Data breaches: Target is just the tip of the iceberg.

I’m sure we aren’t the only family who’s had to suffer through the aftershocks of Target’s infamous Great Thanksgiving Weekend Data Breach that occurred in late 2013.

According to news reports, as many as 40 million Target credit cards were exposed to fraud by the data breach.  And as it turns out, the initial reports of nefarious doings were just the beginning.

Even after being given a new credit card number, my family has had to endure seemingly endless rounds of “collateral damage” for more than a year since, as Target’s very skittish credit card unit staff members have placed card-holds at the drop of a hat … initiated phone calls to us at all hours of the day … and asked for confirmations (and reconfirmations) of merchandise charges.

Often, these unwelcome communications have occurred on out-of-town trips or whenever someone in the family has attempted to make an innocuous online purchase from a vendor based overseas.

It’s been altogether rather icky — in addition to being a royal pain in the you-know-where.

But our experience has hardly been unique.  Consider these scary figures when it comes to data breaches that are happening with businesses:

  • On average, it takes nearly 100 days to detect a data breach at financial firms. 
  • It takes nearly 200 days to do so at retail establishments.

Those unwelcome stats come to us courtesy of a multi-country survey of ~1,500 IT professionals in the retail and financial sectors.  The study was conducted by the Ponemon Institute on behalf of network security and software firm Arbor Networks.

The next piece of unsettling news is that, even with the long “dwell” times of these data breaches, the IT professionals surveyed aren’t optimistic at all that the situation will improve over the coming year.  (Nearly 60% of those working in the financial sector aren’t optimistic, and neither are a whopping ~70% in retail.)

It’s doubly concerning because companies in these sectors are such obvious targets for hack attacks.  The reason is simple:  The amount and degree of customer data stored by companies in these sectors is highly valuable on the black market — thereby commanding high prices.

It makes it all the more lucrative for unscrupulous people to make relentless attempts to hack into the systems and extract whatever data they can.  IT respondents at ~83% of the financial companies reported that they suffer more than 50 such attacks in a given month, as do respondents at ~44% of the retail firms.

The impact on companies isn’t trivial, either.  Another study released jointly just last week by Ponemon and IBM, based on an evaluation of ~350 companies worldwide, finds that the average data breach costs nearly $160 for each lost or stolen record.  And that’s up over 6% from a year ago.  (The Target breach cost substantially more on a per-record basis, incidentally.  And for healthcare organizations, the average cost is well over $350 per record.)

What can be done to stem the endless flood of data breach attacks?  The respondents to this survey put the most faith in technology that monitors networks and traffic to stop or at least minimize these so-called advanced persistent threats (APTs).  More companies have been implementing formalized incident response procedures, too.

As Dr. Larry Ponemon, chairman of the Ponemon Institute, has stated, “The time to detect an advanced threat is far too long; attackers are getting in and staying long enough that the damage caused is often irreparable.”

Clearly, more investment in security tools and operations would be advisable.

Anyone else care to weigh in with opinions?

3 thoughts on “Data breaches: Target is just the tip of the iceberg.”

  1. Things will not change until pursuing the bad guys and protecting the customer becomes a priority. Even in the case of the physical theft of a card, checking ID — even on large purchases — is a thing of the past.

    The bulk collection of data by government, insurance companies and businesses, along with the relentless push to do everything online, makes us sitting ducks. My Verizon and Care First accounts were hacked — the only two things I have ever done electronically and against my better judgement. Now I have no online accounts and pay a “paper bill” fee to some of my vendors.

    I have made it hard for myself so that it is hard for others. I have to physically walk into a bank in order to make a withdrawal. But it is well worth the peace of mind.

  2. I was a victim of identity theft the first time in 2001 … again in 2003 … then at least 5 times, my credit card has been replaced because the number was stolen (it was never out of my possession).

    The only thing you can do to protect yourself is put a security freeze on your three credit reports. I did that after 2003 and now no one can open an account in my name…not even me without temporarily unfreezing. It’s a pain, but it works.

    As an ID theft victim, that service is free to me, but it’s worth the $10 you might have to pay to do the same. I also use just one credit card so that it’s easier to track activity.

    I have NEVER used a debit card. I know hackers have my info from Target, The Home Depot and other breaches, but there is little they can do with just my credit card number.

    Bottom line: You have to protect yourself. No one else is going to do it.

  3. It seems to me the question is this: How long can financial institutions and large retailers continue to take these enormous hits?

    It’s not only the money — which is considerable — it’s the integrity of valuable brands.

    Just think of the damage done to Target. Is there really some way to get ahead of hackers and stay there? People have been saying we can do that for well over a decade now, but with no (or very little) success. We’re getting to the point where many people understandably don’t want to use their bank cards online. Others don’t even want to use them in stores, unless they absolutely have to (see the other comments on this post). Online commerce has been touted as the future of retail. We’ll see.

    One other thing that concerns me is this new business of replacing PINs with fingerprints. If that ever happens, when somebody mugs you and takes your credit/debit card or iPhone, he or she might well pull out some pruning shears and take your index finger(s), too!
