US retailers generate over $200 million in costs from data breaches

Discount retailer Target loses 70 million customer records in data breach

In just over two weeks in the run-up to Christmas, Target Corp (TGT) suffered a major cyber theft in which up to 70 million customer credit card details were stolen.

The Minneapolis-based retailer, the second largest discount chain in the US, has already generated costs estimated to exceed $200m, according to figures provided by the Consumer Bankers Association and the Credit Union National Association.

 
These estimates include the expense of card replacement for 21.8 million customers, but exclude any fraudulent activity, which would inevitably push the losses far higher. The data stolen included names, home addresses and email details, as well as phone numbers and other personal information.
 
The data theft was achieved through the installation of malware on the firm's electronic point of sale machines, accessed through security flaws in its systems, possibly ones connected with third-party providers. This provided the way in for hackers to break in to Target in what may exceed the attack on the TJX group, which hit nearly 90 million customers. The attack has been linked to the Citadel malware, a password-stealing program related to the Zeus banking trojan. While Target was certainly the biggest to be affected, reports persist that it was the biggest hit, not the only one!
 
US Federal authorities are working with Target to investigate the attack and attempt to track down the organisers. 
 
Neiman Marcus malware lurked for 6 months undetected

It isn’t just the discount end of the retail sector that has been under attack. In January, Neiman Marcus, the upmarket retailer, was also the victim of a different hack, losing personal data and account numbers of thousands of customers.
 
It appears that the malware had been on their systems since July, which indicates the lack of an effective risk management process to manage the information and cyber security of the company. The reluctance of companies to declare breaches adds weight to the case for more transparency on the issue.
 
Doubtless, the card issuers will be concerned by the scale of these losses, and time will tell what action will result, but it is difficult to see how much longer information security failures such as these will be tolerated by the banks and consumers.
 
Countering the attackers, who are well-equipped, organised and patient

A key factor in the vulnerability of US systems is that while most of the rest of the world has moved to chip-embedded cards, the US continues to use the magnetic strip. Replacing hundreds of millions of cards and millions of readers is expensive, but with the level and scale of the costs of attacks rising, it can’t be too long before the magnetic strip credit card is consigned to history.
 
However, while moving to more modern technology is a step in the right direction, it is worrying that so many companies are failing to seriously address the management of cyber risk and security. Pressure for change, though, is mounting, and perhaps the lessons of the past year will help drive a change in cyber risk and information security culture across the retail sector.