale), HBGary was recently bought by government contractor ManTech.

Greg Hoglund, CEO and co-founder of HBGary, said his company was diligent about communicating with customers after the attack last year. As a result, the firm didn't lose customers, he said.

"If you have e-mails stolen or a database compromised my advice is don't overreact. It's not the end of the world," Hoglund said. "It may take a year, but if you stay focused on your customer and use incident response best practices it won't destroy your company. Our company is living proof of that. We finished our year (with revenue) above the projected numbers. And now I've successfully had my company acquired."

But no company that suffers a breach should feel safe from either hackers or disgruntled customers, warns Martin of the Open Security Foundation. "Companies can't take it for granted that they are just going to bounce back over time," he said. "They may have to struggle and work harder to recoup earnings and restore brand image and customer trust."