The Green Sheet Online Edition
January 27, 2014 • Issue 14:01:02
Target hack underscores importance of breach reporting
As Target Brands Inc. is finding out following the high-profile data breach that occurred at its stores over the 2013 holiday shopping season, breaches are embarrassing and expensive. Several class-action lawsuits have been filed against Target to date.
On Jan. 7, 2013, a class action was filed in the U.S. District Court for the District of Oregon at Portland. Among the suit's claims is that security investigator Brian Krebs reported on the 40 million bankcard compromise before Target notified its customers of the breach.
On Jan. 10, Target raised the number of affected customers to 70 million, and Neiman Marcus admitted it, too, had experienced a data breach but did not disclose the number of affected customers. At the same time, media reports indicated certain outlet mall retailers also experienced breaches, but the stores were not named.
It will be a long, costly process for Target and other retailers to ensure that further breaches do not occur and to reassure a jittery public about shopping at affected stores. Forensic investigations must pinpoint the sources of breaches, and security vulnerabilities must be remedied.
Ross Federgreen, founder of data security firm CSR, pointed to data breach reporting as another process that can cost compromised retailers a minimum of $10,000. By law, businesses must submit breach notifications to federal, state, local and sometimes international agencies. Following a breach, one of CSR's clients had to submit 60 reports. "That's highly atypical," Federgreen said, adding that three to five reports per incident is typically required.
According to Federgreen, larger businesses are more diligent in reporting breaches than smaller ones. "The vast majority of small and middle-sized companies: one, may not even know that breaches have taken place; and two, many times they sweep them under the carpet," he said.
The consequences of not reporting breaches can be drastic, with "very serious dollars" assessed in penalties, Federgreen noted. Additional damages include class-action lawsuits, years of federal oversight, civil and possibly criminal prosecution, not to mention reputational damage and loss of sales, he said.
On Jan. 7, 2013, CSR reported that the U.S. Patent & Trademark Office issued CSR a patent for the CSR Breach Reporting Toolkit. Federgreen said the toolkit is an automated service that manages and expedites the reporting process for small and midsize businesses.
"All of these entities that have, or suspect breaches, have significant reporting requirements in a very short time window," Federgreen said. "And it's literally impossible for small and middle, and frankly for large companies, to do it without the aid of large battalions of folks."
While large companies can afford to have breach response teams, smaller businesses don't have that luxury. "The vast majority of companies simply cannot, and they are subject to breaches, if not more of them," Federgreen said. He added that the extension of breach reporting requirements into the realm of suspected breaches only adds to the complexity because "nobody, including the courts, has a uniform definition of what that threshold of suspect really means."
Medical data, ACH vulnerabilities
Federgreen also noted that only 4 to 7 percent of breaches are bankcard related, while over 90 percent of hacks target other types of personally identifiable information, such as Social Security and driver's license numbers, dates of birth and health records.
Medical fraud is the most prevalent form, according to Federgreen, with fraudsters stealing Medicare numbers and collateral data that result in the theft of billions of dollars annually. Compared with the electronic payment processing infrastructure, medical information networks are not as secure, he said.
One weak point in electronic payments is in the area of automated clearing house (ACH) transactions, such as check payments. Federgreen said banks' ACH networks are secure if not infallible, and the danger lies in security vulnerabilities of ACH payment originators.
For instance, when a consumer sets up a recurring monthly payment at a check cashing business, the check casher puts the consumer's bank routing and account number on file before submitting the debit request to the bank. According to Federgreen, that ACH transaction and routing information is often not stored by the originator in a secure database, making it easy to hack, which gives fraudsters ready access to bank accounts.