As the Target data breach seems to grow more damaging by the day, there’s a lot of talk about what the repercussions will be – for Target as well as its customers.
The good news is that customers in the USA are indemnified from financial loss due to credit card breaches, but you should still keep an eye out for unusual transactions. If you spot any unauthorized charges, contact your credit card issuer immediately to review the transactions and potentially obtain a new card.
As to the effect on Target itself, history suggests that there will likely be no material effect on the company or its stock value. Target will probably issue the obligatory mea culpa and go back to spending the absolute minimum on IT security, while publicly stating their commitment to protecting their customers.
IT Security as a Cost Center Rather Than a Critical Infrastructure Investment
The common practice in the retail industry is to outsource as much IT and security operations as possible to the lowest cost vendor(s). And in security, as with everything else, you get what you pay for.
Low-cost, low-price retailers have a real challenge when it comes to selling their goods at slim margins while also running information technology shops on tiny budgets. Unfortunately, being a low-cost retailer sometimes means running an IT operation with inadequate security. Higher margins at upscale stores are no guarantee of security either, but at least these retailers have no excuse when it comes to their IT budgets.
What’s Next for Target?
Target will most likely face a rash of lawsuits brought on by the Attorneys General in just about every US state where the store operates. The credit card issuers will also slam Target with fines that will, in all likelihood, have no long-term consequences for the retailer.
You can also expect the usual gaggle of attorneys filing class action lawsuits to shake down Target on behalf of downtrodden clients. And in the end the attorneys always seem to benefit mightily from the huge sums that retailers pay to make them “go away” – while consumers will get crumbs, if that.
There will also be the usual hand-wringing about why the USA still does not have EMV credit cards (with chip and PIN/signatures) similar to those already used in other parts of the world, a topic we’ve covered in this blog before.
And one more important point to consider – just because this massive data breach has already occurred doesn’t mean that Target customers are in the clear. The potential for follow-up attacks is very real.
The process generally works like this:
- Target customer is issued a new card (debit or credit)
- Criminals who compromised Target contact this customer, apologize for the problem and ask them to enter their new credit card/debit card information including PIN
- Since the criminals already have detailed personal information they’ve stolen from the Target database, they can appear legitimate in their follow-up
- The fact that the criminals can share parts of the old compromised credit card in their phishing attack means a high success rate on the follow-on attack
- The scam can be repeated multiple times on the same set of Target victims because both personal contact information and credit/debit card data have been compromised
The key is that in debit and credit card scams, the phishing attack will gather name, card number, expiration date, CVV (the 3- or 4-digit code), PIN, and address information (AVS).
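For mail or SMS filtering, the pattern described above (a breach apology, a fragment of the old card, then a request for the new card's details) can be scored as a combination of signals. The sketch below is an added example, not something from the original post; the keyword patterns, the verdict names and the sample messages are all assumptions constructed for illustration.

```python
import re

# Data elements the post lists as the phish's targets (assumed keyword patterns).
FIELDS = {
    "card_number": r"\b(?:card|account)\s+number\b",
    "expiration": r"\bexpir(?:y|ation)\b",
    "cvv": r"\b(?:cvv2?|cvc2?|security\s+code)\b",
    "pin": r"\bpin\b",
    "address": r"\b(?:billing|mailing)\s+address\b",
}
REQUEST = re.compile(r"\b(?:enter|confirm|verify|provide|submit|update|reply\s+with)\b", re.I)
# "We will never ask ..." style reassurance, as found in genuine notices.
NEGATED = re.compile(r"(?:\bnever|\bnot|n['’]t)\s+(?:ask|request|need)\b", re.I)
# Credibility lure: a fragment of the old, already-compromised card.
OLD_CARD = re.compile(r"\bend(?:ing|s)\s+(?:in|with)\s+\d{4}\b|(?:[x*]{4}[\s-]?){2,3}\d{4}", re.I)
# Pretext: an apology or notice tied to the breach or a reissued card.
PRETEXT = re.compile(r"\b(?:breach|compromised|apologi[sz]e|replacement\s+card|new\s+card)\b", re.I)

def requested_fields(text):
    """Fields a message asks the reader to supply, skipping 'never ask' sentences."""
    found = set()
    for sentence in re.split(r"[.!?\n]+", text):
        if REQUEST.search(sentence) and not NEGATED.search(sentence):
            found |= {n for n, p in FIELDS.items() if re.search(p, sentence, re.I)}
    return found

def assess(text):
    """Return (verdict, sorted requested fields) for one e-mail or SMS body."""
    fields = requested_fields(text)
    # Assumption: a genuine issuer notice never asks for a PIN, or for card number plus CVV.
    asks_secret = "pin" in fields or {"card_number", "cvv"} <= fields
    lure = bool(OLD_CARD.search(text)) or bool(PRETEXT.search(text))
    verdict = "low"
    if asks_secret:
        verdict = "high" if lure else "medium"
    return verdict, sorted(fields)

# Constructed sample messages, not real traffic.
PHISH = ("We apologize for the recent breach. Your card ending in 4821 was replaced. "
         "To activate your new card, enter the card number, expiration date, CVV and PIN here.")
LEGIT = ("Your replacement card has shipped. We will never ask you to confirm your PIN "
         "or CVV by e-mail. Call the number on the back of your card with questions.")
BARE = "Please verify your PIN to continue."

if __name__ == "__main__":
    for name, msg in (("PHISH", PHISH), ("LEGIT", LEGIT), ("BARE", BARE)):
        print(name, assess(msg))
```

Keyword scoring like this is a triage aid: it will miss reworded requests and messages that move the form behind a link, so it belongs alongside sender authentication checks rather than in place of them.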
Always be vigilant against phishing attacks – especially if you suspect that your information has been compromised by the Target breach, or any other.
What are your thoughts on what can be done to better secure the retail industry? Leave a comment below.