NASA hacker compensation payment refusal case highlights the high cost of data breach remediation

Reports that a Romanian hacker has refused to compensate the US government for the hacking of various government systems come as no surprise. The case is interesting because the order to reimburse the US government was made in a Romanian court, after prosecutors realised they could not extradite the 27-year-old hacker to stand trial for hacking the servers of NASA, the Department of Energy and the US Navy.

But more than anything, the case brings home the very real costs associated with remediating a data breach. It is not just the cost of mopping up after the hacker(s); it is the cost of putting things completely right after the event.

The US government originally claimed that the cost of remediation came to $1.5 million, which is a figure few normal people could ever have paid. They would probably go bankrupt instead, as that would be cheaper in the long run. $240,000, however, is a feasible amount, especially if the person concerned has assets such as a house or a business.

The case should act as a clear warning to anyone involved in IT security management, as it shows the very real costs of putting matters right when things go seriously wrong and an organisation’s IT security is compromised.

It is unlikely that the US government will ever be able to recoup the cost of remediating the various systems breaches caused by the Romanian hacker in the last decade, he explained, but the size of the expenditure involved is almost certainly a lot higher than the cost of deploying effective security to defend the servers concerned.

Good IT security is never as expensive as many people think it is – and will always be cheaper than the very real costs of mopping up and making good after a data breach.

Dr Larry Ponemon, the founder of the Ponemon Institute, has stated many times in his various reports that the real costs of remediating a data breach are very significant. His latest report in March, for example, found that the cost had reached £1.9 million per incident, a figure that has risen steadily in recent years.

That figure is 13 per cent up on a year earlier, which was itself up 18 per cent on the year before that. A two million pound price tag on a data breach is a lot of money. It is a lot cheaper to defend an IT platform.

Andrew Kemshall is co-founder of SecurEnvoy. Before setting up SecurEnvoy, which specialises in tokenless two-factor authentication, Andrew worked for RSA as one of their original technical experts in Europe, clocking up over 15 years’ experience in user authentication. His particular specialty is two-factor authentication in the fields of architecture, design and development of next-generation authentication software.