RE: [ISN] One year later: Five takeaways from the TJX breach

From: InfoSec News (alerts@private)
Date: Mon Jan 21 2008 - 22:09:18 PST


Forwarded from: "Marco M. Morana" <marco.m.morana (at) gmail.com>
To: Adam Shostack <adam (at) homeport.org>

Adam

I published my point of view on the lessons learnt from the TJ Maxx 
incident from the security perspective on my blog. 
http://securesoftware.blogspot.com/search/label/Compliance

The fact that, according to recent studies, bad security news and a 
drop in stock price cannot be correlated is also proved in the market 
research here: 
http://www.allbusiness.com/technology/computer-networking-network-security/967200-1.html

If you evaluate the loss in the risk analysis as an intangible factor 
(loss of reputation), the impact should be more on the brand rather than 
on the stock price. In the case of TJ Maxx, the brand means the 
Marshalls, A.J. Wright, Bob's and HomeGoods chains in the USA, and the 
Winners and HomeSense chains in Canada. Correlating bad news on security 
to TJ Maxx branding should involve these brands, since this is what the 
customer perceives.

From the standpoint of the stock price information, the fact that the 
news is cross-correlated means, for example, that the recent data loss 
(650,000 credit card numbers) suffered by JC Penney has a linked history 
with the TJ Maxx loss, so this impact on reputation will continue.

I think in this case there are not really tangible losses except for the 
financial fraud component (estimated at 1 million dollars), and the 
liability loss is also quantifiable at 257 million. It would have been 
different if TJ Maxx had suffered a denial of service against the online 
web site http://www.marshallsonline.com/, as the loss of sales 
transactions per day could be quantified and directly correlated to a 
vulnerability (see what the SQL Slammer worm did in February 2003; the 
estimates back then were for a 1 billion dollar loss).

Regards

Marco


-----Original Message-----
From: isn-bounces (at) infosecnews.org 
[mailto:isn-bounces (at) infosecnews.org] 
On Behalf Of InfoSec News
Sent: Monday, January 21, 2008 1:21 AM
To: isn (at) infosecnews.org
Subject: Re: [ISN] One year later: Five takeaways from the TJX breach

Forwarded from: Adam Shostack <adam (at) homeport.org>

It's too bad Vijayan didn't bother to do enough research to find 
Acquisti, Friedman and Telang's work on the subject.

Breach disclosures almost never affect stock prices for more 
than a few days.

Adam

On Fri, Jan 18, 2008 at 01:04:14AM -0600, InfoSec News wrote:
| http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9057758
|
| By Jaikumar Vijayan
| January 17, 2008
| Computerworld
...
| Here, on the one-year anniversary of the breach becoming known, are 
| five takeaways for security managers:

| Breach disclosures don't always affect revenue or stock prices ...
|
| Despite being the biggest, costliest and perhaps most written-about 
| breach ever, customer and investor confidence in TJX has remained


___________________________________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn

This archive was generated by hypermail 2.1.3 : Mon Jan 21 2008 - 22:22:09 PST