Thursday, 20 May 2010

The True Cost of a Hack


Albert Gonzalez, the hacker who stole over 170 million credit card records from top retailers and credit card processors was sentenced to 20 years in prison a few months ago. Preparing for a presentation recently, I was reminded of just how huge the impact this hacker, working with what appears to have been a small group of accomplices, had on the US economy. As part of the court proceedings the US Department of Justice applied multiple calculations with legal precedent for estimating the losses the hacker’s exploits caused. These estimates range from $400-$780 million USD. Heartland, one of the worst affected targets, claims losses of over $130 million USD already due to legal fees, settlements, and fines.

These calculations got me thinking: how should we measure the cost of a breach like this? Most mechanisms focus on the amount of money the hacker actually got out of the stolen accounts, or could feasibly have gotten out of them, or otherwise try to measure direct monetary loss to the victim or gain to the hacker. But what about the tens of thousands of identities that could be stolen using information gathered in the attacks? These soft costs seem to be the true risk of insecure software, and they are much, much greater than any direct financial loss. Until we place some legally relevant value on them, we won't truly be able to measure the impact of a breach or justify the investments needed to counter the risk.

Posted by jwest at 5:02 PM in Fortify
