Breach risk a retail reality
Target, eBay, Michaels Stores, Neiman Marcus, P.F. Chang’s and SuperValu — the parent of Shoppers Food & Pharmacy. It reads like a who’s who of American retail and dining, but it’s also a list of companies that lost customer data to cyberattacks in the past year.
Data thieves are striking with alarming frequency and, more and more, security experts say, they target the places where people shop.
The swipe of a credit card, the wave of a mobile phone at Starbucks, logging into retailers’ sites via Wi-Fi — increased connectivity, from mobile devices to cloud computing, has opened the door wide for cybercriminals.
Reports of data breaches, relatively rare even five years ago, crop up constantly. Cyberattacks are growing in size, too, with tens of millions of consumers potentially facing the prospect of having their identities or credit or debit card account information stolen. One breach of 100 million records or more has been reported in each of the last four quarters, according to SafeNet, a data security company.
“People connect from everything to everywhere, and there’s no perimeter anymore,” said Tsion Gonen, SafeNet’s chief strategy officer.
Criminals target retailers because they have access to vast quantities of sensitive information, such as credit card data, through online and in-store payment systems.
“It’s incredibly pervasive and almost unfair to single out specific retailers, because it’s just so pervasive,” Avivah Litan, a security analyst at technology research firm Gartner. “Some of them are disclosed and a lot of them aren’t. Some don’t even know they are breached. It’s an epidemic.”
Through July this year, more than 385 million customer data records were stolen worldwide. Nearly 40 percent of all records stolen were from retailers, who were harder hit than the financial, technology, government and health care industries. (Though last week, JPMorgan Chase & Co., one of the nation’s largest financial institutions, said its sophisticated threat-detection system missed a huge breach of its systems, resulting in the loss of customer data this summer.)
During the first half of the year, retail breaches nearly tripled to more than 150 million records stolen compared with the first half of 2013, according to SafeNet, which tracks cases through its Breach Level Index — a database of breaches that calculates their severity.
Cybertheft is often difficult to trace and perpetrators can be nearly impossible to locate — especially outside the United States. And the underground market for stolen credit card information is thriving, Gonen said.
The average consumer hears about a big retail breach and assumes the company failed to protect itself, Gonen said. But that’s not necessarily true.
“Everybody gets hacked” or has the potential to be victimized, he said, including “people who customers trust and data is their business.”
In May, eBay announced that 145 million customer accounts were exposed by hackers. In April, Michaels Stores reported that credit card information for 2.6 million customers may have been stolen over a period of months starting last year. In January, Neiman Marcus confirmed that 1.1 million customers’ card information was stolen.
Just this month, P.F. Chang’s, SuperValu and UPS Stores reported data breaches. P.F. Chang’s, an Asian-inspired restaurant chain, said it lost an unknown number of records from 33 locations between April and June. UPS said 51 stores in 24 states were breached.
The SuperValu breach affected an unknown number of customers at 180 stores. SuperValu said its breach occurred in the computer network that processes payment cards at some stores, where account numbers, expiration dates and/or cardholder names could have been stolen.
Consumers may not be able prevent credit or debit card fraud, but they can take steps to protect themselves and minimize damage, the Federal Trade Commission says. Shoppers should save receipts to compare to statements, review bills online right away or often, and report any questionable charges to the card issuer, the FTC suggests. Retailers that get hacked typically offer free credit monitoring services to their customers.
Companies that are breached often hire security firms to investigate and contain the breach to allow shoppers to continue using their cards.
One of the largest breaches in history occurred in November and December at Target, where the payment card data of 40 million shoppers and personal data of 70 million shoppers were stolen.
John Mulligan, Target’s chief financial officer, told a U.S. Senate committee in March that the company believes “intruders” obtained an HVAC vendor’s credentials and somehow moved into the retailer’s network to place malware on point-of-sale registers. The software apparently captured payment card data from the magnetic strip of credit and debit cards before they were encrypted within the system, Mulligan said.
Target later found that levels of fraud were less than expected. During testimony to the Senate Commerce, Science and Transportation Committee, Mulligan said the Target-branded REDcard had only a 0.1 percent increase in fraud after the breach.
Shoppers “should feel confident about shopping at Target,” Mulligan told the committee. “We work hard to protect their information. But the reality is we experienced a data breach. Our guests expect more and we are working hard to do better. We know this has shaken their confidence and we intend to earn it back.”
After a breach, retailers struggle to regain customers’ trust, even though the perception of damage may be greater than the actual fraud, Gonen said.
A SafeNet consumer study found that nearly two-thirds of 4,500 people surveyed in the United States, United Kingdom, Germany, Japan and Australia said they would never, or were very unlikely to, shop or do business again with a company after financial data was stolen. Target sales initially took a hit after its data breach, but appear to have rebounded in recent months.
Target’s situation was unique in that the data stolen came from its offline point-of-sale system, rather than where the data is stored, Gonen said.
Attackers typically look for “the point of least resistance and try to take advantage of it,” Gonen said.
He contends that many companies have a flawed approach to cybersecurity, focusing too heavily on breach prevention, such as firewalls or antivirus programs — “the technological equivalent of airport scanners” — at a time when “there’s no one perimeter,” he said.
SafeNet directs its clients to accept that a breach can happen, use technology to help detect breaches earlier and better understand potential vulnerabilities, and work to minimize the impact once a breach has occurred.
A growing part of SafeNet’s business — across retail, government, health care, technology and other industries — is data encryption, technology to make stolen data unreadable and thus worthless after cybercriminals break into a corporate network.
Within the credit card industry, little data is encrypted besides personal identification numbers and there is no standard approach for encryption, Gartner’s Litan said. She said Visa and MasterCard are moving toward using an encrypted chip instead of magnetic stripe.
The United States has lagged behind other countries in moving to the EMV cards with microprocessors, but most credit card companies expect to shift to the newer technology by next year and some merchants already have the technology in place.
“There are a lot of shotgun approaches,” Litan said. “They should be putting in a standard solution.”
The threats are prompting retailers to boost their information technology security funding.
A global security survey released this month by Forrester Business Technographics showed 41 percent of retailers surveyed increased funding in the wake of recent high-profile cyberattacks.
Publicity over breaches have made consumers more aware and careful with their information, Gonen said.
“People won’t click every link or open every email,” he said, but often convenience wins out.
“Everything is online. You can’t live without a credit card.”