Monday, January 11, 2010

SQL Injection + PII = $60 Million Fine

The Heartland settlement for their massive 2009 compromise will end up costing $60 million. It appears that the number could have been substantially higher, since Bob Carr, Heartland's CEO, referred to this amount as "fair".

To recap the original attack, this was an application-security vulnerability that exploited SQL Injection flaws. Further, the attack also leveraged a lack of encryption on the internal network to enable sniffing of clear-text sensitive data.
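As an added illustration (not from the original post, and not code from the Heartland incident), here is the pattern behind a SQL Injection flaw against a table holding PII, beside the parameterized fix. The table, usernames and masked card values are constructed for the example.

```python
"""Constructed example: a customer lookup over a PII table, first built by
string concatenation (injectable) and then with a bound parameter.
All data here is made up; nothing is taken from the Heartland case."""
import sqlite3

# Constructed sample PII table (fake names and fake masked card fragments).
SAMPLE_ROWS = [
    ("alice", "Alice Example", "4111-****-****-1111"),
    ("bob", "Bob Example", "5500-****-****-0004"),
    ("carol", "Carol Example", "3400-****-****-0009"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (username TEXT, full_name TEXT, card_masked TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Injectable: user input is spliced into the SQL text, so the input
    can change the query's meaning and expose rows it should not."""
    sql = (
        "SELECT full_name, card_masked FROM customers WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened: the input travels as a bound parameter, never as SQL text,
    so a tautology in the input is just a literal compared against username."""
    sql = "SELECT full_name, card_masked FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "nobody' OR '1'='1"
    print("vulnerable:", len(lookup_vulnerable(db, crafted)), "rows")  # every customer
    print("safe:      ", len(lookup_safe(db, crafted)), "rows")        # zero rows
```

A code review or assessment that flags every query built by concatenation, as the post recommends, catches the first form before it reaches production.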

I leave you with this point for consideration: take a look at your application security budget for your critical applications. How does the budget compare with the potential for a $60 million loss? Are you confident in your secure development processes, code review, and application security assessments?

Take a look at OWASP ASVS to evaluate the quality of your application security efforts.


-Michael Coates