BreachExchange mailing list archives

A year after Target data breach, aftershocks finally end


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 25 Nov 2014 18:52:00 -0700

http://www.twincities.com/shopping/ci_27004429/year-after-target-data-breach-aftershocks-finally-end.html

One year later, the Target data breach has been a costly crime for everyone
involved -- everyone but consumers.

The theft of 40 million credit and debit card numbers came as a shock to
Target shoppers, but analysts say that in the end, almost no consumer
suffered a financial loss.

"It was pretty scary," said Avivah Litan, a financial fraud specialist at
Gartner. "When the public heard that Target got breached, they didn't
realize they weren't going to lose money. ... After a few months, consumers
realized they were protected. So they got more relaxed about it."

But it left other scars. Thursday marks the one-year anniversary of the
start of the breach.

It stunned Minneapolis-based Target Corp., which was left reeling for
months afterward. Its CEO was fired; its shoppers were slow to return; and
its data-breach costs have climbed to a quarter-billion dollars.

It also jolted the entire retail sector, as Target turned out to be the
first in a series of data thefts, whose victims included Neiman Marcus,
Home Depot, Michael's, Goodwill, Dairy Queen, Supervalu, Staples and Jimmy
John's.

It was a wake-up call to the credit card, banking and payment networks, to
stop stalling on adopting safer but more expensive card technologies.

For them, Litan said, "I think the Target breach was monumental. The main
thing that has changed is, both the banks and the retailers are really
tightening up security."

It also spawned more than 140 lawsuits against Target, which were
consolidated before a U.S. District Court in St. Paul and are now grinding
their way through the legal system. A trial is scheduled for 2016.

And shoppers? At first, they worried. Countless cards were reissued. But a
year later, the numbers suggest that consumers have moved on -- and are
still using their credit cards.

Target declined to comment for this story.

CONSUMER SKEPTICISM

"Shoppers are not worried about a data breach right now," said Lorman
Lundsten, a professor in marketing at the University of St. Thomas in St.
Paul.

"What seems to have happened is, people heard about the breach, and they
probably heard about the measures taken to neutralize the breach. And
basically, nobody knows anybody who's been hurt by it."

But that doesn't mean consumers are happy when their credit card numbers
are stolen, then sold online to criminals around the world.

Compared with a year ago, "There's more consumer skepticism that their data
is safe," said Jim McComb, a Twin Cities retail consultant. "And they're
less shocked when it happens. Target had a tremendous fallout from its
breach. I haven't heard a similar fallout from Home Depot."

Meantime, the next generation of chip-and-PIN credit cards is starting to
appear, including at Target. The cards are harder for thieves to use
because they carry an embedded computer chip and require a personal
identification number, or PIN.

But the infrastructure isn't yet in place for chip-and-PIN cards to work
this holiday season. So shoppers are still using what the National Retail
Federation has described as "fraud-prone magnetic stripe cards."

McComb said he has long believed that "the industry had sort of taken the
posture that it was cheaper to pay for the fraud than pay for the new
equipment.

"I think that's changed," he said. "It has been incredibly expensive for
Target; it's been expensive for the banks to reissue the cards."

McComb saw the new era recently, when his own credit card was touched by
the Home Depot breach.

"I got a card reissued that has a chip in it," he said. "I've not been to a
store yet that has the ability to read it, but they're stepping up to that."

'DISTANT MEMORY'

The Target hack began a year ago, when cyberthieves -- said to be from
Russia, but that's still not clear -- used stolen credentials to access
Target's computer network. The thieves installed malware that captured card
numbers used inside Target stores, then transmitted the stolen data overseas.

For 19 shopping days, data on shoppers' names, card numbers, expiration
dates and some security codes, including encrypted PIN codes, was stolen
from 40 million Target shoppers.

The week before Christmas, tech journalist and blogger Brian Krebs broke
news of the breach. The next day, Dec. 19, Target confirmed the bad news.
Its call centers were overwhelmed by worried shoppers, who Target
promised would not be liable for fraudulent charges.

Just as alarming came the news that millions of stolen card numbers were
available for sale at online "card shops." It made consumers feel so
vulnerable, it was common a year ago to hear shoppers swear off plastic
forever.

But in the year since, there's not a lot of evidence that consumers have
done so. The credit card companies are doing just fine. And a recent
University of St. Thomas holiday study found no signs of an exodus from
plastic.

Lundsten, the St. Thomas marketing professor, isn't surprised.

"It doesn't happen because it's more convenient to use the credit card," he
said.

On the other hand, Carol Spieckerman, a retail consultant at
NewMarketBuilders, said the breaches are helping next-generation payment
systems, such as Apple Pay, gain traction.

"I think retailers are very much in a defensive mode in terms of these data
breaches and (hoping) that the next one doesn't have their brand all over
it, as it did with Target," she said.

Nowadays, Spieckerman calls the Target breach "a distant memory" to the
nation's consumers.

"Thanks to social media, the news hits really hard and it goes really
broad, but then it goes away really fast and something takes its place," she
said. "The worst has already happened to Target."

LOST SWAGGER

For Target, it took nearly the full year, but last week the discount giant
finally seemed to emerge beyond the long shadow of the data breach.

For the first time all year, it reported its stores had sales gains. Its
stock price finally stayed above where it stood Dec. 18. And it said any
other breach costs were "immaterial" to its financial health.

A new chief executive, Brian Cornell, heads the company. And in the past
year, the company has redoubled its focus on a world of cyberthreats.

"They went out and really beefed up their leadership in security, in IT,
and I think that was also going to benefit their online division," McComb
said.

But McComb said some of Target's old swagger vanished alongside the 40
million credit card numbers, coupled with its struggles in Canada. It's
been a long and unsettled year at its Minneapolis headquarters.

Until last year, McComb said, "I think Target viewed themselves as being
kind of invincible in a lot of ways."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
