Sounding Board: Securing security
By Len Lewis
Security breaches may not be the fault of retailers, but more often than not consumers will view retailers as responsible. The massive pre-holiday data breach at Target, which stole information from 40 million shoppers, is enough to shake up any true believer of data security. It was second in size only to the 2005 breach at retailer TJX, which impacted more than 45 million customer credit and debit accounts. That story is continuing to evolve thanks to “phishing” scams promising victims it will never happen again if they just provide a little information like credit card details, birth dates and social security numbers.
None of this is new, but everything is done on a larger scale thanks to hackers who always seem to be one step ahead of their prey. It is an old story—build a 20-foot wall and someone will build a 21-foot ladder.
Now, there is something called “ransomware.” Hackers use malware to lock you out of your browser and demand payment for releasing it. I had this experience two days before Christmas. I was researching a story when my system froze and a picture of an angry Barack Obama pointing his finger popped up. I was then instructed to go to my local Rite Aid drugstore to purchase a particular cash card and told where to send money in order to get my browser unlocked. I didn’t. But these ransom demands are becoming increasingly common, with Dell security reporting that just one of these sites took in $30 million in just 100 days. Security experts are concerned about more cyber blackmail this year and a potential move to mobile devices, which, according to some observers, lack even basic security. If customers are browsing on your site when something happens, who do you think they are going to blame?
These are just day-to-day occurrences, but it begs the question of whether true data security is just a myth. The fact is that the entire U.S. has become a high-value target for hackers around the world because we have lagged behind other countries when it comes to issuing smartcards with embeddable microchips rather than magnetic strips. Some credit card issuers are hoping to reach that goal by 2015, at which time they may try to make other weak links in the chain liable for fraudulent purchases. Meanwhile, retailers are involved in an “arms race” with hackers who are usually a step ahead when it comes to next-generation technology.
Was Target negligent in not having up-to-date systems? I don’t think so. Having followed the chain’s progress in many areas, I cannot imagine that this company is limping along on old legacy systems that cannot protect its own data. Of course, it is no surprise that a class action suit came on the heels of the breach. We can always depend on the legal profession to be there—for better or worse.
Then, there are the professional Monday morning quarterbacks like Senators Robert Menendez of New Jersey, Richard Blumenthal of Connecticut and Chuck Schumer of New York who view the situation as another photo op and think that more government oversight—either by the Federal Trade Commission, the Consumer Financial Protection Bureau or some Congressional committee—will solve a technology issue. Funny, I didn’t see them raising holy hell over the Obamacare website. The Secret Service and the U.S. Department of Justice are conducting their own investigation of the Target breach.
But in the end retailers are accountable for what happens in their own house. Transactions using credit and debit cards, e-wallets and mobile payment devices of every stripe are simply the norm. Ask yourself how much business will be lost by retailers who only offer people a false sense of security or those that fail to make continual investments that safeguard consumer data.
Observers feel a number of steps, some obvious ones, should be taken. Among them: speed up conversion to smartcards; purchase “cyberinsurance”; beef up identification of real-time threats and encrypt or delete personal or restricted data that is no longer needed; form a national or even global retail industry data defense task force; and initiate and regularly update breach prevention and response plans. The endgame is not to have data security become an oxymoron.
Len Lewis can be reached at firstname.lastname@example.org, or at www.lenlewiscommunications.com.