Tuesday, January 7, 2014
As Target Brands Inc. is finding out – following the high-profile data breach that occurred at its stores over the 2013 holiday shopping season – breaches are embarrassing and expensive. Several class-action lawsuits have been filed against Target to date. On Jan. 7, 2013, a class action was filed in the U.S. District Court for the District of Oregon at Portland. Among the suit's claims is that security investigator Brian Krebs reported on the 40 million bankcard compromise before Target notified its customers of the breach.
It is only the beginning of what will be a long, costly process for Target to ensure that another breach doesn't happen and to reassure a jittery public to resume shopping at the discount retailer. Beyond the legal costs, a forensic investigation must be performed to pinpoint the source of the breach, and steps must be taken to shore up security vulnerabilities.
Ross Federgreen, founder of data security firm CSR, pointed to data breach reporting as another process that can cost compromised retailers a minimum of $10,000. By law, businesses must submit breach notifications to federal, state, local and sometimes international agencies. Following a breach, one of CSR's clients had to submit 60 reports. "That's highly atypical," Federgreen said. "But normally three to five reports for a single incident is pretty normal behavior."
According to Federgreen, larger businesses are diligent in reporting breaches. But that is not apparently the case with smaller companies. "The vast majority of small and middle-sized companies: one, may not even know that breaches have taken place; and two, many times they sweep them under the carpet," he said.
The consequences of not reporting breaches can be drastic. "Failure to report is a big deal item," Federgreen noted, with "very serious dollars" assessed in penalties. Additional damages include class-action lawsuits, federal oversight that can stretch on for years, civil and possibly criminal prosecution, not to mention reputational damage and loss of future sales, he said.
On Jan. 7, 2013, CSR reported that the U.S. Patent & Trademark Office issued CSR a patent for the CSR Breach Reporting Toolkit. Federgreen said the toolkit is an automated service that manages and expedites the reporting process for small and midsize businesses.
"All of these entities that have, or suspect breaches, have significant reporting requirements in a very short time window," Federgreen said. "And it's literally impossible for small and middle, and frankly for large companies, to do it without the aid of large battalions of folks."
While large companies can afford to have breach response teams, smaller businesses don't have that luxury. "The vast majority of companies simply cannot, and they are subject to breaches, if not more of them," Federgreen said.
Federgreen noted that the extension of breach reporting requirements into the realm of suspected breaches only adds to the complexity. "The word suspected is very dangerous," he said. "Because nobody, including the courts, has a uniform definition of what that threshold of suspect really means."
It may come as a surprise to learn that breaches involving the compromise of debit and credit cards are not the most common. Federgreen said only 4 to 7 percent of breaches are bankcard related, while over 90 percent of hacks target other types of personally identifiable information, such as Social Security and driver's license numbers, dates of birth and health records.
In fact, medical fraud is the most prevalent form, according to Federgreen, with fraudsters stealing Medicare numbers and collateral data that result in the theft of billions of dollars annually. Compared with the electronic payment processing infrastructure, medical information networks are not as secure, he said.
One weak point in electronic payments is in the area of automated clearing house (ACH) transactions, such as check payments. Federgreen said banks' ACH networks are secure if not infallible. But the real danger lies in the security vulnerabilities of ACH payment originators.
A consumer may set up a recurring monthly payment at a check cashing business, for instance. The check casher puts the consumer's bank routing and account number on file before submitting the debit request to the bank, Federgreen noted. "They do not need to submit that stuff before the event to the financial institution," he said. "They just need to have that permission if there is a challenge or a question with the [transaction]."
According to Federgreen, that ACH transaction and routing information is often not stored by the originator in a secure database, making it easy to hack, which gives fraudsters ready access to bank accounts.