Source: the Guardian. The current article can be found at http://www.theguardian.com/commentisfree/2014/may/06/target-credit-card-data-hackers-retail-industry

What Target and Co aren't telling you: your credit card data is still out there
Target wants you to know that you can trust it again. Nearly seven months after the second biggest retailer in America ignored multiple alarm bells, allowing thieves to virtually hijack the cash registers at some 1,800 stores and siphon at least 40m credit and debit card records plus contact info for more than 70m customers, CEO Gregg Steinhafel is out, and the company has pledged to spend $100m upgrading the security of its checkout system.
But Monday's mea culpa papers over problems still endemic throughout the American retail industry: an over-reliance on in-store technology rather than cybersecurity experts in the boardroom, and a tendency to underestimate the lengths to which bad guys will go to steal anything that isn't properly nailed down.
Ever since I began chasing leads around the holidays that led to the exposure of the Target breach, industry analysts told me they couldn't believe it. After all, they reasoned, this was a big-box giant that had invested almost more than any other retailer in technologies to help prevent such an attack – or at least to let the company know the minute they'd been had.
It's now clear that Target and other major retailers have been spending money in the wrong places – and that they've left a gaping hole in the internet for hackers to keep stealing yours. By the time the industry grasps that a bottomless budget for security software, hardware and services means little if you don't have the empowered geeks to help recognize a breach early on, it may already be too late.
Yes, Target is updating its cash registers to use so-called "chip-and-pin" technology, which makes it far more difficult and costly for crooks to create counterfeit credit cards ... while doing absolutely nothing to prevent the theft of the card data itself. The US is already embarrassingly far behind the rest of the world in its adoption. And as every other country that long ago moved to chip-and-pin can attest, this approach alone shifts more of the fraud to e-commerce transactions, where merely knowing a card number and expiration date is enough to push through gobs of fraudulent shoe purchases.
There is an easy fix: if Target or Wal-mart adopted end-to-end encryption, the incentive for fraudsters to target payment terminals at all would be effectively removed, instantly. The data gets encrypted, and hackers have to go somewhere else – the bank or a processor – for a shot at your information. But there has been far too little discussion in the retail industry about adopting this additional security protection – mostly because it's much more costly to justify the expense in the short run.
What Target and its competitors haven't mentioned is that Visa and MasterCard have essentially mandated the adoption of chip-and-pin, with strict liability rules set to take effect in October 2015 – indeed, that the big-boxers have been kicking the can down the road for years. So thousands of hackers already know they've got little more than a year to exploit a lack of credit- and debit-card security that spans multiple major US retailers, and they are almost surely working overtime to probe the defenses of even more than that.
The retail industry has long viewed physical security – including the prevention of theft by employees and contractors – as a more present and costly problem than cyber crime. But the distinction between physical and cyber security is quickly eroding, if indeed there ever was one. Virtually all aspects of retail operations are connected to the internet these days: when the security breaks down, the technology breaks down – and if the technology breaks down, the business grinds to a halt. Not that you would ever know it by looking at how companies spend their scarce security budgets locking down technology they don't even rely upon.
It's been nearly five months since my reporting on the holiday breach went public, and Target is still searching for a Chief Security Officer (CSO) or Chief Information Security Officer (CISO). In this respect, it's not unlike the rest of the industry: take a look at the executive leadership pages for the major retailers and you won't find anyone in charge of security on the list – even at other retailers that have suffered similar breaches in recent months, including Neiman Marcus, Michaels Stores and the nationwide cosmetics chain Sally Beauty. True, in almost all cases the security chief reports directly to the Chief Information Officer (CIO), but perhaps given the target being painted on the entire world of American retail, the hierarchy should work the other way around.
Based on my reporting, there are indications that US retail chains have begun poaching each other's best cybersecurity experts. This is an encouraging sign, but without a clear seat at the table for top security executives, those alarms are likely to continue to go unheard over the demands of those in the marketing department.
Traditionally, CSO and CISO positions have been viewed as the requisite "fall guy" jobs – the sacrificial lamb who gets culled from the herd when, say, 10m customers lose their information to hackers and their trust in your company. The first executive head to roll at Target wasn't Steinhafel – it was the company's CIO, Beth Jacob, who was also replaced last week. Maybe if the corporate IT department was trusted and empowered rather than vilified and thrown on the street, the folks running the real cybersecurity outfits – in Silicon Valley and elsewhere, who know where to look for the hackers waiting to prey on your digital wallet – would be sending in their resumés.
Or maybe you should ask Gregg Steinhafel if he's worried that you can't, in fact, trust Target again. The newly minted ex-CEO could reap anywhere from $10m to $55m in executive compensation. That works out to roughly 25 cents to more than a dollar in a golden parachute for each customer credit and debit card that was stolen on his watch.