Bob Brewin reports that a class action lawsuit against the Department of Defense and SAIC over the TRICARE breach has been amended after some of the victims discovered fraudulent charges on their credit cards shortly after the theft.
Read about it on NextGov.
The complaint indicates the plaintiffs’ belief that the theft was not opportunistic but targeted.
Frankly, I don’t know how you prove the card fraud was from this theft unless there were accounts that were only used with DOD/SAIC. Given the number of breaches every day – most of which don’t make the media – if you have only a handful of cases out 5 million people whose data were misused for card fraud one month to three months later, that doesn’t sound particularly convincing to me.
What do you think?
In any event, the amended complaint makes for interesting reading and suggests what entities should not do before or after.
Update: Sang points out that the amended complaint is even more puzzling/difficult to prove because there were no credit card numbers or financial information on the stolen backup tapes. Read his commentary here.