(Reuters) – A top retail trade group executive on Sunday called for tougher security standards that could mean more spending for the industry, its banks and business partners after a series of data breaches at major merchants.
Stores and card processing companies have reported a steady stream of security breaches for years, such as those disclosed by TJX Cos in 2007 and by Heartland Payment Systems Inc in 2009, without a major backlash from consumers.
But the latest thefts – including attacks on Target Corp and Neiman Marcus – have involved a broad set of merchants and could mark a watershed moment for security standards as calls grow for changes in the protection of consumer information.
One sign of the change is a new enthusiasm for payment cards that store customer information on computer chips and require users to type in personal identification numbers.
Mallory Duncan, general counsel of the National Retail Federation, which represents Target, Wal-Mart and other big stores, said in an interview on Sunday that the trade group encouraged its members to upgrade to the higher-security cards even though they cost more than old systems that store data on magnetic stripes.
The breaches are “unfortunate but we’re not entirely surprised,” Duncan said at his organization’s annual convention now being held in New York.
“The technology that exists in cards out there is 20th-century technology and we’ve got 21st-century hackers,” he said.
Duncan said the trade group had only made its backing for the higher-security cards public since the Target breach. Banks have quietly begun to offer the cards but mainly for customers to use while traveling. Big U.S. card networks led by Visa Inc will not require the higher security until next year at the earliest.
It is not clear the new “Chip-and-PIN” cards would have prevented the breaches at Target and elsewhere. At the very least they make stolen data harder to re-use, a reason the technology has caught on widely in Europe and Asia.
Investigators believe that hackers used malware that captured customer data from the magnetic stripes on their payment cards. Since Target’s disclosure the more upscale store chain Neiman Marcus has said it also suffered an attack, and sources have told Reuters that at least three other well-known U.S. retailers have been breached but have not come forward.
“I know that it is frustrating for our guests to learn that this information was taken, and we are truly sorry they are having to endure this,” Gregg Steinhafel, Target’s chairman, president and chief executive, said in a statement. “I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team.”
Friday’s announcement is the result of an ongoing investigation into the security breach, Target said. The company is working with the Secret Service and the Department of Justice to determine who was behind the attack. Spokesmen at the Secret Service and the Justice Department declined to comment on the investigation.
Target’s problems reflect a crisis in how customer data is protected, analysts said.
“It’s a little frightening. These bad guys are getting into some of the most secure retailers’ networks, and I’m sure it’s not going to stop at Target,” Litan said. “We need a fundamentally different paradigm here for how we manage security.”
But, with few details emerging about how the crime against Target was committed, it’s hard to say what solutions could have prevented this particular breach.
Shoppers whose personal and financial data was stolen — the exact number is unclear — are at higher risk of falling victim to scams or having their information misused. Target said the two types of data are not linked within its system.
But consumer advocates point to the fact that Target is an industry leader at data mining, the practice of analyzing customers’ information to find out more about their preferences and shopping habits.
“That makes this breach all the more frightening,” said Paul Stephens, director of policy and advocacy at Privacy Rights Clearinghouse, an advocacy group. The volume of information Target has on its customers raised the stakes, he said.
Experts said that with names and mailing addresses, thieves can use the credit cards for online purchases that require that information. On top of that, they can try to trick people into providing even more sensitive information, such as Social Security numbers, or hack into their computers.
The company said it doesn’t know how many customers have found fraudulent charges on their credit or debit cards, but individual stories and lawsuits are beginning to crop up across the country.
A California shopper filed a lawsuit against Target last month and hopes to include other shoppers in a class-action case. Last week, a credit union in Alabama also took action against Target, seeking compensation for costs that would arise from issuing customers new cards, as well as any fraudulent charges.
Neiman Marcus confirmed Saturday that its customers are at risk after hackers breached the Dallas company’s servers and accessed the payment information of those who visited its stores.
The firm has offered few concrete details about the scope of the attack, such as what data were taken or how many customers may be at risk. Nor did it say whether data from any of the other retailers it operates — including Bergdorf Goodman, Horchow, Cusp and Last Call — were affected. In a statement, Neiman Marcus said it was informed of the breach in mid-December by its credit card processor and subsequently informed law enforcement officials, including the Secret Service. The company is taking steps to contain the breach and has “taken significant steps to further enhance information security,” the statement said.
Neiman Marcus spokeswoman Ginger Reeder declined to provide further information on the attack. A spokesman for the Secret Service also declined to comment.
The company apologized to its customers for the breach through messages on its Twitter feed and said that it is working to notify those whose cards were used fraudulently after visits to Neiman Marcus stores.
(Reuters) – The Syrian Electronic Army, an amorphous hacker collective that supports Syrian President Bashar al-Assad, claimed credit on Wednesday for hacking into the social media accounts of Internet calling service Skype.
The group also posted the contact information of Steve Ballmer, Microsoft Corp’s retiring chief executive, on its Twitter account along with the message, “You can thank Microsoft for monitoring your accounts/emails using this details. #SEA”
That message was an apparent reference to revelations last year by former National Security Agency contractor Edward Snowden that Skype, which is owned by Microsoft, was part of the NSA’s program to monitor communications through some of the biggest U.S. Internet companies.
A message posted on Skype’s official Twitter feed on Wednesday, apparently by the hacking group, read: “Don’t use Microsoft emails (hotmail, outlook), They are monitoring your accounts and selling the data to the governments. More details soon. #SEA”
Similar messages were posted on Skype’s official Facebook pages and on a blog on its website before being taken down in late afternoon. The SEA later tweeted out copies of the message “for those who missed it.”
(CNN) — Hackers appear to have posted account info for 4.6 million users of quickie social-sharing app Snapchat, making usernames and at least partial phone numbers available for download.
The data were posted to the website SnapchatDB.info. By late Wednesday morning, that site had been suspended.
The hack was seemingly intended to urge Snapchat to tighten its security measures. The anonymous hackers said they used an exploit created by recent changes to the app, which lets users share photos or short videos that disappear after a few seconds.
“Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed. It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does,” the hackers said in a statement to technology blog TechCrunch.