High-Profile Retailer Data Breaches Prompt Security Discussion, Say Providers


Retailers are reviewing their security postures following the massive Target Corp. data breach, according to security experts who say the high-profile incident has helped raise security awareness in a market that is traditionally slow to adopt and deploy new technologies.

In a Monday interview on CNBC, Target CEO Greg Steinhafel acknowledged malware had been installed on the retailer's point-of-sale systems and said the company would make significant changes. He stopped short of indicating what security improvements would be made, if any, citing the ongoing law enforcement investigation into what happened.

Hackers stole the personal information of at least 70 million customers at Target stores during the busy holiday shopping season. The breach included names, mailing addresses, telephone numbers and email addresses. Target initially reported the scope of the breach as being limited to 40 million credit and debit card numbers, but it recently acknowledged the additional customer data.


Once the details about the cause of the Target breach are better known, service providers can better address the weaknesses that led to the breach with their own clients, said John Garner, president of iMedia Technology. Garner said that most small and midsize businesses take an "it won't happen to me" approach to data breaches.

"We'll see more concern when there is a greater impact to the small business community," Garner said. "Our role is to educate them and make them realize they are just as vulnerable and susceptible to the same risks as the big guys."

At least four other retailers may have had a data breach, according to Reuters, which cited anonymous sources who declined to name the businesses. The news comes during the National Retail Federation's annual industry conference in New York City.

Reuters reported that malware discovered on Target's systems was designed to scrape the memory at the store's point-of-sale systems before the data was encrypted and sent to the credit card processor.

Another retailer, Neiman Marcus, disclosed on Friday that it was warned about a possible breach in mid-December and that an outside forensics firm confirmed a breach on Jan. 1, saying it found evidence that some payment card data may have been compromised.

Smaller merchants typically outsource credit card processing to a security-conscious payment processor, said Dan Tervo, president of Tervo Systems, a Clermont, Fla.-based consultancy that specializes in VoIP, cloud backup and security. Ultimately, though, the merchant remains responsible for protecting the customer's data and needs to take stock of the systems and processes it has in place, Tervo said.

"These breaches increase awareness across the board," Tervo said. "Business executives want to know that their customers can trust what they do with their customer's information."

Version 3.0 of the Payment Card Industry Data Security Standard (PCI DSS), released in November, is the card brands' response to the continuing run of card-data breaches. Merchants with a high volume of transactions must undergo an onsite assessment, while many smaller firms instead attest, through a self-assessment questionnaire, that they adhere to the document's 12 requirements.

The latest version of PCI DSS requires service providers that remotely access customers' systems to use a unique authentication credential for each customer, a change that follows breaches stemming from the use of stolen or default remote access credentials. The document also adds explicit requirements for protecting point-of-sale card readers, including keeping an inventory of the devices and periodically inspecting them for tampering or substitution. Cybercriminals and local thieves can find ways to tamper with the card reader, or figure out a way to steal the swiped data before it is encrypted and transmitted to the payment provider, Tervo said.

Most businesses are committed to protecting their customers' data, but they struggle to balance investment in the right technology with the right policies and processes, said Rob Delevan, information technology consultant at Wasatch I.T. It's about making it difficult for cybercriminals to carry out an attack and having the foresight to plan an effective response for when a breach takes place.

"More people understand and accept the risks associated with using their credit cards," Delevan said. "Businesses understand that there is brand risk associated with the fallout from a breach."

PUBLISHED JAN. 14, 2014