I’ll keep this one about the Target breach really short and simple. It’s really just a follow-up to the blog I wrote about whether Target and other retailers should invest the money to adopt new technology to preventatively fight fraud. In that blog I asked the question: “Is it worth $100 million to implement chip and PIN technology?” And my answer was a resounding, “YES!”
Just in case anyone needs any more evidence, take a look at Target’s earnings report that was released in February. Target reports that its net earnings were down $520 million in the fourth quarter, down 46 percent from the same period a year earlier. In a huge understatement, Gregg W. Steinhafel, Target’s chief executive, said, “Results softened meaningfully following our December announcement of a data breach.”
Today I served as the keynote identity theft speaker for the Fort Worth Speakers Foundation, here in balmy Texas (well, compared to Montana, where I spoke last week). After the main presentation, I fielded a range of questions on all topics. One woman asked me this: “At what point is fraud committed as a byproduct of the Target breach no longer Target’s fault?” The question was highly intelligent and the answer is very revealing.
When word got out about the massive security breach that occurred at Target in December of 2013, and which could wind up being the largest in U.S. history, many speculated that shoppers would dramatically change their habits. After all, nearly 1 out of 3 Americans were affected.
But a recent poll conducted by the Associated Press shows that our intentions don’t necessarily match our actions. The AP-GfK Poll, which was conducted in January and involved interviews with 1,060 adults, shows that the majority of Americans polled say they fear becoming victims of theft after the breach.
It’s no surprise that identity theft once again tops the “Dirty Dozen” tax scams put forth by the IRS for 2014. They warn that if an identity thief has access to your personal information, such as your name, Social Security number or other identifying information, he or she may use it to fraudulently file a tax return and claim a refund in your name. Think of the implications for the 110 million victims of the recent Target data breach as well as victims of the hundreds of other breaches at other retailers, universities, healthcare providers, government agencies and so on.
KrebsOnSecurity reports that the information from the Target breach alone has flooded underground black markets, with cards being sold for around $20 to more than $100 each. This data is being sold in hundreds of online “stores” advertised in cybercrime forums. A fraud analyst at a major bank was able to buy a portion of the bank’s accounts from such a store.
If you are one of the 40 million customers who have used a credit or debit card at Target stores in the United States between November 27 and December 15, you’d better start checking your accounts for fraudulent activity. Target confirmed that the data stored on the magnetic strip of cards (customer names, debit or credit card numbers, and card expiration dates) were taken, along with the three-digit security codes (CVVs) often imprinted on the backs of cards.
The type of data stolen would allow thieves to create counterfeit credit cards and, if PIN numbers were intercepted, would also allow thieves to withdraw cash from ATM machines. Only in-store purchases are at risk, so online shoppers need not worry.
Target spokeswoman Molly Snyder would not comment on how customers’ data were stored or encrypted prior to the attack, saying that would be part of the ongoing investigation. Target immediately notified law enforcement authorities and financial institutions, and the issue is being investigated by the Secret Service and a third-party forensics firm.
How to Protect Yourself from the Equifax Data Breach
Equifax, one of the three major consumer credit reporting agencies, disclosed that hackers compromised Social Security and driver’s license numbers as well as names, birthdates, addresses and some credit cards on more than 143 million Americans. If you have a credit profile, you were probably affected.
Credit reporting companies collect and sell vast troves of consumer data from your buying habits to your credit worthiness, making this quite possibly the most destructive data security breach in history. By hacking Equifax, the criminals were able to get all of your personally identifying information in a one-stop shop. This is the third major cybersecurity breach at Equifax since 2015, demonstrating that they continue to place profits over consumer protection. Ultimately, their negligence will erode their margins, their credibility and their position as one of the big three.
Premera BlueCross BlueShield
Health insurance company Premera BlueCross BlueShield said in March that it had discovered a breach in January that affected as many as 11.2 million subscribers, as well as some individuals who do business with the company. The breach compromised subscriber data, which includes names, birth dates, Social Security numbers, bank account information, addresses and other information.
February Cyber Breach
Multi-Bank Cyberheist
In February, a billion-dollar bank cyberheist was discovered, affecting as many as 100 banks around the world. The breaches, discovered by Kaspersky Lab, infiltrated the banks’ networks using tactics such as phishing and gaining access to key resources, including employee account credentials and privileges. The cybercriminal ring, known as Carbanak, then used those credentials to make fraudulent transfers and make hijacked ATM machines appear legitimate as they funneled more than $1 billion into their own pockets.
Anthem
Anthem revealed a breach in February that exposed 80 million patient and employee records. Anthem said the breach occurred over several weeks, beginning in December 2014, and could have exposed names, date of birth, Social Security numbers, health-care ID numbers, home addresses, email addresses, employment information, income data and more. It said it did not believe banking information was taken. The Wall Street Journal reported that Anthem had not encrypted the data that was accessed by hackers.
For the second time in less than a year, the Federal Office of Personnel Management (OPM) has experienced a significant government data breach. In this go-round, it is believed that the data of nearly 4 million past and current federal workers were compromised. This is a staggering number, and an even greater disaster. The data at risk includes “personally identifiable information” (PII) such as people’s names, Social Security numbers, dates and places of birth, and current and former addresses.
In a separate, but related breach in which hackers gained access to information on military personnel seeking security clearances, data thieves may also have accessed information about job assignments, performance ratings and training information, applicants’ financial histories and investment records, children’s and relatives’ names, foreign trips taken and contacts with foreign nationals, past residences and names of neighbors and close friends. Pretty much everything a foreign spy agency would need to compromise national security.