January 16, 2014
Target reacted swiftly to its enormous data breach, but the chain is far from the only company scrambling to mitigate damage from the online assault, retail and security experts say.
“Every retailer on the planet now considers themselves under attack,” said Robert Siciliano, online security expert at McAfee, a computer-security software company.
Target reported in December that criminals had gained access to 40 million shoppers’ credit- and debit-card information on Nov. 27 — the day before Thanksgiving and just ahead of one of the busiest shopping days of the year — and maintained access through Dec. 15.
Last week, Target said that additional data had been stolen, affecting as many as 70 million customers.
Luxury retailer Neiman Marcus also reported last weekend that hackers stole credit- and debit-card information from as many as 1 million customers and made unauthorized charges over the holiday season.
The security breaches have left those retailers with a huge and costly problem as they work to remedy things for affected customers.
Judy Smith, 60, of Columbus, still shops at Target, but her trust has been shaken.
“We probably don’t hear about all the breaches that happen,” she said. “I’m leery about all shopping now.”
To address those concerns, Target has emailed customers about the data breach and taken out full-page ads in major newspapers, including The Dispatch, apologizing for the problem and pledging to make things right. Target sent out another email yesterday, following up on previous alerts.
Overshadowing the immediate mop-up situation, however, are the larger questions of who did it, how they did it and how similar attacks can be stopped.
“Whenever there’s a crime of this magnitude, I don’t think the public is ever relieved until they catch the guys who did this,” said retail analyst Chris Boring, principal at Boulevard Strategies.
Several local retailers declined to comment on their practices or concerns, but their trade group, the National Retail Federation, is pushing hard for remedies.
“The bottom line is we want the payment system to be secure,” said Mallory Duncan, the federation’s general counsel. “It’s no value to us or customers to see these kinds of problems. Under the current system, retailers have to eat a lot of fraud costs.”
The cost is staggering. Credit- and debit-card fraud resulted in losses of $11.27 billion during 2012, according to the “Nilson Report,” a newsletter focusing on the payment industry. Card issuers incurred 63 percent of the losses, while merchants bore the other 37 percent.
“We want to see that fixed,” Duncan said, “but that means a fundamental change to the way cards are designed.”
Credit cards in the United States use a magnetic stripe that contains cardholder information. But most of the rest of the world has upgraded to cards that contain a microchip — a far-more-secure technology, Duncan said.
Combining the microchip with a PIN — personal identification number — for each card would make cards much more secure, Duncan said.
While the move to upgraded cards is needed and expected to happen by next year, it might not solve problems like the ones that affected Target and Neiman Marcus, security expert Siciliano said.
“My understanding of Target security is it’s rock-star quality,” Siciliano said. “They did everything right. This goes way beyond that. It’s much bigger than (card technology).
“But (the criminals) would have compromised the data regardless of whether it was old or new technology,” Siciliano said. “They reached the data via point-of-sale terminals. What we’ve been told is that malware was stored somewhere in the system, so if the data has been breached beyond the card, it doesn’t matter what kind of card it was.”
This is the reason, he said, that retailers are now combing through their data systems, looking for hidden malware.
How did criminals breach Target’s highly rated data security and manage to infect the retailer’s computer system?
“It’s the human element that ultimately makes us vulnerable,” Siciliano said.
Target and Neiman Marcus likely were the subjects of an advanced persistent threat, or APT, “where criminal hackers work 24/7, 365 days of the year to penetrate a particular network,” he said. “These criminals look at entire infrastructures and do their best to scientifically figure out exactly what’s in place, what kind of security envelops that infrastructure.”
If the criminals determine that a company’s infrastructure is essentially bulletproof, next they’ll target employees who are responsible for maintaining the networks.
By looking at employees’ social-media profiles, criminals can glean personal information. “Maybe they’ll find out whatever Cub Scout troop their kids belong to,” Siciliano said. “So, they’ll send that person an email saying, ‘Troop 606 has been chosen for a charity event. Here’s a link to that charity.’”
The idea is to get that person to click on the link, which then will infect the Target employee’s home PC. If the Target employee logs in remotely to access Target’s security network, the criminals have successfully found their way past all of Target’s otherwise elaborate security precautions.
Target has not disclosed how the data breach occurred. However, the retailer’s email to customers yesterday did include this cautionary note: “Don’t click links within emails you don’t recognize.”
While retailers scramble to secure their data systems, can customers who use credit cards do anything to boost security?
“Ultimately, security involves paying attention to your monthly statement, or weekly via online statements or daily via applications,” Siciliano said. “That’s what I do. I look at all my charges every day.”
For Target, the cost of litigation, issuing new Redcard credit cards and other expenses could push the company’s earnings down by 20 percent, retail analysts have estimated. Target said earlier this week that it would spend $5 million to communicate with its customers about the data breach.
“Target is doing just about everything that it can to handle this crisis,” said retail analyst Boring. “They’re being open and honest about what happened and what the next steps are.”
Even with the effort, the Redcard program “is done for them,” Boring said, referring to the company’s own credit card. “I think they’ll have to replace it with something else.”
All retailers struggled with a lackluster holiday season, but “the news about the data theft could cause additional (sales) softness,” said Kimberly Noland, director of high-yield research at Gimme Credit, an independent corporate-bond research service.
While earlier data breaches “were mostly shrugged off within a few months,” the Target and Neiman Marcus situations might be different, Noland said in a note to investors.
Carlos Gutierrez, 39, of Columbus, has experienced credit-card fraud, although he wasn’t a victim of the Target breach.
“My wife was checking her credit-card activity this morning just to be safe,” he said. “We can see now that it can happen to anyone. You should protect yourself and move on.”
Dispatch Reporter Jessica White contributed to this story.