Data Security

This past January, as I've done for the past five years or so, I trekked into New York City's Jacob Javits Convention Center for the National Retail Federation's (NRF) Big Show. I was met, as I was in past years as well, by retailers from around the world. I spent time at this year's conference attending presentations and press conferences; meeting and interviewing retail industry execs in the press room; and walking the vast exhibit hall floors trying to find the "next big things" in retail technology. Here are a few of my takeaways

Q: "I sell merchandise on eBay and via my own site, and have much better sales on eBay. How can I convert those eBay buyers to purchase on my website?"

Target said cyberthieves stole credentials from one of the retailer's vendors in order to access its system, according to an ongoing forensic investigation into a data breach that may have exposed information from as many as 110 million customers. The company said that since disclosing the hack Dec. 15, it cleared its system of the malware that had been planted. "In addition, since that time we have taken extra precautions such as limiting or updating access to some of our platforms while the investigation continues," Target spokeswoman Molly Snyder said in a statement Wednesday.

U.S. banks have spent more than $153 million so far replacing 15.3 million debit and credit cards after the huge data heist from Target Corp., and the numbers are only growing. The Consumer Bankers Association announced the numbers Tuesday, saying that as more retailers announce breaches, the price tag for banks could grow to “hundreds of millions of dollars, and possibly billions.” It’s time for Target to step up to the plate and pay some of the costs for one of the largest data thefts recorded in the United States, the industry group said.

There seems to be an announcement almost weekly that a retailer has been the victim of a cyberattack in which consumer information has been stolen. Has this become the next wave of 21st century white-collar crime as the world of electronic credit and payments opens up companies to more and more thefts of financial information? As hackers’ level of sophistication increases, companies have a harder time even detecting whether computer systems have been attacked and the extent of any security breach.

Michaels, the biggest U.S. arts and crafts retailer, said it's investigating a possible breach on its network and advised customers to check financial statements for fraudulent activity. The warning, which comes in the wake of the unprecedented breach at Target Corp. over the holiday shopping season, suggests that hackers may be attacking retailers in a spree the extent of which is yet to be fully understood. Target last month disclosed an unprecedented breach that resulted in the theft of some 40 million payment card records and another 70 million customers’ records. 

Neiman Marcus said about 1.1 million credit cards may have been compromised in a data breach that occurred last year. Visa, MasterCard and Discover have notified the Dallas-based department store chain that about 2,400 cards used at its stores between July 16 and Oct. 30 were used fraudulently, according to a statement yesterday. Online shoppers weren't affected, the company said. Closely held Neiman Marcus is the second U.S. retailer to announce a customer data security breach. Minneapolis-based Target Corp. has said as many as 110 million customer accounts were compromised during the holiday shopping season by the theft of information. 

Target's data breach may speed up the adoption of more secure credit card technology in this country. Chip-based "smart cards," already used in Europe, are difficult to counterfeit because the account information is encrypted and stored in an embedded microchip. Most point-of-sale transactions with these smart cards cannot be authorized without a PIN code. That's why it's called "PIN and chip" technology. Matthew Shay, president and CEO of the National Retail Federation, has sent a letter to congressional leaders calling on the banking industry to switch from the easy-to-hack magnetic strip to the more secure PIN and chip. 

Target CEO Gregg Steinhafel is calling on retailers and banks to adopt chip-based credit card technology to better protect shoppers. But the debate was different a decade ago, when the executive was on the other side of the issue as Target pulled the plug on a $40 million, three-year program that did just that. Chip-based credit cards, in which a smart chip in the card works with special readers installed at stores, are widely used in Europe and Canada, making it more difficult for thieves to profit from the sort of massive data breach that hit Target over the holidays. 

Target's data breach, which has left tens of millions of payment cards compromised, was carried out using off-the-shelf malware authored by a 17-year-old Russian, according to security firm IntelCrawler. Officials believe that the Target breach was just one of several attacks carried out over the holiday period. Neiman Marcus Group says that it has also been hacked, and a report authored by government agencies and security firm iSight Partners suggests that several other firms could have been hit.