BreachExchange mailing list archives

In Our View: Data Breaches Demand Action


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 6 Feb 2014 19:05:43 -0700

http://www.columbian.com/news/2014/feb/05/data-breaches-demand-action/

In legal circles, the notion of caveat emptor in the United States dates
back to 1817, when Chief Justice John Marshall wrote the majority opinion
in Laidlaw v. Organ. In basic terms, the phrase means "buyer beware," and
it has become particularly relevant for consumers in this country.

That point was driven home Tuesday, when executives from Target and Neiman
Marcus -- store chains that have been targeted by hackers trolling for the
personal and credit card information of shoppers -- testified before
Congress about recent breaches in their security systems. "The unfortunate
reality is that we suffered a breach, and all businesses -- and their
customers -- are facing increasingly sophisticated threats from cyber
criminals," Target chief financial officer John J. Mulligan told lawmakers.
"In fact, recent news reports have indicated that several other companies
have been subjected to similar attacks."

Well, that's not the least bit reassuring. But at least it's honest;
security experts long have warned that there is no end in sight for cyber
attacks upon retailers. In December, at the height of the Christmas
shopping season, Target revealed it had been hit by hackers who lifted 40
million debit and credit card numbers from its customers. Company officials
later said that hackers also grabbed personal information such as names,
home addresses and telephone numbers from up to an additional 70 million
consumers. Weeks later, Neiman Marcus said 1.1 million of its customers had
been affected by a three-month-long data breach, an act that has resulted
in 2,400 cards being used in fraudulent transactions thus far.

Such cyber strikes on U.S. companies are not a coincidence. As the Wall
Street Journal recently reported: "Chip-based credit cards -- in which a
smart chip in the card works with special readers installed at stores -- are
widely used in Europe and Canada, making it more difficult for thieves to
profit from the sort of massive data breach that hit Target over the
holidays. . . . But the technology has yet to be embraced in the U.S., and
as a result, the U.S. has become the preferred target for criminal hackers."

Part of the reason for that is the ethos of the United States. As
caretakers of a society that is leery of any action that can be construed
as an intrusion on personal privacy, Americans are loath to accept things
such as smart chips in their credit cards. But, as Ed Mierzwinski of the
U.S. Public Interest Research Group told members of Congress: "Target was
at fault, Neiman was at fault, but they're not completely at fault. They're
asked to accept cards that are inherently dangerous."

A decade ago, Target was at the forefront of efforts to institute card
chips in this country, but the company abandoned the project. "A review of
the program led the leadership team to agree that there were potential
operational, financial and marketing benefits," Mulligan told the Wall
Street Journal. "However, without broad industry adoption of the technology
to ensure a consistent guest experience, there weren't enough benefits at
that time to continue the test."

Now, it would seem, is a logical time for U.S. retailers to adopt such
technology. The Target breach made clear the shortcomings of the current
system, subjecting consumers to identity theft that can endanger their
personal finances and can be troublesome to clear up. When it occurs on
such a vast scale, it can hamper the economy of the entire nation. For now,
however, consumers are left with nothing more than a two-word warning when
it comes to securing their personal information: Buyer beware.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
