Welcome to This Week's [in]Security. This week: Beyond "locks and bars" secure e-shopping. Vote for PCI 2019 special interest groups. More fallout and huge liability from Marriott's Starwood breach. New breaches at 1-800-FLOWERS, Quora, Fallout 76, and BeatStars. Facebook harvested call and text logs without permission. Republicans hacked in the mid-terms. Magecart gangs go after admin credentials. Exploiting typo links in Tweets.
Now here's this week's selection of news, opinions, and research. Quickly skim the annotated links organized by topic: compliance and payment security, breaches, regulation, bugs, privacy, hacking/malware, other security & risk, and more. We hope you enjoy them and find them useful.
PCI Compliance and Payments
News and announcements relating to Payment Security, Payments, PCI, and Card Brands.
The potential liabilities over the Starwood breach are now nearing Marriott's annual revenue ($23B in 2017). These numbers will change after the dust settles (elimination of duplicate records, actual number of compromised cards, legal negotiations). Here's a partial list of possible liabilities:
Payment card brand breach fines, a.k.a. "Account Recovery", are meant to reimburse card issuers and aren't publicized. Fines will vary depending on what was compromised: a breach of sensitive authentication data such as track data, security codes, or PINs will draw a higher penalty than a breach of basic cardholder data. Various media reports over the years have touted numbers as high as $90 per card. Assuming a range of $5 to $25 per card, this would put the maximum liability in a range of $2.5B to $12.5B. However, Target seems to have settled with the banks for about $1 per card, according to this 2015 article: https://www.bloomberg.com/news/articles/2015-12-02/target-settles-with-banks-over-2013-data-breach-for-39-million