Data Breaches Becoming Common

Here we go again.  This time a Russian cyber gang has stolen 1.2 billion user records from various sites across the world.  The New York Times was able to verify the authenticity of claims made by Hold Security, the company that uncovered the theft. Its becoming really hard to thwart these hackers from overseas.  As I explained in a previous post, its just a matter of time before your site is breached, so we all must hope for the best but plan for the worst.

To put things into perspective, take a look at the chart below.  If have to wonder if retailers stand a chance when even high-tech companies can't protect their own systems.

Infographic: Large-Scale Data Breaches Affect Millions of Users | Statista
You will find more statistics at Statista

When systems are compromised, hackers monetize in three basic ways:

Banking -- This is where ATM theft, wire fraud, and identity theft come into play, and the payoffs are big.  Using "mules" around the world, they coordinate simultaneous attacks to withdraw as much money as possible.  I've had friends have their identity stolen, and its a mess.

Social -- The least sophisticated area is spamming using stolen email, Twitter, and Facebook accounts.  They get paid for referrals like a typical marketing company.

Retail -- There are online stores where criminals can purchase bundles of stolen credit card "dumps," and they can even buy insurance to help guarantee the cards are still active.  Then they buy goods and either return them for cash, sell them on eBay, or ship them overseas to be sold.


Aside: My favorite scam to steal from a retailer doesn't involve cyber crime at all.  A guy in Florida stole over $300,000 in merchandise from Apple using social engineering.  When the clerk swiped his card for a purchase it would be declined.  He then would call the bank, but instead of actually talking to the bank, he would just tell the clerk the bank fixed the problem and the offline authorization code is "873538".  The clerk would override the system as if an authorization by phone had been done (remember the old days before the internet?).  Enjoy your new Mac and have a nice day.  Go to next Apple store.  Repeat.


Target's Christmas data breach costs them $148M, which is only .2% of yearly sales, but it cost the jobs of several executives and continues to create bad publicity.  I imagine it costs banks a bundle to replace all the stolen cards as well.  The numbers just keep getting bigger.

Unfortunately, many of these hackers are protected inside their countries because, frankly, they bring in lots of money.  The US is left to wait for them to slip up and travel outside the country before they can be arrested.  It has the feel of a cyber mafia with plenty of palms being greased.

PCI guidelines help.  New EMV chip cards will help.  More sophisticated firewalls, encryption, and computer forensics should help.  But vigilance is required throughout the system, of which retailers are just one part.

Comments:

Yet Amazon manages to not make the list despite being probably the biggest target... That probably says something as well. Certainly they may fall into the 'only a matter of time' bucket...but even still, they are obviously doing something different than these other ecommerce players.

Posted by guest on August 06, 2014 at 12:32 PM CDT #

True, we don't know of any Amazon breaches, but hard to tell if that's due to security diligence or plain old luck.

Posted by David on August 06, 2014 at 12:42 PM CDT #

One way to tackle the problem of data breaches is to not store the data these thieves are trying to steal. The most attractive data is, of course, credit card information. This makes outsourcing payment processing very attractive. One integral part of this is the tokenization of the transaction/payment details.

Last month, the Food Marketing Institute, Merchant Advisory Group, National Association of Convenience Stores, National Grocers Association, National Restaurant Association, National Retail Federation, and the Retail Industry Leaders Association issued a statement calling for an open and universal tokenization standard. (http://digitaltransactions.net/news/story/Fearing-Payment-Industry-Control_-Merchants-Call-for-an-_Open_-Tokenization-Standard ). Assuming a competent standard, would also improve the security of the solution as well. Retailers need to support a number of different payment types and processors and a common standard decreases the complexity needed for this. As any security professional will tell you, simplicity tends to increase security while complexity tends to decrease security.

Posted by guest on August 06, 2014 at 01:29 PM CDT #

Excellent point. Tokenization and/or P2P encryption would go a long way to solving these issues. The ball is in the banks' court.

Posted by David on August 06, 2014 at 01:37 PM CDT #

Post a Comment:
Comments are closed for this entry.
About


David Dorf, Sr Director Technology Strategy for Oracle Retail, shares news and ideas about the retail industry with a focus on innovation and emerging technologies.


Industry Connect


Stay Connected
Blogroll

Search

Archives
« March 2015
SunMonTueWedThuFriSat
1
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
    
       
Today