Retail Data Breaches: 3 Lessons Companies Have Learned
The holiday shopping season is in full swing, it is Cyber Monday, and retailers need to take extra precautions.
Although the retail sector has by no means seen the greatest frequency of cyber attacks in recent years, several that have occurred have accounted for a huge percentage of the records actually stolen.
Compounded with the sensitivity of the information typically taken in such a breach (credit card details, passwords and personal information) and its appeal on the black market, major breaches such as those at Target, Home Depot and eBay in recent years have landed concern about commercial data security — and questions about who should be held liable for failures — front and center in the minds of retailers and consumers alike.
What can be done about the security of customer information? How are criminals slipping through seemingly secure systems? What can be done to thwart them? And who is responsible for the resulting financial losses when these efforts fail?
As the holiday shopping season gets underway, let’s take a look at three of the major retail data breaches in the past few years to see what we’ve learned:
1. Target and Home Depot lesson learned: Vet your third-party vendors
According to cyber crime reporter Brian Krebs, investigations found that the Home Depot registers involved in the attack were infected with a variation of the same malware found on compromised Target registers. This software is designed to grab data from cards swiped at an infected point-of-sale system. In both cases, criminals accessed the retailers’ networks through that of a third-party vendor. Once in, the criminals were able to exploit a vulnerability in Windows, the operating system running the registers, to upload the malicious program.
Going after corporate data through vendors or less-protected subsidiaries is becoming a more common practice of cyber criminals. Smaller vendors and recently acquired smaller companies sometimes struggle to keep on top of data security. Organizations whose systems contain the personal and financial data of millions of customers have a responsibility to vet the vendors they work with (and the companies they acquire) meticulously to ensure that digital security protocols are up to standard and are enforced. Vendors and employees should only be able to access what is necessary for them to carry out their work, and the security measures on their own systems should be robust and reliable.
What makes for a robust and reliable protocol? Here are some things to consider:
- Procedures for granting and removing access to employees should guard against unauthorized access to the company network.
- Monitoring of security logs must be routine and consistent to ensure that attacks or breaches are identified quickly.
- Companies should have a password security protocol and it should be enforced. Employees should change passwords regularly and be well-educated on the importance of password security, the methods criminals use to acquire login and password information and how to create a secure password. Two-factor authentication is a great indicator that a company takes password security seriously.
- Bring-Your-Own-Device policies should be clear, comprehensive and carefully enforced.
- Companies should ensure that the connection between networks is entirely secure. If sensitive data is being passed back and forth, make sure both you and your vendor have the capability to properly encrypt it.
- Adequate firewalls, anti-virus and anti-spam software should be in place and kept up to date. Don’t forget the security of physical terminals — all the data protection in the world is useless if someone can access the system on-site or pick up hardware that hasn’t been properly decommissioned.
- There should be a process in place for ensuring that frequent patches from software vendors are applied as soon as they are made available.
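Several items in the list above (granting and removing access, routine log monitoring, and limiting vendors to what their work requires) can be checked automatically against authentication logs. The following is an added example, not code from the original article or from any of the retailers it discusses: it reviews a batch of login records against a hypothetical vendor access roster and flags logins by accounts that are unknown, whose access should already have been removed, that reach systems outside their grant, or that occur outside their agreed hours. The roster, host naming, log format and account names are all constructed for the illustration.

```python
"""Automated review of vendor-account logins against an access roster.

Constructed example: the roster, log format and account names below are
invented for illustration; they do not come from any real breach report.
"""
import re
from datetime import datetime, date, timezone

# Hypothetical vendor access roster: who may log in, to which system
# group, during which UTC hours, and until when. In practice this would be
# exported from the identity system or vendor-management database.
VENDOR_ROSTER = {
    "hvac-vendor-svc": {
        "systems": {"bms"},          # building-management hosts only
        "hours": (8, 18),            # allowed login window, UTC
        "expires": date(2015, 6, 30),
    },
    "pos-support-svc": {
        "systems": {"pos", "pos-mgmt"},
        "hours": (6, 22),
        "expires": date(2014, 10, 31),  # contract ended; access never removed
    },
}

# Map host-name prefixes to system groups (constructed for the example).
HOST_GROUPS = {"bms-": "bms", "pos-reg-": "pos", "pos-mgmt-": "pos-mgmt", "fin-": "finance"}

# Hypothetical log format: one key=value record per login attempt.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) action=login result=(?P<result>\S+)$"
)


def host_group(host):
    """Return the system group for a host name, or 'unknown'."""
    for prefix, group in HOST_GROUPS.items():
        if host.startswith(prefix):
            return group
    return "unknown"


def review_logins(log_lines, roster=VENDOR_ROSTER):
    """Return a list of (rule, user, host, timestamp) findings.

    Rules:
      unknown-account  login by an account not on the roster
      expired-access   login after the roster expiry date (access not removed)
      out-of-scope     login to a system group the account is not granted
      off-hours        login outside the account's allowed UTC window
    Only successful logins are reviewed; failures belong to a separate
    brute-force check.
    """
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or m["result"] != "success":
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
        user, host = m["user"], m["host"]
        entry = roster.get(user)
        if entry is None:
            findings.append(("unknown-account", user, host, m["ts"]))
            continue
        if ts.date() > entry["expires"]:
            findings.append(("expired-access", user, host, m["ts"]))
        if host_group(host) not in entry["systems"]:
            findings.append(("out-of-scope", user, host, m["ts"]))
        start, end = entry["hours"]
        if not start <= ts.hour < end:
            findings.append(("off-hours", user, host, m["ts"]))
    return findings


# Constructed sample log lines in the hypothetical format above.
SAMPLE_LOG = [
    "2014-11-15T09:13:44Z host=bms-02 user=hvac-vendor-svc src=203.0.113.7 action=login result=success",
    "2014-11-15T02:41:10Z host=pos-reg-017 user=hvac-vendor-svc src=203.0.113.7 action=login result=success",
    "2014-11-16T11:05:02Z host=pos-mgmt-01 user=pos-support-svc src=198.51.100.9 action=login result=success",
    "2014-11-16T11:06:30Z host=fin-db-01 user=contractor42 src=198.51.100.9 action=login result=failure",
    "2014-11-16T11:07:12Z host=fin-db-01 user=contractor42 src=198.51.100.9 action=login result=success",
]


def summarize(findings):
    """Count findings per rule, the figure a daily review report would show."""
    counts = {}
    for rule, *_ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in review_logins(SAMPLE_LOG):
        print("%-15s user=%s host=%s at %s" % f)
    print(summarize(review_logins(SAMPLE_LOG)))
```

Run daily over the previous day's authentication log, the script turns the abstract requirements into concrete exceptions: a building-services account touching a register, a support account still working after its contract ended, and an account nobody put on the roster. The roster expiry check is the one that matters most for the third-party lesson, since it catches access that was granted legitimately and never removed.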
We in the insurance industry have long been advised — and often required — to vet third-party vendors regularly and carefully. It has now become clear that retail organizations would do well to follow the same advice.
2. eBay lesson learned: Data protection at all levels must be prioritized
A report from the International Business Times following the 2014 attack on eBay’s network indicated, with regard to an investigation by the relevant regulatory bodies:
Of particular interest will be the lack of encryption used to protect customer names, email addresses, physical addresses, phone numbers and dates of birth. Investigators will also analyze why it took eBay nearly three months to detect the hackers, how long it took to fix the breach and how long the company waited to notify authorities and customers.
Recent increases in identity theft and new account fraud tell us that encrypting personally identifiable information can be as important as encrypting financial information. Breaches like the one at eBay highlight how difficult it can be to detect attacks if the right systems are not in place to make sure relevant data is reviewed in a timely manner. Just like any other business process, log reviews, protocol revisions and security updates can become an automated part of a company’s workflow. Well-thought-out systems help to ensure that every feasible measure is taken to protect sensitive information and that new protocols are smoothly integrated as new threats arise and new solutions are found.
Cyber crime is advancing quickly. It is imperative that companies move plans for pervasive data security systems from the “intention” stage to the “in action” stage, and quickly.
3. PNI Digital Media lesson learned: Get the board on board
PNI is a company that operates an on-demand photographic printing service for CVS, Sam’s Club, Costco, Rite Aid, Wal-Mart Canada and others. So far, relatively little is known about the PNI breach, but there has been much speculation as to how it happened, why it was allowed to happen and why it went undetected for nearly a year. We don’t like to give too much credence to speculation; however, the theories put forward can give us some insight into some of the overarching problems of data security, as identified by cybersecurity experts.
When news of the PNI breach broke in July of this year, Brian Krebs noted that the company had been acquired by Staples Inc. around the time that the breach is thought to have been initiated. This was worth mentioning because Staples itself had suffered a breach in mid-2014 that went undetected for some six months and exposed more than a million customer credit card records. This may or may not stand as evidence that the company is giving inadequate attention to cybersecurity, but it does point to a problem security experts have identified: a lack of boardroom support for Internet security efforts.
This has been highlighted by the recent breach at Experian that resulted in the theft of personally identifiable information records — including Social Security numbers — of 15 million T-Mobile customers. During his investigation of that case, Krebs interviewed several security experts who had left the Experian security team specifically because the folks at the top refused to dedicate adequate resources to securing the credit bureau’s extremely sensitive digital files.
Following the massive breach at Target in 2013, similar concerns were raised, and, in the end, the company’s chief information officer resigned. A new CIO, chief information security officer and chief compliance officer were sought to take her place. Whether more leadership at the top is a solution to the problem remains to be determined, but the need for the C-suite to understand and keep a watchful eye on its digital security protocols is becoming clear.
4 cyber security tips for retailers
Here are four tips for retailers on maintaining cyber security, based on some recurrent themes that have emerged from the retail data breaches.
>> Educate employees
Cybercriminals have become particularly fond of phishing to gain access to otherwise secure networks. With a little social media skulking and email contact, they are able to obtain much of the information they need to access login and password information that grants them broad access to corporate networks. Employees have to be informed of the methods criminals use to obtain this information. From clerical workers to the CEO, every employee and vendor needs to understand basic preventative measures — such as how to recognize a phishing attempt or how to create and maintain a secure password — and corporate policy needs to make clear the necessity of following security protocols.
>> Get help
Another theme that seems to recur in cyber crime prevention conversations is the possibility that data security may be a task best left to experts. Even in very large companies that can afford to maintain full security teams, those teams often struggle to acquire the resources they need in a timely manner, because their success is generally not the top priority for the company. A security agency, on the other hand, relies on this strength to stay in business — this is their core competency. In addition, external agencies are able to be more objective about how to prioritize security and to draw on a broad range of experience and a much deeper well of knowledge.
This is one of the benefits companies seek in migrating to the cloud. A reputable cloud host is well aware that the security of its servers and its ability to protect the data entrusted to it is indispensable if it is to compete and survive. As a consequence, cloud servers will likely be some of the most secure places to store data into the future.
>> Crack down on cyber criminals
Opinions are divided on whether governments are really in a position to stem the tide of cyber crime, which is by its nature heedless of national borders. Nevertheless, some experts believe governments will have to become more involved in the investigation and criminal prosecution of cyber crime. Without such a large, international effort, they say, the cost of securing data and recovering from attacks will eventually outstrip the benefits of conducting business in cyberspace. Suggestions include an international governing body that would work not only to stop cybercriminals, but also to regulate security measures, requiring companies around the world to adopt a universal baseline of prevention and detection methods.
>> Make individual cyber hygiene a habit
The time has come for all of us to accept that we have to step up our personal online protection if we want to keep our financial and personally identifiable information safe from criminals. Just as we once had to accept that we should lock our doors and keep the children in the yard, we now have to realize that certain inconveniences such as using a different password for every online service and storing those passwords in a secure app or, better yet, in our memories, must become a matter of habit. Credit card and loan offers that could once be discarded with the junk mail should be shredded, and credit card statements need to be reviewed every month. Individuals have to be more diligent about avoiding emails from unfamiliar addresses or clicking on mysterious links. Even phone calls that seem to come from benign solicitors or even familiar institutions like banks and workplaces may be phishing attempts.
The more consumers are acquainted with methods to protect themselves from fraud and identity theft — and the consequences if they choose not to — the fewer claims a company has to cover and the less a store loses on fraudulent purchases that no one — not the credit card holder, the credit card company nor the credit card fraudster — is going to pay for. What’s more, customers who know they have protected themselves will have greater confidence in the security of their information as they venture out to make purchases. A better informed consumer will always be a benefit to the market.
The time has come for everyone to recognize cyber crime as a serious threat to economic security for both individuals and corporations. We may not yet know how to shut down cyber criminals completely, and there is a long way to go before we can say that we have done all we can.
by Lance Spellman – Property Casualty 360