This is the first of a multi-part series on the actual costs of data breaches and possible solutions that can be leveraged to protect your organization's data and bottom line.
As the risk of cyber threats and data breaches increases every year, so do the penalties and fines levied against the institutions entrusted with securing consumers' personal, medical and financial information. On July 14, 2022, the Consumer Financial Protection Bureau (CFPB) fined Bank of America $100 million for mishandling the disbursement of state unemployment benefits on prepaid debit cards: a faulty fraud detection program automatically froze people's accounts, and legitimate account holders were left with no recourse even though no fraud had occurred. Separately, the Office of the Comptroller of the Currency (OCC) fined Bank of America a further $125 million over the same conduct.
Specifically, Bank of America contracted with the State of California to distribute unemployment benefits on prepaid debit cards from the fall of 2020 through mid-2021. During this period it deployed an AI fraud filter built on a simple set of flags that automatically triggered account freezes. The result was that thousands of legitimate cardholders were denied the funds they needed in the middle of the COVID-19 pandemic.
Perhaps the most frustrating part is that most of the fraud probably could have been prevented, and legitimate accounts left untouched, if better authentication methods had been used: specifically, methods that go beyond a password or a one-time password (OTP). The cost of that kind of "prevention" would have been only 1%-2% of the $225 million in fines.
Bank of America is only the most recent cautionary tale. It is far from the only example of prevention costing much less than remediation, but rarely is the disparity this extreme. And that is before counting the "hidden" costs that never appear on a balance sheet: increased scrutiny from auditors, loss of customer trust and a damaged reputation. Who can forget Uber ($148 million), Marriott ($200 million) or the legendary Epsilon breach of 2011 ($4 billion)?
In our next chapter, we'll explore what the best strategies are for preventing your organization from becoming our next cautionary tale. (Here's a hint: it involves FIDO.)
Coming in part 2, a closer look at PSD2 and Strong Customer Authentication.