Retail Breaches: Who's Next?
What Institutions Can Do While Awaiting the Next Big Breach
First Target, then Neiman Marcus; who's next? And while banking institutions await the next attack, how should they respond to customers' anxious questions about this latest round of high-profile retail data breaches?
According to industry insiders, it's likely more retailers, beyond Target Corp. and Neiman Marcus Group, have suffered breaches that potentially exposed payment card data. But it may take weeks before we get a full picture of this most recent wave of point-of-sale attacks.
Based on what we know of the Target and Neiman Marcus breaches, attackers probably spent months testing vulnerabilities in U.S. POS networks and systems, says Beth Diamond of Beazley Breach Response, a cyber-insurance and risk mitigation provider.
"Hackers may have found a vulnerability one place and capitalized on it in systems elsewhere," she says. "It could be a similar vulnerability from the software or the configuration of the systems. We will know more when we know what the Secret Service has been investigating."
The message to banking institutions: Brace for more card fraud linked to retail compromises. Whether that means simply reissuing all cards linked to a potential attack, or enhancing monitoring of cards identified as being compromised, will vary by institution, experts say.
All institutions, however, should review their cybersecurity insurance options and start working more directly with the card brands and banking associations to ensure they stay informed about any new breaches.
"As soon as a breach happens and customers' information is at risk, banks want to know," says Steve Kenneally, vice president of the American Bankers Association's Center for Regulatory Compliance. "But the chronology doesn't always work like that. So, you just have to keep your eye on all of the accounts."
Latest Developments
Since initially acknowledging its breach via e-mailed statements and social media on Jan. 10 and 11, Neiman Marcus has been silent about its incident. There are no public statements or press releases about the breach on the retailer's website, and the Facebook and Twitter postings have been business-as-usual since Jan. 11.
This silence frustrated some customers. One vented on the Neiman Marcus Facebook page. "Why aren't you releasing more info on the credit card hack?" the customer wrote, adding: "I think it's pretty disgraceful that you've known about the breach since mid-December and didn't tell your customers. We need to know this information to prevent identity theft!"
Target, on the other hand, which acknowledged its breach on Dec. 19, has maintained steady communication with customers. On Jan. 13, Target CEO Gregg Steinhafel was featured in a CNBC interview, pushing for the implementation of stronger card technology, such as chip cards that would replace cards with magnetic stripes, which are vulnerable to skimming.
"We are not going to sleep until we get it right and we regain the trust of our guests," Steinhafel said. "And we're [going] to be better as a result of this."
In that same interview, Steinhafel confirmed that the breach resulted from malware installed on the company's point of sale registers to steal customer data.
On Jan. 14, Target ran an ad in big-city newspapers in which Steinhafel outlined security steps the retailer has taken. The ad says, for example, that Target "closed the access point that the criminals used and removed the malware they left behind." It also reiterates an offer of free credit monitoring for Target customers.
In the ad, he states, "In the days ahead, Target will announce a coalition to educate the public on the dangers of consumer scams. We will also accelerate the conversation - among customers, retailers, the financial community, regulators and others - on adopting newer, more secure technologies that protect consumers."
Even Macy's Inc. - a retailer that has not been linked to any recent breaches - addressed these incidents, with chairman and CEO Terry Lundgren telling CNBC on Jan. 13 that securing consumer data is a shared responsibility.
"The retailers, the banking industry [and] the credit card industry should be working very closely together to figure out what is the right technology to protect the consumers ... and then work around the solutions from there," Lundgren said.
Payments Under Attack
What is clear from these recent breaches, experts say, is that cyber-attacks against the payments infrastructure are evolving.
"Two years ago, you had a rash of payment processor breaches, Global Payments being one of the larger ones," says Beazley's Diamond. "The hackers now have gone from the payment processors to the retailers."
In 2013, several smaller retailers were targeted by malware that exploited POS software and network vulnerabilities (see Retail Breach Contained; Fraud Ongoing). These smaller organizations often have less sophisticated and secure systems, which make them prime targets for attackers.
But the Target and Neiman Marcus breaches prove that even some of the larger retailers are vulnerable to attack - often through the point of sale.
Andrew Komarov, CEO of the cybercrime intelligence firm IntelCrawler, says Windows-based POS devices and systems have opened new doors for hackers. "Some POS terminals encrypt communications with the host computer, but some temporary data will be stored in the RAM [random access memory] of the Windows-based PC because of its memory architecture," he says. "It is impossible to erase it 100 percent."
Cybersecurity attorney David Navetta, a partner at the Information Law Group, says one of the greatest security concerns for the U.S. payments industry is poor POS integration. This is why the Payment Card Industry Security Standards Council has recently focused more attention on training for POS software integrators and PCI education for retailers (see PCI Update: Focus on Third-Party Risks).
Breach Response: Not an Issue
Both Target and Neiman Marcus have been criticized by some for the lag time between when the retailers learned of the breaches and when they acknowledged them. But Navetta says breach response in each case was prompt.
"These were reasonable timeframes for notification," Navetta says. "In Target's case, we now see why reporting a breach too early can create problems. We already see different numbers being reported - first 40 million and now more than 100 million. That is the problem with rushing out to give information about a breach before you have completed the investigation."
For banks and credit unions, which are left replacing cards and covering losses suffered in a breach, timely notification is critical, says Carrie Hunt, senior vice president of government affairs and general counsel for the National Association of Federal Credit Unions.
"Financial institutions haven't always received notice of breach in a timely fashion," she says. "Credit unions need to make sure they receive notice of the breach so they can go ahead and do what they need to do to protect members. ... We want to make sure that credit unions have all the information that they need to decide whether or not they need to reissue cards and how they can best protect their members."
What Institutions Can Do
Going forward, financial institutions must push the card brands to increase the frequency under which merchants undergo security evaluations, says Beazley's Diamond. "I think the institutions are already well poised to catch these things, but security at the retail level needs to improve."
Some banking institutions may find it more cost effective, in the long run, to just reissue all compromised cards, rather than monitoring those cards for an extended period of time, she says.
But the ABA's Kenneally says banking institutions must carefully weigh their options. "Some are reissuing all of their cards," he says. "Others are enhancing their monitoring."
And waiting for the next breach headline.