Target Data-Breach Fallout
Published in CSP Daily News
Midsized c-store chains: valued marks for data thieves
ELLISVILLE, Mo. -- Industry ramifications from the second-largest data breach in retail history with department-store giant Target Corp. in recent weeks may play out in the form of a letter from credit-card companies demanding retailers show efforts toward compliance to certain data-security standards, said one consultant focused on risk assessment.
More specifically, midsized operators with anywhere from 50 to 200 stores present what card companies believe to be one of the highest risk opportunities for future breaches, according to Shekar Swamy, president and senior security strategist for Omega ATC, Ellisville, Mo.
“Acquiring banks are taking a more proactive stance and are increasing the level of security in midsized retail operations,” Swamy told CSP Daily News in an exclusive interview, noting how convenience stores are complex retail environments with many points of potential breach, including registers, dispensers and automated teller machines (ATMs). Though single-store operators may have less resources and are vulnerable to skimming-type breaches, the payoff for hackers is smaller. “[Banks] see that so much needs to be done by midsized operators.”
Many midsized chains falsely believe that password-protected systems are sufficient, and that beyond that safety net, oil companies or larger third parties will ultimately come to their rescue. Both scenarios are misguided, Swamy said.
Swamy characterized the breach that occurred at Target this past Thanksgiving through mid-December—eventually involving 40 million cardholder accounts—was sophisticated and executed with “patience.” As a result, the payoff needs to be high. That’s why major retailers, as well as midsize chains, must consider themselves valued marks for data thieves.
In the Minneapolis-based Target case, the breach involved malware that hackers were able to place into the company’s point-of-sale (POS) system. The cardholder data, as well as encrypted debit-card personal identification numbers (PINs), were taken undetected during that two-week period. Swamy said networks at most chains are centrally connected, providing the opportunity for an opening, with “remote access” being the most-used method by hackers. Often the malware can sneak data out in small batches over time or can collect the data to be removed in a single extraction.
Going forward, Swamy said, movement toward chip-based plastic and even mobile payments are going to present retailers with additional security issues and ultimately cost. With the chip-based technology, or Europay MasterCard Visa (EMV), he said, retailers are balking against credit-card company mandates, especially having to spend millions industrywide to comply with standards just a couple of years ago. That said, he added that overall, payments at c-stores will evolve and the data security question will not go away.
For instance, with mobile payment, Swamy said the security question runs both ways—with concerns on both the consumer and retailer sides. He said customers want to know that only the required information is pulled from their mobile devices during transactions, while on the other hand, retailers need to be confident that those same devices aren’t siphoning data from store systems.