On the heels of the largest breach ever to hit the retail industry, at Target, comes yet another breach of credit card numbers and potentially personally identifiable information. On Friday, January 10th, Neiman Marcus released a statement that hackers may have stolen customers’ credit and debit card information.
What NOT to do when you have a breach.
Since it has been nearly a month, a review of Target’s crisis management response to its breach shows it isn’t going well. On December 19th, 2013, Target released a statement giving specific dates, details and a count of cards compromised. As the investigation has unfolded, however, Target has contradicted those statements, shattering consumer confidence yet again in the process. What is going on with Target and the investigation?
- Target originally revealed that 40 million credit card numbers were compromised, but it underestimated the severity (not once but twice!) and now states that possibly another 70 million records were compromised—a total of 110 million records breached!
- Target originally stated that debit card numbers and PINs were not compromised, or that if they were, they were encrypted. Then we learned that the hackers are using debit cards and PINs to withdraw money from the victims of the attack. So either Target spoke too soon, or maybe it is using RSA’s broken encryption algorithm (thanks, NSA).
- Target also originally stated that only credit/debit card information was stolen; now it says that e-mail addresses, home addresses and various other personally identifiable information were compromised as well.
On the heels of that unfolding mess, did Neiman Marcus learn anything from Target’s botched crisis management? Maybe. Neiman Marcus is confirming a breach but is not offering specifics until further investigation has been conducted.
Is this the same group that hacked Target?
With the dates of the two breaches so close together, are these events related? It is hard to tell, since very little information has been released on how either breach occurred. But given the same industry (retail), the same target (credit/debit card information) and the same time frame (December), one can only suspect that the two breaches may be connected.
What or who is next?
Your guess is as good as mine, but one thing I can say: expect the retail industry to be under scrutiny in 2014. If you work in security for the retail industry, chances are you are going to be busy. For years we have seen retailers simply comply with the Payment Card Industry (PCI) minimum standards, with spending levels deteriorating once compliance is met. In October of last year, SecureState hosted a webinar on PCI 3.0 and proof of compliance; in the webinar we outlined the changes in PCI and the shift from merely compliant controls to effective ones. The graph below illustrates the trends for 2014 and beyond. It is highly unlikely that either organization had PCI controls in place that were both compliant and effective at the time of the breach.
Why is this happening?
Most customers I talk to are asking what they can do about the breaches. Frankly, the credit and debit card infrastructure of the U.S. is archaic. The credit card system dates back to the 1960s, and very little has changed in the actual cards we use today. While the infrastructure is more robust and offers more convenience to consumers, the security surrounding credit cards is barely keeping up with rapid technological change and emerging threats.
What can you do as a consumer?
Here are the top three things you should do today:
1) Check your credit report, and then check your credit card statements often. Any fraudulent charges on your credit card statements will be reversed; your credit history is another story. Getting fraudulent loans or accounts removed from your credit report is not easy, and neither Target nor Neiman Marcus will be willing to help.
2) Do not use debit cards at retail stores. When asked to enter your PIN, press the credit button instead. Why? Fraudulent credit card charges are disputed before you ever pay them, but money withdrawn from your bank account is gone until the bank finishes investigating. If a hacker has your debit card number, PIN and personal information about you, they can call your bank and request another card, or withdraw money directly from your account. If you did use your debit card at these retailers, change your PIN immediately.
3) Stop shopping at these retailers. The best way for consumers to make these companies take breaches seriously is to stop shopping there. Generally, a company’s stock price is rarely affected when a breach occurs, meaning the company never feels the pain it caused millions of customers.
Cheap vs. good identity protection programs.
Companies that have been breached will offer identity theft protection. However, these offerings are watered down, a cheap version of what you should actually have. Get your own. They cost around $10/month and have family plans. I recommend Quizzle, and would stay away from LifeLock.
With class action lawsuits being filed against Target, and Congress demanding action (including calls for the Federal Trade Commission (FTC) to step in with sanctions), we can only hope that security will be taken seriously in 2014.