By Steve Viuker
The massive credit and debit card breach at Target over the 2013 holiday season was only the largest of almost two dozen similar data breaches over the past year alone. But it’s the one that finally got the attention of both the banking and the merchant world to focus on the costs and consequences of a massive payment system that’s vulnerable to smart teenagers and the lack of vigilance on the part of employees and vendors.
According to various initial reports, the malware used to hack into Target’s credit card system may have been written by a 17-year-old Russian, although investigators were doubtful the programmer was involved in the actual security breach. Andrew Komarov, CEO of cybercrime firm InterCrawler, posed as a cybercriminal and chatted with the teen, and said the hacker told him he would sell him the malware for $2,000 or 50 percent of all intercepted credit cards. In an email to its Canadian customers, Target said that Canadians who crossed the border to shop in the U.S. between Nov. 27 and Dec. 15 could have had their personal information stolen. Target noted that credit and debit card information wasn’t stolen from stores in Canada, which is among the many countries that use more secure chip-based credit cards.
Target, the nation’s third-largest retailer, issues proprietary debit and credit cards known as the “Target REDcard.” The credit and debit versions of the Target REDcard were also impacted along with most credit cards used at Target stores during the breach. Attackers began skimming data from credit and debit card transactions at Target’s cash registers beginning Nov. 27 and continued to do so until the breach was shut down on Dec. 15.
The software also found its way to another Target system where it stole personal data such as email addresses and phone numbers for 70 million people.
Subsequently, The Wall Street Journal reported that the Target breach was facilitated by the use of stolen vendor electronic credentials. Target confirmed the report but did not reveal how the credentials were stolen or what portal the hackers used. The company did say it has limited access to some of its computer systems during an ongoing investigation.
Advanced hackers often try to take advantage of low-level employees or outside contractors. They then move laterally through networks to gain access to more valuable information, in this case payment card data.
The Federal Bureau of Investigation said it has identified around 20 cyberattacks in the past year similar to the one that hit Target. The U.S. Secret Service is taking the lead in the investigation into the attack on Target and other retailers but, as of the end of January, had said little publicly since the breach.
Big Distress Downstream
Saying that the safeguarding of customer information is central to maintaining public trust, Independent Community Bankers of America President and CEO Camden R. Fine called on Congress to take action to mitigate the negative impact of security breaches on the public. Additionally, ICBA called for a single national standard to replace the patchwork of state laws on data security breaches, which fosters confusion and puts consumers at risk. The association said it strongly supports notification to allow consumers to take steps to protect themselves from identity theft or fraud resulting from data breaches.
The data security breach has cost credit unions between $25 million and $30 million, according to preliminary results of a survey by the Credit Union National Association. In addition, more than one in three credit unions report having to increase staffing as a result of the breach, and 38 percent of credit unions reported that call volume from members increased 10 percent to 25 percent after the breach.
Scott Tangney, executive vice president, financial and professional services at New York City-based Makovsky Integrated Communications, warns that cyber break-ins will push consumers to other retail brands and will shake customer confidence in online sales. “Will consumers increasingly hold retailers accountable for this type of situation and the speed and course of action taken?” he asks. “Will regulators force retailers to have a certain level of cybersecurity program in place? How will the payments industry respond?”
Tangney notes that the open letter from Target CEO Gregg Steinhafel, published in newspapers and on the company’s website, was straightforward “and hit some good points,” but did not cover the steps the company will take to prevent another data breach. “Yes, it was a criminal act, but if you leave the keys in your friend’s car and it gets stolen, don’t you have some accountability?”
For Dave Kowal, the breach cuts two ways. “As a credit card holder, I feel fortunate that my credit card company addressed the matter quickly and efficiently. As a public relations professional, I believe Target has a lot of work ahead to restore its reputation. Target also needs to make a major investment in security to prevent such a breach from occurring in the future and it needs to publicize its efforts.”
Alan Towers, a senior consultant at Water & Wall Group, said, “Based on the sterile messages in Target’s public advertising, litigation protection, not reputation recovery, appears to be Target’s priority. While this may help reduce costs, it further damages the retailer’s credibility with its shoppers. Too often, the near-term certainty of litigation prevails over longer-term reputation damage with customers. This could well be a costly miscalculation in reputation management. My advice to Target: accept responsibility, coddle both the banks and customers and win back your reputation. If lost, it will be harder and more expensive to recover than the write-offs.”
The National Retail Federation declined comment to Banking New York in January, but published an open letter to House Speaker John Boehner and Senate Majority Leader Harry Reid on January 21, calling for the payment card industry to adopt the PIN and chip technology now used in Europe, Canada and many other countries. The NRF also called for a federal cyber-security law to allow the sharing of information about cyberthreats, and for a uniform federal breach notification law to allow retailers to focus on a single compliance regulation and to give consumers around the country a uniform, consistent law to protect their rights.
Thinking About the Next Move
Electronic Transactions Association CEO Jason Oxman told Banking New York in January that the Target breach could not have been prevented by the use of EMV cards alone (EMV is short for Europay – Mastercard – Visa, the three entities that developed the chip-and-PIN standard used in Europe). “It’s too early to be pointing fingers,” he said. “Target has taken responsibility for the breach of its systems. The lack of chip technology has been cited as the reason the Target breach took place. The Target breach, from what we know, was an internal breach of Target’s system and had nothing to do with EMV and would not have been prevented by EMV cards. EMV makes it harder for criminals to use stolen information to manufacture stolen credit cards, but it doesn’t prevent breaches such as the ones that happened at Target or Neiman Marcus. Target maintained its customer information in an unencrypted form.”
According to FierceRetail.com, cybercrime firm InterCrawler confirmed in mid-January that at least six unnamed retailers have been hit with data breaches similar to Target’s. Those merchants use POS systems infected with the same malware used in the Target breach. InterCrawler has reportedly alerted law enforcement, Visa Inc. and intelligence teams at several large banks regarding the discovery. A report from iSIGHT Partners, titled “Indicators for Network Defenders,” maintains that the malware used to extract personal data from POS terminals at store check-outs was “almost certainly derived” from BlackPOS software that contained malware scripts with Russian origins.
“The issue of credit card data theft is larger than any retailer, any bank, and even than any country. It is transnational, trans-industry, and growing rapidly,” said Davia Temin, president of Temin and Company. “It is a powerful form of financial terrorism. The remedies to the problem need to transcend specific companies and industries. That means cooperative efforts of government law enforcement, across borders and in cooperation with private security. I do doubt that governments will have the resources to help banks with costs, however. Bank ‘bailouts’ are such a red flag to the public that I doubt that there is an appetite for the government to help subsidize banks or retailers for their losses. The real solution will only come through multiple-party cooperation to help identify and stop the behavior, as well as [to] find technological solutions to lessen the impact of the theft.”