Data Breach Breaking Point Prediction

The Catalyst

I was enjoying Episode 82 of the Defensive Security podcast with Mr Jerry Bell (@MaliciousLink) and Mr Andrew Kalat (@Lerg).  About 18 minutes into the podcast they comment on how few people care about data breaches and wonder what will have to happen before non-infosec people react to data breaches (particularly credit/debit card breaches).

[Image: Chip and Pin are for card fraud, not every type of card breach]


The Prediction

Consumers, and therefore businesses, will begin to care about card breaches when the direct risk or impact to the consumer becomes more significant. Right now consumers are insulated from it: a breach is an abstract event for most people until a replacement card arrives in the mail, and the only cost they notice is cutting up the old one.

Attitudes will change when the probability that a breach produces a tangible loss in a person's own bank account goes up.


[Image: How Consultant Predictions Look]



The Reason

It’s my understanding that people who exploit vulnerabilities to steal cardholder data don’t often leverage the data themselves; they specialize in capturing the data and then selling it.

The marketing of the stolen data on criminal marketplaces gives banks and card issuers a window into what has been compromised, so they can react quickly to invalidate the stolen account data. The issuer then simply sends the cardholder a new, valid card.

Banks use other methods to determine whether some of their customers' data has been compromised, but this example is enough to illustrate how the banks' focus on detecting and responding to compromise gives their customers reasonable peace of mind.
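To make that detection window concrete, here is an added example (not from the original post, and not any bank's actual system) of the common-point-of-purchase analysis an issuer's fraud team can run once a batch of its cards turns up for sale: find the merchant that the known-compromised cards share, estimate the exposure window from their transaction dates, and reissue every card that transacted at that merchant in the window, including cards that have not yet been seen for sale. The transaction history, card identifiers and merchant names are all constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample transaction history: (card_id, merchant, transaction_date).
TRANSACTIONS = [
    ("card-001", "grocer-A", date(2014, 9, 1)),
    ("card-001", "gas-station-X", date(2014, 9, 3)),
    ("card-001", "cafe-B", date(2014, 9, 5)),
    ("card-002", "gas-station-X", date(2014, 9, 4)),
    ("card-002", "grocer-A", date(2014, 9, 6)),
    ("card-003", "gas-station-X", date(2014, 9, 8)),
    ("card-003", "cafe-B", date(2014, 9, 9)),
    ("card-004", "gas-station-X", date(2014, 9, 10)),
    ("card-004", "pharmacy-C", date(2014, 9, 11)),
    ("card-005", "gas-station-X", date(2014, 9, 6)),   # in window, not yet seen for sale
    ("card-005", "grocer-A", date(2014, 9, 7)),
    ("card-006", "gas-station-X", date(2014, 9, 20)),  # after the exposure window
    ("card-006", "cafe-B", date(2014, 9, 21)),
    ("card-007", "grocer-A", date(2014, 9, 2)),        # never visited the breached merchant
]

# Constructed: the issuer's cards that were observed listed on a carding market.
COMPROMISED_OBSERVED = {"card-001", "card-002", "card-003", "card-004"}


def common_points_of_purchase(transactions, compromised, min_cards=3, min_fraction=0.75):
    """Rank merchants by how many of the compromised cards transacted there.

    A merchant shared by (almost) every compromised card is the likely breach point.
    Returns [(merchant, count, fraction_of_compromised)] sorted by count, descending.
    """
    merchants_by_card = defaultdict(set)
    for card, merchant, _ in transactions:
        merchants_by_card[card].add(merchant)

    counts = Counter()
    for card in compromised:
        for merchant in merchants_by_card.get(card, ()):
            counts[merchant] += 1

    results = []
    for merchant, n in counts.most_common():
        fraction = n / len(compromised)
        if n >= min_cards and fraction >= min_fraction:
            results.append((merchant, n, fraction))
    return results


def exposure_window(transactions, merchant, compromised):
    """Earliest and latest date a known-compromised card transacted at the merchant."""
    dates = [when for card, m, when in transactions if m == merchant and card in compromised]
    return (min(dates), max(dates)) if dates else None


def cards_to_reissue(transactions, merchant, window):
    """Every card that transacted at the breached merchant inside the window.

    This is the proactive step: it catches cards that were exposed but have not
    (yet) appeared on a market, so the customer sees a new card, not a fraudulent charge.
    """
    start, end = window
    return {card for card, m, when in transactions if m == merchant and start <= when <= end}


def run_analysis(transactions=TRANSACTIONS, compromised=COMPROMISED_OBSERVED):
    """Full pipeline: breach point -> exposure window -> reissue list."""
    candidates = common_points_of_purchase(transactions, compromised)
    if not candidates:
        return None
    merchant = candidates[0][0]
    window = exposure_window(transactions, merchant, compromised)
    return {
        "merchant": merchant,
        "window": (window[0].isoformat(), window[1].isoformat()),
        "reissue": sorted(cards_to_reissue(transactions, merchant, window)),
    }


if __name__ == "__main__":
    print(run_analysis())
```

In the sample, only gas-station-X is shared by all four cards seen for sale, so the issuer reissues cards 001 through 005 and leaves 006 and 007 alone. The thresholds are deliberately simple; a real fraud team would also compare a merchant's share of compromised cards against its share of the whole portfolio, otherwise a large grocer that most customers visit anyway would look like a breach point. The point for the argument above is that this entire process is triggered by the cards appearing somewhere the bank can see them.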

In a future paradigm where the actors who lifted the data don't have to market it in places or ways that banks can monitor, or where they simply use the data themselves, this built-in notification window for banks disappears. When the first notification a bank has that something is wrong is customers disputing charges, I think the inconvenience will shift more heavily onto the consumer and you'll see a change in attitudes.

In other words, I believe that changes that make card data theft more effective will lead to bigger changes in consumer appetite for these types of breaches.  When it hurts, they will change it.