America loves a good heist. It could be a simple bank robbery, a jewelry theft, or a mob hit on an airport terminal. Whatever the case, we simply cannot get enough of true crime. It should come as no surprise then that the wires are burning up over the alleged compromise of over 40 million payment cards through Target (TGT) stores across the United States. This story is just beginning to be told, but I thought it might be helpful to share some thoughts on what it could all mean.
Theft of Electronic Information from Retailers is Nothing New
From the way some of the stories are portraying what happened at Target, you might think that this was the first time a large chain retailer was hit by payment card theft. Well, you’d be wrong. Retailers are compromised on a regular basis, despite pretty stringent efforts on their part to secure their transactions. Normally, the thefts are relatively small, but on occasion they are in fact massive. Back in 2007 retail company TJX (TJX), owner of TJ Maxx and Marshalls, disclosed that nearly 46 million payment card records were stolen from its systems.
More recently, the grocery chain Schnucks suffered the loss of more than 2 million payment cards. Even high-end retailer Nordstrom (JWN) has been hit, as it discovered this fall that small devices had been planted in its stores that allowed payment card information to be skimmed directly from the registers themselves.
What does all this mean? Basically, this is certainly not the most pleasant event in the history of Target, but at the same time, it isn’t the first time this kind of theft has hit a major retailer. It won’t be the last time either.
There Is a Stolen Credit Card Reseller Market That Thrives On These Kinds of Crimes
As I wrote before, the criminals of the world have figured out how to monetize cybercrime and cyberattacks. Previously, I focused on how easy it is to obtain cyber weapons. What I did not mention from that same McAfee report is how there is a virtual menu (pun intended) for stolen payment card information. Criminals offer up stolen payment cards for relatively paltry sums, in some cases as little as $15. Prices go up to at least $200, based on the level of security associated with the card and the information available (balance, PIN code, etc.). The point is that the criminals did not undertake this attack so that they could have 40 million credit cards at their disposal. Rather, they did this to resell the information (no word yet if there is a coupon for buying multiple cards). Worse yet, the incentives are all on the side of the criminals. An attack like this does not cost much to carry out, and in all likelihood they will make millions of dollars as a result.
This Is Going To Be Far More Painful for Target Than It Will Be For You
Having a credit card stolen is never fun, and learning that your card number may have been compromised is nearly as bad. You have to comb through your statements to find possibly fraudulent charges, talk to your credit card company, and possibly get a new card. That is its own hassle, as you have to wait for the new card to arrive and then change your saved credit card information for iTunes, E-ZPass, the cable bill, etc.
Whew, that’s annoying. But what’s missing from that arduous task list? Oh yes, being held personally responsible for the fraudulent charges. You simply tell your card issuer or bank which transactions were not yours and, basically, that is the end of the story. (One caveat: if the compromised card was a debit card, report promptly, because the liability limits that protect you there depend on how quickly you speak up.) So the cost to you, the consumer, is basically invisible.
For Target, it is a far different story. Let’s just say the C-suite and their lawyers are going to be very busy in the coming months. Target is going to have to deal with multiple lawsuits (alleging poor security, among other things), possible reputational harm, paying for customer credit monitoring services, arguing with insurers over whether any policies provide reimbursement, and additional cybersecurity and cyber forensic services. The most painful part of this for Target will likely be dealing with state regulators. Every state has an Attorney General, and many of them are rabid when it comes to consumer protection. No doubt Target is going to be the subject of multiple investigations, and that will be unpleasant to say the least.
So what’s the total cost to Target? No one can truly tell, but as a reference point, TJX wound up spending at least $250 million as a result of its data breach. Whatever the number is, it will be far more than Target wanted to spend.
As Bad As It Was, It Could Have Been Much Worse
The cyberattack on Target was pretty nasty, not only in terms of its size, but also its timing. Some reports have indicated that the criminals behind the hack benefited from launching their effort during the holiday shopping rush, when transaction volume was at its peak. That may have been one of the reasons the attack was able to run for nearly three weeks without detection.
Three weeks. That may or may not be a long time. Cybersecurity experts, lawyers, and government officials will argue about that for some time to come. But what is quite obvious is that it was not nearly as long as some previous attacks. The TJX payment card breach lasted for more than a year before it was detected. Heck, even some government agencies have been breached for months without noticing. So, as bad as it was, it could have been far worse. This assumes, by the way, that the attack is over. Don’t forget that these attacks sometimes leave behind malware that sits dormant for months before activating. Target is surely hoping that is not the case here.
Consumers have to be careful here, too. It may be months before fraudulent activity shows up on a card. Consumers also have to worry about the unsavory types who like to prey on victims. There are endless examples of cybercrimes that are perpetrated by people who pose as a bank, credit monitoring service, or even the store that lost your information. So it’s the same advice as always: be careful who you give your personal information to, and be mindful of bogus emails or websites.
Hopefully, however, this attack only struck Target. If I were counsel to other major retailers, I would be hauling in the chief information security officer to let her/him know that the networks had better be very carefully monitored. I also would be taking a close look at the company’s overall defenses and making sure they were regularly refreshed.
As a final note, this single event should not shake the faith of Target customers. It can happen to any store, and so we have to move on with life. Indeed, I can tell you this: after learning of the breach, my first stop on the way home was … Target. We needed some household items, and I did not hesitate for a second to shop there.
Neither did many others apparently, as the store was packed that night. Onward marches the market.
Brian E. Finch (@brianefinch) is a partner at Pillsbury Winthrop Shaw Pittman LLP, where he focuses on cyber security issues. He can be reached at email@example.com.