Consumers Target-ed: the US retail data-mining scandal
Hackers managed to steal data about millions of customers from retail giant Target at the tail end of last year, and the effects are still being felt. Are Americans about to get serious about personal financial security?
For a nation obsessed with national security and, well, security in general, Americans have retained almost a laissez-faire attitude toward personal financial security. No longer. An extraordinary, brazen theft of consumer data from three large national retailers is gradually being absorbed around the country.
The heist has directly impacted between 70 million and 110 million shoppers — or a third of all Americans — and will have long-term adverse effects on the retail colossus that is Target. It will cost the group tens of millions of dollars and significant customer goodwill.
Clusters of Target customers watched in horror as their bank accounts were emptied or their credit cards were maxed out the week of Christmas. Although most were reimbursed, many were stranded without funds over the holidays. Equally alarming was the theft of consumer data at the high-end department store chain Neiman Marcus, which also owns that world-famous Manhattan emporium to elitism, Bergdorf Goodman.
Several other companies have now come forward and admitted breaches. A Miami outlet of another high-end department store, Nordstrom, was one, as well as the 1000-store craft retailer Michaels and online sports store Easton-Bell. According to the Ponemon Institute, 19 different US retailers were hit by identity thieves last year.
Most worryingly for customers, the data appears to have been broken up state by state by several criminal organisations. The Department of Homeland Security, which is investigating along with the Secret Service and the Senate Judiciary Committee, says, for example, it has discovered customer data for Texas residents available for sale near the Mexican border.
And in another bizarre twist, last week security agencies revealed the malware hack could be linked to a 23-year-old Russian hacker, who was found to be selling copies of the virus at $2000 a pop online.
With its 1800 super-sized outlets, the Minnesota-based retailer Target is the second-largest big-box store in the US, behind Walmart. And it has handled the breach poorly.
The trouble began on Thanksgiving week, the busiest shopping week of the year in the US. From November 27 to December 15, malicious software, believed to be from Russian and Eastern European criminal groups, stole the account information of each credit and debit card that was scanned at Target cash registers. This was done as the data moved unencrypted through the retailer’s networks. The software scrapes the unencrypted data, which includes credit card numbers, PINs, phone numbers, mailing addresses, Social Security numbers (the American equivalent of tax file numbers) and personal email addresses, and feeds it back to criminal computer servers.
According to The New York Times, several European hackers had been kicking the tyres of most American retail networks, looking for unlocked entry into their customer data networks. With Target, they found a wide path of entry. In fact, Target’s systems were “astonishingly open” and missing the virtual walls and motion detectors found in secure networks, the paper said. Hackers quickly entered the company’s computer servers containing Target’s customer data, scoring credit and debit card numbers and PIN information.
Target initially sat on the news, having discovered the breaches just days before Christmas. It was only the enquiries of security blogger Brian Krebs that forced Target to disclose the malaise. Target offered customers a 10% discount on all products the weekend before Christmas. It did not stem declining sales figures.
News of the breach reduced traffic at Target stores during what was already going to be a difficult holiday period. Target CEO Gregg Steinhafel was mostly absent from the public throughout and was criticised discreetly by company directors, who described him as “publicity shy”.
Even before the data violation, Target was not having a great year. Buffeted like many American chains by the defection of once loyal customers to the web, it also embarked on what has proved to be a costly expansion into Canada, marked by heavy financial losses. Last week, the retailer announced staff cuts across the company.
For Neiman Marcus, known for its premium clientele, personal shopping assistants and overall discretion, the breach is wildly embarrassing. It too fumbled its announcement, having received information of the problem in mid-December but declining to make any public announcement until January 10. It was Brian Krebs again whose report forced the company to move.
Even then, it was not until last week the chain revealed the full damage. In a statement on its website, Neiman Marcus said malware had been clandestinely put into its system and had stolen payment data off cards used from July 16th to October 30th.
Credit card fraud has risen 70% in the US since 2010. According to Nilson, although the US accounts for 27% of all credit card charges worldwide, a whopping 47% of credit card fraud takes place here.
The Target and Neiman Marcus scandals have increased calls to adopt the use of smart chips now common in Europe and Australia. Target, interestingly, attempted to introduce high-security smart-chip cards at its terminals a decade ago, but pulled out after worries around costs and slower checkout times.
Retailers say the investment in infrastructure required to adopt the technology will not cover the cost of the fraud being committed. According to one estimate, credit card fraud costs about five cents per $100 spent on cards in the US. However, credit card companies here have told retailers they need to have the card readers in place by the end of 2015. If they don’t, they will be liable for data stolen and fraudulent charges made.
In the current environment, it’s not just credit card companies and retailers at risk, with Coca-Cola another high-profile victim. The soft-drink giant revealed last week a former worker had stolen personal data involving 74,000 employees, contractors and vendors.
Tellingly, stock prices have already started rising on companies such as VeriFone, which manufactures advanced payment hardware. VeriFone’s stock is up 27% in the last month. It could also be a boon for security and credit-monitoring groups.