Wednesday, July 11, 2018
Security analysts criticized Macy's for failing to adequately protect consumer data and privacy, calling the company's remedial measures "too little, too late." John Gunn, chief marketing officer at security and e-signature solutions provider OneSpan, noted that most enterprise-scale retailers have already taken necessary steps such as multifactor authentication to secure their card data environments. He called for additional regulations to ensure all merchants follow suit.
"Macy's declaration that they have added additional security measures as a precaution is like saying you have added fire extinguishers after the building has burnt to the ground," Gunn said. "Private citizens have no way of knowing if the firms that they have trusted are implementing proper security measures and the frequency with which breaches continue to occur would indicate that this is not the case."
In a July 2, 2018, letter to the New Hampshire Department of Justice, Michael McCullough, Macy's chief privacy officer and vice president of information management, said security teams blocked malicious traffic on June 11 within six hours of detecting suspicious activity. "Within 24 hours on June 12, we blocked access to the relevant customer profiles, purged all payment card data from the profiles and blocked the profiles until our customers changed their passwords," he wrote.
In a June 26 notification letter to consumers, McCullough advised potentially affected customers to regularly review account activity and credit reports. "Because we believe that the unauthorized third party used your valid username and password to log in to your profile and the third party obtained your credentials from a source other than Macy's, we strongly encourage you to change your password for any online account for which you used the same username and password," he wrote. "In addition, it is always a good idea to ensure passwords to your online accounts are unique, changed regularly and that the same or similar passwords are not reused."
As an added precaution, Macy's is offering customers a year of free credit monitoring and repair services. Dedicated investigators will help recover financial losses, restore credit and ensure that compromised identities are returned to their "proper condition," the company stated. Additional protections include identity theft monitoring, phone alerts and up to $1 million in identity theft insurance policies.
In his letter to the New Hampshire DOJ, McCullough stated the attacker had attempted to access encoded payment card numbers and expiration dates, "the majority of which were for Macy's Proprietary Cards that can only be used at Macy's Inc. entities."
Matthew J. Donnelly, vice president of security and solutions at FreedomPay Inc., said theft of personally identifiable data is just as egregious as credit card theft, because information such as Social Security numbers, addresses and income levels can be used to steal identities. "The recent Adidas hack didn't get much press because they didn't release credit card data," he said. "Private-label credit card breaches may not result in the same fines, but they still affect people."
Donnelly said organizations need to take security seriously and go beyond simply checking a box or getting through an annual audit. He expects to see more overlap in data sharing as service providers strive to make consumer payments frictionless and seamless. "Companies need robust technical infrastructures and data erasure procedures," he said. "They need to stop treating security as an operational expense."
Europe's recently implemented General Data Protection Regulation (GDPR) was designed to protect European citizens but is impacting U.S. companies, Donnelly noted. The regulation became law on May 25, 2018, and gives individuals more say in how companies use and store their personal data.
"GDPR is great for consumer privacy and protection, but IT and security professionals need to know who to contact in each state," he stated. "Colorado and California have just enacted new laws that focus on PII. My industry colleagues expect to see similar measures in other states. Compliance managers may have to triple their staff to meet the new requirements."
Donnelly said FreedomPay customers are required to use all available security tools, as opposed to selectively implementing encryption and tokenization methods. "Security is an all-in-one proposition," he said. "We don't want to be in the news with you when you get breached."
Editor's Note:
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
