Technology/Services

Target Data-Breach Fallout

Midsized c-store chains: valued marks for data thieves

ELLISVILLE, Mo.-- Industry ramifications from the second-largest data breach in retail history, the compromise of retail giant Target Corp. in recent weeks, may play out in the form of a letter from credit-card companies demanding that retailers show progress toward compliance with data-security standards, said one consultant focused on risk assessment.


More specifically, midsized operators with anywhere from 50 to 200 stores present what card companies believe to be one of the highest risk opportunities for future breaches, according to Shekar Swamy, president and senior security strategist for Omega ATC, Ellisville, Mo.

“Acquiring banks are taking a more proactive stance and are increasing the level of security in midsized retail operations,” Swamy told CSP Daily News in an exclusive interview, noting that convenience stores are complex retail environments with many potential points of compromise, including registers, fuel dispensers and automated teller machines (ATMs). Single-store operators may have fewer resources and are vulnerable to skimming-type breaches, but the payoff for hackers is smaller. “[Banks] see that so much needs to be done by midsized operators.”

Many midsized chains falsely believe that password-protected systems are sufficient, and that beyond that safety net, oil companies or larger third parties will ultimately come to their rescue. Both scenarios are misguided, Swamy said.

Swamy characterized the breach that occurred at Target from this past Thanksgiving through mid-December, eventually involving 40 million cardholder accounts, as sophisticated and executed with “patience.” An attack that patient needs a high payoff to be worthwhile, which is why major retailers, as well as midsize chains, must consider themselves valued marks for data thieves.

In the Minneapolis-based Target case, the breach involved malware that hackers were able to place on the company’s point-of-sale (POS) systems. Cardholder data, as well as encrypted debit-card personal identification numbers (PINs), was taken undetected over that period. Swamy said networks at most chains are centrally connected, which creates openings, with “remote access” being the method hackers use most. The malware can either sneak data out in small batches over time or collect the data for removal in a single extraction.
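The two behaviours Swamy describes, card data harvested on the POS and then moved out either in small batches or in one extraction, can both be checked for. The following Python is an added illustration, not code from the article, from Omega ATC or from any of the investigations mentioned: it scans a constructed memory buffer for Track-2 card records (the magnetic-stripe format that POS memory-scraping malware looks for), discards PAN-shaped digit runs that fail the Luhn check, masks what it finds, and then applies a size-and-count heuristic to constructed outbound flow records to flag both the low-and-slow and the bulk exfiltration patterns. The host names, IP addresses (documentation ranges), thresholds and test card numbers are all assumptions.

```python
"""
Two detection checks for the POS-malware pattern discussed above.

Constructed sample data only; nothing here comes from the Target or
MAPCO investigations. Host names, addresses and thresholds are assumed.
"""
import re
from collections import defaultdict

# Track-2 layout: ';' start sentinel, PAN (13-19 digits), '=' separator,
# YYMM expiry, 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: every real PAN passes, most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_track2(buf: bytes) -> list:
    """Return masked card records found in a memory or network buffer."""
    hits = []
    for m in TRACK2_RE.finditer(buf.decode("latin-1")):
        pan, expiry, service = m.group(1), m.group(2), m.group(3)
        if not luhn_ok(pan):
            continue            # PAN-shaped noise, not a real card number
        masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
        hits.append({"masked_pan": masked, "expiry": expiry, "service_code": service})
    return hits


def flag_exfil(flows, small_max=4096, small_min_count=20, bulk_min=5_000_000):
    """
    flows: (timestamp_s, pos_host, dst_ip, bytes_out) for outbound flows that
    have already had known payment/back-office destinations removed.
    Flags many small transfers to one destination (low-and-slow) or a single
    large transfer (bulk extraction). Thresholds are illustrative assumptions.
    """
    by_pair = defaultdict(list)
    for _ts, host, dst, n in flows:
        by_pair[(host, dst)].append(n)
    alerts = []
    for (host, dst), sizes in by_pair.items():
        if len(sizes) >= small_min_count and max(sizes) <= small_max:
            alerts.append((host, dst, "low-and-slow"))
        elif max(sizes) >= bulk_min:
            alerts.append((host, dst, "bulk"))
    return alerts


# --- constructed sample data (not from any real incident) ---
SAMPLE_MEMORY = (
    b"\x00\x00POS-APP\x00;4111111111111111=25121011000012345?\x00"  # standard test PAN, valid
    b"junk;4111111111111112=2512101?more"                           # fails Luhn, ignored
    b";5555555555554444=2606201?\x00\x00"                            # standard test PAN, valid
)

SAMPLE_FLOWS = (
    # pos-07 beacons about 1.5 KB every hour to an outside host: low-and-slow
    [(t * 3600, "pos-07", "203.0.113.5", 1500 + (t % 7) * 10) for t in range(30)]
    # pos-12 pushes one 12 MB archive out: bulk extraction
    + [(90000, "pos-12", "198.51.100.9", 12_000_000)]
    # pos-12 also makes a couple of small, ordinary requests: no alert
    + [(91000, "pos-12", "192.0.2.44", 800), (92000, "pos-12", "192.0.2.44", 640)]
)

if __name__ == "__main__":
    for hit in find_track2(SAMPLE_MEMORY):
        print("card data in buffer:", hit)
    for alert in flag_exfil(SAMPLE_FLOWS):
        print("suspicious outbound pattern:", alert)
```

The PANs are the widely published Visa and Mastercard test numbers, so nothing sensitive is embedded. The flow heuristic only works after legitimate processor and head-office destinations are allow-listed out, and the count and size thresholds need tuning against a baseline of what a register normally sends off-site; otherwise hourly loyalty or telemetry uploads will trip the low-and-slow rule.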

Going forward, Swamy said, the movement toward chip-based cards and even mobile payments is going to present retailers with additional security issues and ultimately cost. With chip-based technology, or Europay MasterCard Visa (EMV), he said, retailers are balking at credit-card company mandates, especially after having spent millions industrywide to comply with standards just a couple of years ago. That said, he added that payments at c-stores will evolve and the data-security question will not go away.

For instance, with mobile payment, Swamy said the security question runs both ways—with concerns on both the consumer and retailer sides. He said customers want to know that only the required information is pulled from their mobile devices during transactions, while on the other hand, retailers need to be confident that those same devices aren’t siphoning data from store systems.

“We have seen iTouch devices used in stores to connect into networks,” Swamy said, with some of those instances involving store employees. “Are there answers? Yes. But it does require a degree of thinking and investment to protect consumers and the retailers themselves.”

Fallout from a breach will likely hit a chain on many fronts, Swamy said. Not only will the chain be liable for a portion of the fraudulent purchases, but the damage to customer confidence and the time and resources needed to field inquiries from a concerned public can be an unexpected drain. By his firm’s account, Swamy said, it takes four years for customer confidence to return to normal.

Then there are at least 44 states where the loss of personal data becomes a government matter, exposing the chain to actions by state officials on top of class-action lawsuits.

In the case of Target, Gregg Steinhafel, its chairman, president and CEO, published a letter to customers acknowledging the breach and assuring them that the chain was taking the crime seriously.

“We understand that a situation like this creates stress and anxiety about the safety of your payment-card data at Target,” he said in a letter posted on Target’s website. “Our brand has been built on a 50-year foundation of trust with our guests, and we want to assure you that the cause of this issue has been addressed and you can shop with confidence at Target.”

That letter spoke to its customers directly and revealed key facts:

  • The unauthorized access took place in U.S. Target stores between Nov. 27 and Dec. 15, 2013. Canadian stores and target.com were not affected.
  • Even if you shopped at Target during this timeframe, it doesn’t mean you are a victim of fraud. In fact, in other similar situations, there are typically low levels of actual fraud.
  • There is no indication that PIN numbers have been compromised on affected bank-issued PIN debit cards or Target debit cards. Someone cannot visit an ATM with a fraudulent debit card and withdraw cash. [Editor’s Note: Target subsequently acknowledged that encrypted PIN information was part of the data stolen in the breach.]
  • You will not be responsible for fraudulent charges—either your bank or Target has that responsibility.
  • We’re working as fast as we can to get you the information you need. Our guests are always the first priority.
  • For extra assurance, we will offer free credit monitoring services for everyone impacted. We’ll be in touch with you soon on how and where to access the service.

Framingham, Mass.-based TJX Companies, which runs the discount retail chains T.J. Maxx and Marshalls, suffered the worst instance of retail hacking, an intrusion that began in 2005 and lingered into 2006, in which data thieves accessed at least 94 million accounts containing credit-card, debit-card and check information.

The c-store industry had a confirmed breach this past spring with Brentwood, Tenn.-based MAPCO. “Our first concern is our customers,” said Tony Miller, vice president of operations of MAPCO. At the time, Miller issued a statement saying: “We regret any inconvenience this criminal act by hackers may have caused and are enhancing our information security efforts to combat future information security threats. Through our internal investigation and collaboration with forensics security firms, we have disabled the malware that was used in this incident while establishing additional safeguards designed to prevent this from happening in the future.”

The MAPCO incident involved credit-card and debit-card payments for transactions at MAPCO locations between March 19-25, April 14-15 and April 20-21, 2013.

Upon discovering the issue, MAPCO said, it took immediate steps to investigate the incident and further strengthened the security of its payment-card processing systems to block future attacks.

