Data Security

There seems to be an announcement almost weekly that a retailer has been the victim of a cyberattack in which consumer information has been stolen. Has this become the next wave of 21st century white-collar crime as the world of electronic credit and payments opens up companies to more and more thefts of financial information? As hackers’ level of sophistication increases, companies have a harder time even detecting whether computer systems have been attacked and the extent of any security breach.

Michaels, the biggest U.S. arts and crafts retailer, said it's investigating a possible breach on its network and advised customers to check financial statements for fraudulent activity. The warning, which comes in the wake of the unprecedented breach at Target Corp. over the holiday shopping season, suggests that hackers may be attacking retailers in a spree the extent of which is yet to be fully understood. Target last month disclosed an unprecedented breach that resulted in the theft of some 40 million payment card records and another 70 million customers’ records. 

Neiman Marcus said about 1.1 million credit cards may have been compromised in a data breach that occurred last year. Visa, MasterCard and Discover have notified the Dallas-based department store chain that about 2,400 cards used at its stores between July 16 and Oct. 30 were used fraudulently, according to a statement yesterday. Online shoppers weren't affected, the company said. Closely held Neiman Marcus is the second U.S. retailer to announce a customer data security breach. Minneapolis-based Target Corp. has said as many as 110 million customer accounts were compromised during the holiday shopping season by the theft of information. 

Target's data breach may speed up the adoption of more secure credit card technology in this country. Chip-based "smart cards," already used in Europe, are difficult to counterfeit because the account information is encrypted and stored in an embedded microchip. Most point-of-sale transactions with these smart cards cannot be authorized without a PIN code. That's why it's called "PIN and chip" technology. Matthew Shay, president and CEO of the National Retail Federation, has sent a letter to congressional leaders calling on the banking industry to switch from the easy-to-hack magnetic strip to the more secure PIN and chip. 

Target CEO Gregg Steinhafel is calling on retailers and banks to adopt chip-based credit card technology to better protect shoppers. But the debate was different a decade ago, when the executive was on the other side of the issue as Target pulled the plug on a $40 million, three-year program that did just that. Chip-based credit cards, in which a smart chip in the card works with special readers installed at stores, are widely used in Europe and Canada, making it more difficult for thieves to profit from the sort of massive data breach that hit Target over the holidays. 

Target's data breach, which has left tens of millions of payment cards compromised, was carried out using off-the-shelf malware authored by a 17-year-old Russian, according to security firm IntelCrawler. Officials believe that the Target breach was just one of several attacks carried out over the holiday period. Neiman Marcus Group says that it has also been hacked, and a report authored by government agencies and security firm iSight Partners suggests that several other firms could have been hit.

The computer network at Neiman Marcus was penetrated by hackers as far back as July, and the breach wasn't fully contained until Sunday, according to people briefed on the investigation. The company disclosed the data theft late last week, saying it first learned in mid-December of suspicious activity that involved credit cards used at its stores. It issued another notice on Thursday, elaborating slightly. The latest notice said that "some of our customers’ payment cards were used fraudulently after making purchases at our stores. We've taken steps to notify those affected customers for whom we have contact information."

Target said Monday it will invest $5 million in a multiyear campaign to educate the public on the dangers of scams, after the company disclosed that up to 110 million people may have been affected by a data breach at the retailer's U.S. stores. The company, under pressure from various quarters including some state attorneys general, has also unveiled the details of a free credit monitoring and identity theft protection for one year for all Target customers who have shopped in its U.S. stores.

The massive security breach that hit Target over the holidays may be only the beginning for the retail industry. Attempts to hack into retailers’ computer networks and steal credit card data and other customer information are likely to surge this year, cyber security experts say in the wake of the attacks on Target and luxury department store chain Neiman Marcus. Target reported Friday that cyber thieves compromised the credit card data and personal information of as many as 110 million customers. That includes phone numbers, email and home addresses, credit and debit card numbers, PINs, expiration dates.

Target and Neiman Marcus are not the only U.S. retailers whose networks were breached over the holiday shopping season, according to sources familiar with attacks on other merchants that have yet to be publicly disclosed. There were smaller breaches on at least three other well-known U.S. retailers using similar techniques as the one on Target, according to the people familiar with the attacks. These breaches have yet to come to light. Also, similar breaches may have occurred earlier last year.