Target Data-Breach Fallout
Midsized c-store chains: valued marks for data thieves
Published in CSP Daily News
“We have seen iTouch devices used in stores to connect into networks,” Swamy said, with some of those instances involving store employees. “Are there answers? Yes. But it does require a degree of thinking and investment to protect consumers and the retailers themselves.”
Fallout from a breach will likely hit a chain on many fronts, Swamy said. Not only will that chain be liable for a degree of the fraudulent purchases, but the damage to customer confidence and the time and resources needed to field inquiries from a concerned public can be an unexpected drain. Swamy said that, by his firm’s account, it takes four years for customer confidence to return to normal.
Then there are at least 44 states where the loss of personal data becomes a government issue, resulting in class-action lawsuits from state officials.
In the case of Target, Gregg Steinhafel, its chairman, president and CEO, published a letter to customers acknowledging the breach and assuring them that the chain was taking the crime seriously.
“We understand that a situation like this creates stress and anxiety about the safety of your payment-card data at Target,” he said in a letter posted on Target’s website. “Our brand has been built on a 50-year foundation of trust with our guests, and we want to assure you that the cause of this issue has been addressed and you can shop with confidence at Target.”
That letter spoke to its customers directly and revealed key facts:
- The unauthorized access took place in U.S. Target stores between Nov. 27 and Dec. 15, 2013. Canadian stores and target.com were not affected.
- Even if you shopped at Target during this timeframe, it doesn’t mean you are a victim of fraud. In fact, in other similar situations, there are typically low levels of actual fraud.
- There is no indication that PIN numbers have been compromised on affected bank-issued PIN debit cards or Target debit cards. Someone cannot visit an ATM with a fraudulent debit card and withdraw cash. [Editor’s Note: Target subsequently acknowledged that encrypted PIN information was part of the data stolen in the breach.]
- You will not be responsible for fraudulent charges—either your bank or Target have that responsibility.
- We’re working as fast as we can to get you the information you need. Our guests are always the first priority.
- For extra assurance, we will offer free credit monitoring services for everyone impacted. We’ll be in touch with you soon on how and where to access the service.
Framingham, Mass.-based TJX Companies, which runs discount retail chains T.J. Maxx and Marshalls, suffered the worst instance of retail hacking, which began in 2005 and lingered into 2006, when data thieves accessed at least 94 million accounts containing credit-card, debit-card and check information.
The c-store industry had a confirmed breach this past spring with Brentwood, Tenn.-based MAPCO. “Our first concern is our customers,” said Tony Miller, vice president of operations of MAPCO. At the time, Miller issued a statement saying: “We regret any inconvenience this criminal act by hackers may have caused and are enhancing our information security efforts to combat future information security threats. Through our internal investigation and collaboration with forensics security firms, we have disabled the malware that was used in this incident while establishing additional safeguards designed to prevent this from happening in the future.”
The MAPCO incident involved credit-card and debit-card payments for transactions at MAPCO locations on March 19-25, April 14-15 and April 20-21, 2013.
Upon discovering the issue, MAPCO said it took immediate steps to investigate the incident and further strengthened the security of its payment-card processing systems to block future information security attacks.