There has been extensive adverse publicity surrounding what has become the largest
data breach in the retail industry, affecting Target and two other U.S.
retailers. In November-December 2013, cyber
thieves executed a well-planned intrusion into Target’s computer network
and the point-of-sale terminals at its 1,800 stores around the holiday season
and successfully obtained not only 40 million customers’ credit and debit card
information, but also non-card customer personal data for as many as 70 million
customers. In addition, 1.1 million payment cards from Neiman Marcus and 3
million cards used at Michaels were reportedly exposed.

The respected Ponemon Institute announced this June it believes that hackers
have exposed the personal
information of 110 million Americans—roughly half of the nation’s adults—in the
last 12 months alone, and this number reflects the impact of major retailer
breaches and others in different governmental or business sectors, but does not
include hacks revealed in July-August 2014.

As we speak, there are news reports about the discovery of large quantities of
personal information (including user names and passwords) mined from many
websites by a Russian-based hacker group and new malware threats aimed at
retailers. According to a report released by the U.S. Department of Homeland
Security, technology that is widely used to allow employees to work from home
or permit IT and administrative personnel to remotely maintain systems is being
exploited by hackers to deploy point-of-sale (PoS) malware that is designed to
steal credit card data. This threat is being called “Backoff Malware”.

Homeland Security estimates it has been around since October 2013 with a very low
antivirus detection rate at the time it was discovered, meaning that even
systems with fully updated and patched antivirus software would not be able to
identify Backoff as malicious.

Snapshot of Target

Target announced at the end of February 2014 that the company’s profit fell by 40% in
the fourth quarter of 2013. The company reported $61 million in pretax expenses
related to the breach, but expected $44 million in cyber insurance payments
against this figure. These expenses were incurred for legal costs, breach
notification, forensics, and PR/crisis management to date. However, the worst
financial costs are yet to come. A senior Gartner analyst estimated that the
total exposure to Target could be $450–$500M, which considers lawsuits,
regulatory investigations, breach response, fines and assessments, loss of
revenue and security upgrades.

Both the cyber insurance and directors & officers insurance programs at Target
are involved, since Target announced significant revenue/profit shortfalls
caused by brand damage/customer fallout and costs to improve IT security. At
least two derivative shareholder actions have been filed, which have triggered
Target’s D&O insurance.

More than 100 lawsuits are pending against Target at this time, with many consumer
class actions and some actions filed by individual financial institutions,
claiming for costs of cancelling and reissuing compromised cards, absorbing
fraudulent charges made on the cards, and the loss of anticipated fee income
from the holiday season. There has been activity to consolidate these lawsuits
into three groups of plaintiffs to facilitate the legal process.

Allegations surround Target giving network access to a third-party vendor, a small HVAC
company with weak security, which allowed the attackers to gain a foothold on
Target’s network. From that point of entry, the attackers allegedly moved to
the most sensitive areas of Target’s network storing customer information.
Malware installed at POS terminals utilized so-called “RAM scraping,” and the
attack apparently proceeded despite warning signals.

Target staff had urged the company to review the security of its payment system months
prior to the breach, according to American Banker and Wall Street Journal
reports. Some financial institution plaintiffs are alleging that as early as
2007, Target was warned by a data security expert about the possibility of a
data breach in its point-of-sale system. Banks claim that a layered security
system would have made the hackers’ task more challenging—Brian Krebs, a noted
security analyst, describes a “POS kill chain” for a more effective layered
security posture.