Cyber(in)security: The Perils of Preserving Customer Data

Posted on 02-24-2014
Tags: Real Law

Brought to you by the Real Law Editorial Team

“Be Prepared” is one of the world’s most enduring mottos. It has been used, with international and organizational variations, by millions of Boy Scouts—and later Girl Guides and Girl Scouts—for over a century.

But like another famous motivational maxim—Nike’s “Just Do It,” which was created by an ad agency in 1988—the venerable Scout motto also has a place beyond its original purpose. Those in positions of leadership, for example, would recognize how much—consciously or unconsciously—the expression guides their conduct.

Yet as recently as just a few years ago, asking corporate directors, senior executives and general counsel to identify the toughest risk management issues they face likely would have prompted references to liquidity concerns, regulatory compliance or bad debt, for example. Few might have given any thought to including cybersecurity among their most pressing concerns.

That’s no longer the case. While a handful of familiar issues still demand constant attention, the imperative of having effective information security measures aimed at preventing data loss is increasingly top of mind for many businesses and organizations.

Into the Breach

Financial services firms and major U.S. retailers in particular may be in the forefront of giving cybersecurity greater emphasis, but they are not alone in recognizing the harsh reality behind such a shift: identity theft, denial of service attacks and other breaches are at an all-time high, and the costs of those incidents are soaring.

Indeed, in the words of one security expert, it’s a war out there with an enemy that poses “a formidable, organized and very sophisticated threat.” Moreover: “It’s no longer a question of if, but when an attack will occur and how best to ensure it doesn’t infiltrate sensitive accounts.”

For Minneapolis-based Target Corporation, the wake-up call for dedicating itself to improved information security came as a result of a massive pre-Christmas data breach, the consequences of which continue to reverberate.

Between November 27 and December 15, 2013, point-of-sale terminals at the country’s second-largest discount retailer were infected with malicious software that extracted customer card numbers and other sensitive details. Altogether, some 40 million credit and debit cards were compromised, along with 70 million other records containing personal information such as the street and email addresses and telephone numbers of customers.

An Ongoing Threat

Soon after early details of the Target breach were released, Dallas-based luxury retailer Neiman Marcus admitted that customer cards had been recently compromised at its stores. The company eventually confirmed that intruders, who were suspected of using the same malware that had gone after Target, had tapped into its point-of-sale and computer systems for several months in 2013 and that the breach involved 1.1 million customer debit and credit cards.

Like Target, Neiman Marcus did not notice the data thefts on its own. A payment processor traced unauthorized charges to cards used at the company’s stores and notified the retailer.

Meanwhile, as news of the two incidents grabbed headlines around the world, a private cybercrime intelligence firm said it had uncovered at least six ongoing attacks on other well-known U.S. merchants. Sherman Oaks, CA-based IntelCrawler LLC had already alerted law enforcement officials, Visa Inc. and several large banks. The report reinforced the notion that a wider assault on U.S. retailer data was suddenly under way.

In fact, the threat has been ongoing for years, and it’s not just retailers that are at risk. Banks, credit unions, wealth management organizations, credit card companies and payment processors—indeed, anywhere that money changes hands, including legal offices—are just as vulnerable.

Adapting to New Realities

The reasons for such far-reaching exposure are not hard to understand. Terrie Cloud, senior vice president with Virginia-based International Consulting, Inc., which advises and assists U.S. and international banks and credit unions on a wide range of issues related to their essential systems and processes, says a large portion of the blame rests with companies and organizations that have been unwilling or too slow to adapt to change.

“For literally hundreds of years, financial institutions in particular have done a great job of working the physical threats they face,” says Cloud. “They’ve got alarm systems, dye packs and security cameras—the list goes on and on. But it’s a different game now. Electronic threats should be just as big a concern. And as technology changes, the bad guys get smarter and smarter. So banks and service providers have to continue to evolve and generate better security systems to protect themselves—and, more importantly, their customers’ data.”

Cloud’s view contradicts a notion that the recent spate of attacks is evidence that cybercriminals are outpacing the ability of companies to respond. On the contrary, the high-profile intrusions, as well as many breaches that go unreported, often take advantage of outdated systems or other weaknesses that could be remedied. For example, intruders gained access to Target’s system after stealing the login credentials of an HVAC contractor doing work for the company. Exploiting a low-level victim as an entry point to an organization’s network is a common tactic among cyberthieves.

Keeping Up with the Times

Another glaring vulnerability is the prevailing use of debit and credit cards that have magnetic stripes. The United States is far behind other countries in adopting “chip-and-pin” cards—so-called for their use of an embedded integrated circuit or chip and the requirement for the user to enter a personal identification number (PIN) to authenticate transactions at point-of-sale terminals and automated teller machines, or ATMs.

Visa and MasterCard have mandated a U.S. switch to the newer cards—to replace those that still use magnetic stripes—by 2015, which has prompted a lot of grumbling and stonewalling among those who will be affected.

“Again, I think it’s a fear of change,” explains Cloud. “For a long time, we’ve had cards with magnetic strips.” But he also acknowledges that many U.S. companies may be balking at the price tag of converting to the new technology.

“You’re asking every retailer to switch out their terminals for ones that work with chip-and-pin cards. Those terminals are a lot more expensive. You’re asking the processors to be able to process those transactions. And you’re asking banks and other financial institutions to reissue cards, which aren’t cheap. The average cost of a regular debit card is around 50 cents versus between $2 and $3 for a chip-and-pin card. Somebody, whether it’s the financial institution or the customer, has to pay for what is at least a 300% increase.”

No Methods Are Foolproof

Nor are chip-and-pin cards alone the answer to thwarting cybercriminals. The cards are proven to be more secure, but even they represent decade-old technology.

Also, the cards don’t change anything for transactions such as online shopping or banking, where no card is physically presented. That is another reason financial institutions and other organizations are experimenting with a range of alternatives for securely authenticating and authorizing users, ranging from fingerprints, iris scans and facial recognition software to various types of behavioral modeling and cognitive profiling that establish patterns in a user’s actions.

But those methods aren’t foolproof, either. They also raise concerns over privacy and the increased ramifications of a large-scale data breach.

In the Target and Neiman Marcus incidents, thieves got away with some personal information about customers, which was damaging enough; however, the outcry would have been even greater if it were known that other uniquely identifying data, such as fingerprints, were also stolen.

Upgrade or Face Liability Issues

In the meantime, the U.S. switchover to chip-and-pin debit and credit cards will undoubtedly call even greater attention to another looming problem. An estimated 95% of the world’s ATMs run a version of the Windows XP operating system, support for which is slated to end in April 2014. That means official security updates and patches will no longer be issued by Redmond, WA-based Microsoft, leaving computers and other systems across the country potentially more vulnerable to hackers.

A significant number of airport and hospital systems, as well as government departments and agencies, utilities, businesses and even legal offices across the country, also continue to rely on Windows XP, which was first released in 2001 and received its last major update, Service Pack 3, in 2008.

Organizations and corporations, and anyone with a duty of care, such as medical practitioners and general counsel or attorneys at firms that accept credit card payments or use computers running Windows XP, may need to make some changes—and soon—to avoid possible liability issues.
