On Apr 11, 2015, at 11:53 AM, Benjamin Dean < > wrote:

Hi XXXXXX,

You need only go to the respective companies' 10-Q reports to find the data I have cited. In those reports, each company explains what is included in their estimated data breach related expenses. Target has got the most detailed breakdown of gross, net of insurance, net of tax figures.

I don't know where a $17bn estimate could come from. Target's recent settlement of a class action lawsuit related to the data breach was $10mn. That's significantly less than even $1bn and suggests that the final legal bill will not be a catastrophic amount for a company that does $75bn in revenue each year.

Best,
Ben.
On Sat, Apr 11, 2015 at 8:54 PM, XXXXX <XXXXXXX> wrote:

Benjamin,

I have already been through the 10Qs of Target and Home Depot some time ago. If I were to guess, the computations in question only considered the net of the breach after insurance and the cost of that insurance Year over Year. Yet, since legal and reputation risk are directly proportionate to the loss experienced by the customer rather than Target, the actual risk to Target in direct financial terms is proportionate not to the fines paid to the Credit Card Acquirers for replacing lost or stolen credit cards, $61 million, but the fraud on those lost or stolen cards.

Being aware of Target's 10Q you know of the 80 pending lawsuits related to the breach whose costs are not yet accounted for. A group of banks now has standing to sue Target for liability for fraud against the breached credit cards as it seems possible to prove Target did not engage in due care over protection of the cards. Further, even banks which are considered able to understand and take considerable credit risk may have faced extraordinary risk even for an informed risk management team. Thus, the lawsuits are proceeding.

Consider a simple model of the pending financial risk of such a lawsuit. The easiest being that Target ranges in liability for 5% to 100% liable for consequential credit card fraud. This is a simple estimate to gauge both consequential legal risk and reputation risk effects from adversely affected credit card holders. The lawyers' fees of the settlement would be trivial, near 1.2 million, so these have been neglected.

A) Lexis Nexis reports that near 30.1% of persons involved in a data breach face consequential exploits in 2014. (The California Attorney General has been using Lexis Nexis consequential exploit statistics as a credible authority in her annual reports for some years now. These reports will likely have considerable legal weight.)

B) The FBI IC3 studies of reported fraud instances average near $1745 across all 50 states; this varies somewhat per year, but for order of magnitude results, consider this a first guess. (The FBI Fraud Statistics in its IC3 reports are also noted for having considerable legal weight.)

Thus, fraud risk per credit card breached can vary but might reasonably average near $1745 * 30.1% = $525.24 per breached card.

It is said that all models are wrong but some are useful. Consider what happens when $525.24 per breached card, as an average fraud loss of citizens at random across all 50 states, meets 40 million breached credit cards.

$500 * 40 million = 20 Billion USD.

From the 10Q of Target, one may see a Cash Flow From Operations near 5.6 Billion USD. Thus, if Target were held 100% liable for consequential fraud on the Credit Cards breached, a hidden number in the 10Q, the outcome of its 80 lawsuits pending related to the breach could cleanly eclipse any costs reported by Target so far.

Typically, when a consortium of banks does successfully sue a firm for consequential fraud of credit cards, it is rare that these hold the merchant 100% liable unless compelling defects in PCI Compliance factors are involved. Forensic studies of computers are used as part of liability assignment. Often the Credit Card Acquirers have just cause for 100% liability assignment but choose not to press their legal case to harm otherwise mutually profitable uses of credit cards by customers. Thus, if Target were to have done a substantially good job protecting its Credit Card processing systems, it may face a 5% liability assignment should the case of negligence be proved in court. Yet, cases of 25% and 100% liability assignment are occurring and often settling out of court by consent decrees.

Consider a 5% liability ruling against Target, which I would judge to be an unlikely low, but possible legal outcome.

- 20 Billion * 5% = 1 Billion USD

As an investor, reading 10Q statements one realizes that it is quite routine for firms to hold off on reporting on pending litigation and writing the loss off as an extraordinary one-time expense; even if the settlement involved time payments, these can be lumped using NPV computation techniques in a completely GAAP acceptable manner of corporate accounting. Thus, reading the 10Q statements I could easily observe that Target may not be telling its investors something that its legal team likely already knows. Target will likely face another 1 to 20 Billion dollar cost for its breach that is not yet reported and likely will not settle until 2016.

I hope this helps when considering how a thoughtful analysis of 10Q statements, legal trending in final settlements of data breach losses and true costing of breaches might lead me to ask you for further detail. How is it possible to make policy based on known 10Q commissions of critical data and unresolved GAAP standards of reporting Data Breach Risk Exposures by firms?

Now that I have shown you a really basic basis for my extended analysis numbers, can you please describe whether you used gross cash losses or the net after insurance cash losses in your analysis? It really is a simple question.

Best Wishes,
On Apr 12, 2015, at 8:55 AM, Benjamin Dean < > wrote:

XXXXXXX,

For Target, the figures I have cited refer to the $248 million of cumulative expenses, partially offset by expected insurance recoveries of $90 million, for net cumulative expenses of $158 million. Once the tax deductions are made to these expenses, the final expenses are $105mn. The table, derived from the 10-Q, can be found in the original article: https://theconversation.com/why-companies-have-little-incentive-to-invest-in-cybersecurity-37570#ftag=YHF87e0214

In these 10-Q reports, Target specifically states that, "breach-related expenses may include costs for reissuing cards, lawsuits, government probes and enforcement proceedings, legal expenses, investigative and consulting fees, and capital investments." While we aren't given a breakdown of each individual component, we know that lawsuits are included in the totals.

Has Target decided to delay reporting on its pending lawsuits related to card fraud? All we can say now is maybe. The only certain losses we know of are disclosed in the 10-Q reports. This is a better basis on which to make policy than extrapolations, estimations with large ranges and future scenarios without probabilities.

Regarding your estimates - I'd like to make a few comments because I too have been grappling with this same question.

The reason I find $20bn an unlikely number is that, according to the 2013 Federal Reserve Payments Study, the total card-present and card-not-present fraud for 2012 - across the entire USA and all transactions - amounted to $3.8bn. How could Target possibly face an impending $20bn bill for card fraud when this figure is 5x more than the total amount of card fraud that occurs each year?

In terms of the components of your estimate, the average loss is not a good measure to use here given that fraud losses do not follow a normal distribution. Rather, they're closer to a bifurcated distribution where there are a lot of small amounts and some very large amounts. The median would be a better measure to use. Both the IC3 and FTC Consumer Sentinel data indicate that the median amount typically lies between $300-510.

The 30% figure is also not believable when one considers just how hard it is to commit card fraud. Cormac Herley's paper is a great resource in that it explains the difficulty in actually committing card fraud at scale (which is what we're talking about with tens of millions of cards). In short, the difficulty lies in the information asymmetries between fraudster and card holder. Add to this the anti-fraud systems banks employ to detect anomalous spending patterns (which you've mentioned). http://research.microsoft.com/apps/pubs/?id=192110

This pattern seems to have emerged. If you take Target's CFO and Visa's Chief Risk Officer's word, the extent of the fraud was quite low. For Target brand cards, the uptick in fraud was 0.1% (I unfortunately don't know the total fraud figures for Target but this statement would suggest that it is not a large amount). For Visa cards involved in the breach, the estimate is a fraud rate of 2-5% of all cards related to the breach.

I'd also question whether 40 million is a sensible number to use. Another key detail is that only, "12 million of these customers lost both payment card data and personal information in the heist." This is a key number because it tells you how many card numbers + personal info were stolen. To commit fraud successfully, one requires both sets of information. The probability of fraud being successfully committed on these cards is much higher (though not 100%) than the other cards. (see: http://www.bloomberg.com/bw/articles/2014-03-26/three-new-details-from-targets-credit-card-breach)

So where does that leave us? In short, we're definitely below $1bn in card fraud. We're sitting on a maximum fraud amount of:

$399 per card * 2-5% of 40 million cards = $319-798 million

Or a mid-range estimate of:

$399 per card * 5% of 12 million cards = $239 million

Or a floor of:

$399 per card * 2% of 12 million cards = $95 million

Each one of these numbers can be multiplied by the amount that Target is held liable for (5-100%) and you are not reaching $1bn. This all looks consistent with Target's disclosures to date.

I'd like to repeat something here - because I think we both agree - that for policy decisions to be made we require reliable, verifiable estimates. Something I've discovered in the course of all this work is how opaque the whole cost accounting is for data breaches. I trust you understand the difficulty in making definitive statements in what is a very opaque environment. I prefer to use data relating to actual losses, though there aren't many out there. Most prefer to use estimations, extrapolations and - in the worst instances - pure speculation.

I hope my little piece contributes in some way to a larger conversation about the real risks involved in data breaches and cyber-security more generally.

Best,
Ben.
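The two estimates traded in the messages above (the mean-based $20bn model and Ben's rate-based sub-$1bn range) are the same expected-loss product with different inputs. The Python below is an added illustration, not code from either correspondent: it reproduces both sides' figures from one function and, with a constructed loss sample, shows why a skewed distribution makes the median the more honest per-card input.

```python
"""Expected-loss arithmetic behind the two breach-cost estimates in this thread.

Added illustration, not code from either correspondent. The inputs are the
figures quoted in the e-mails; the loss sample at the bottom is constructed.
"""
from statistics import mean, median


def fraud_exposure(loss_per_card, fraud_rate, cards_breached, liability_share=1.0):
    """Expected cost to the merchant in USD:
    per-card loss x share of breached cards actually defrauded
    x number of breached cards x share of that fraud the merchant is held liable for."""
    return loss_per_card * fraud_rate * cards_breached * liability_share


def thread_estimates():
    """Reproduce both sides' figures (USD) from the same formula."""
    return {
        # Mean-based model: IC3 average $1745 x LexisNexis 30.1% x 40M cards,
        # at 100% and at 5% liability (roughly the $20bn and $1bn quoted)
        "mean_model_100pct": fraud_exposure(1745, 0.301, 40e6, 1.0),
        "mean_model_5pct": fraud_exposure(1745, 0.301, 40e6, 0.05),
        # Rate-based model: $399 median x 2-5% fraud rate x 40M or 12M cards
        "rate_model_max": fraud_exposure(399, 0.05, 40e6),
        "rate_model_min": fraud_exposure(399, 0.02, 40e6),
        "rate_model_mid": fraud_exposure(399, 0.05, 12e6),
        "rate_model_floor": fraud_exposure(399, 0.02, 12e6),
    }


# Constructed, heavy-tailed per-victim loss sample: many small losses, a few huge ones.
SAMPLE_LOSSES = [120, 180, 250, 300, 350, 400, 420, 480, 510, 600, 9000, 25000]


def mean_vs_median(losses):
    """Why an average misleads when losses are skewed: a handful of large cases
    pull the mean far above what the typical victim actually lost."""
    return mean(losses), median(losses)


if __name__ == "__main__":
    for name, usd in thread_estimates().items():
        print(f"{name:>20}: ${usd / 1e6:,.1f} million")
    avg, mid = mean_vs_median(SAMPLE_LOSSES)
    print(f"sample mean ${avg:,.0f} vs median ${mid:,.0f}")
```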
On Mon, Apr 13, 2015 at 1:59 AM, XXXXXXXXXX <XXXXXXXXXX> wrote:

Benjamin,

Thanks for input to the original question. Do you have a cited reference on maximum CC fraud? I have never found a reliable one and often the pull for data amounts to a smoke and mirrors estimate. Lexis Nexis statistics are pulled from actual fraud data. Most measured T-tests do not support substantial differences between private reports of fraud vs fraud reported to the authorities, so good public sources will do. If you find such numbers unreasonable, can you cite a more reasonable, pure data based source? Most public authorities point back to Lexis Nexis for their assessments. So, I am afraid the 30.1% number is from a sample size large enough to justify a 95% confidence interval on those 3 digits. The number gets re-measured each year and so may move on a Year over Year basis. There is enough data for a small sample year over year trend line, but it does not yet meet my standards, though in the next few years it likely will.

There is plenty of work for all concerned in the supply and demand area of vulnerability vs attacker behavior. In this area, Medical Payment and Medical Identity impersonation is actually less regulated and is presently commanding higher fence prices for stolen data.

Still, I am quite sure that the most recent lawsuit pending for Target already has passed a review for legal standing. This means there is credible reason to assert negligence and there is actual harm beyond the numbers already stated by Target.

Best Wishes,
XXXXX,

The reference I cited is the 2013 Federal Reserve Payments Study. The full report is available here: https://www.frbservices.org/files/communications/pdf/general/2013_fed_res_paymt_study_detailed_rpt.pdf

The methodology section is extensive and explains all you need to know about how the estimates are generated. From p89-90:

The 2013 DFIPS estimates were based on data reported by a stratified random sample of depository institutions... The respondents selected were sampled from the population of insured depository institutions in the United States, including credit card banks. The population included commercial banks, state-chartered and federally chartered savings institutions, and credit unions. Domestic branches of foreign-owned banks were not sampled.

Ben.