Fri, Dec 11, 2015

Ghosts of Retail Data Breaches: Past, Present and Future

“Without their visits,” said the Ghost, “you cannot hope to shun the path I tread.”

~ from Charles Dickens’ classic, A Christmas Carol

The holiday season is upon us, and with it comes a barrage of bad tidings about cyber threats, retail data breaches and risks to consumers. While the cyber events of the past cannot be changed, and the problems of the present are ever-burdensome, the future is not marked in stone; it can be changed, when warnings are heeded, of course. With a nod to Charles Dickens, Kroll offers its own twist on the “ghosts” of data breaches past, present and future with a little wisdom thrown in for good measure!

Ghost of breaches past: missteps to avoid

When Target announced last December that 40 million customers had been hit by its data breach, the resulting outcry was like nothing seen before. Customers, stockholders, the media, regulators, legislators and litigators: the fallout has haunted Target for months. Target saw both sales and share prices drop at the end of 2013, and has since disclosed breach costs reaching over $150 million.

Looking back, some of the harshest criticism was aimed at the company for not disclosing the breach in a timely way and subsequently issuing updates that did little to shed light on the scope of the breach. By the time it announced in January that up to 70 million customers’ data had been compromised, it had squandered much of its credibility and goodwill with consumers and other stakeholders.

Word to the wise:

  • Tech tip: Strictly limit administrative access to your network. Any intersection of programs within your network, especially third-party integrations, is a vulnerability that leaves the door open for malicious intruders.
  • Policy tip: Create and practice your incident response plan so you’re ready to immediately mobilize resources if a breach occurs.
  • Communications tip: Ensure that your team includes trusted investigators and professionals who are knowledgeable in breach response, including public relations pros, to relay accurate and constructive communications with stakeholders.

Ghost of breaches present: threat awareness is key

Of course, Target is not the lone retailer haunted by a data breach; Home Depot, Kmart, Michaels, Neiman Marcus and Supervalu have all reported data breaches, some as recently as last month.
As holiday shopping shifts into overdrive, the temptation — and opportunities — for hackers grows exponentially. If we could hang on the sleeve of the ghost of breaches present, we’d see retail hackers of all stripes working hard to take advantage of myriad data security vulnerabilities. For example, although chip and pin credit/debit cards may now be available in the U.S., their presence and use are still a bit of an apparition. Additionally, phishing emails and associated sites become ever more sophisticated and difficult to distinguish from legitimate companies.

Word to the wise:

  • Tech tip: Require multi-factor or two-step authentication for all remote connections. This extra level of protection makes it that much more difficult for potential cyber thieves to steal passwords or other identifying credentials. Other sound steps include application whitelisting to allow only known, legitimate applications and end-to-end encryption technology.
  • Risk tip: Consider obtaining cyber insurance coverage. Just the application process itself can be very helpful in identifying vulnerabilities and gaps in security; unexpected and scary findings could be the motivation needed to make significant data security improvements in the nick of time. Many policies also require recommended practices (such as encryption) and include access to invaluable resources, such as experienced investigative teams, notification experts, and credit monitoring and remediation solutions.
  • Policy tip: Test and practice your response! Also known as tabletop exercises (TTX), these simulations can identify security gaps; instill greater confidence in your first responders; demonstrate regulatory compliance; and most importantly, can potentially reduce harms from an actual breach, including notification, remediation, litigation and reputational costs.

Ghost of breaches future: changing fate

For retailers unprepared for a data breach, the aftermath can be bleak indeed. Companies can face reputational and brand damage as well as losses in customers, revenue and share prices, not to mention increased costs for litigation and regulatory penalties. For consumers, identity theft can be a huge headache, particularly if the only remedy provided is credit monitoring. Consider that 84.8% of identity thefts reported to the Federal Trade Commission in 2013 would not have been detected via credit monitoring alone. Credit monitoring is strictly limited to alerting the consumer to activity that has already occurred, and does nothing to assist if the activity turns out to be identity theft related.
Luckily, there is hope that, in Dickens’ words, “the shadows of the things that would have been, may be dispelled.” The key is for retailers to think beyond credit monitoring and instead explore how they can best serve customers whose data is lost or becomes compromised in their care.

Word to the wise:

  • Risk tip: Given the recent attention to what constitutes a proper consumer offering (i.e., California’s Assembly Bill 1710, which takes effect January 1, 2015, and includes controversial mandates regarding identity theft mitigation services), companies would be well-served to consider consumer remediation carefully. A risk-based approach assists breached organizations in looking at the facts of the breach, including what types of sensitive information were compromised, so that a relevant and useful offering can be developed and implemented.
  • Tech tip: Identity theft mitigation services encompass far more than credit monitoring. Look to various non-credit monitoring options that search for instances of sensitive information from a host of sources: public records, payday loans or check cashing services, and even “dark” websites known to be associated with criminal activity. These types of products will help consumers by monitoring more than just credit information and deliver the dynamic vigilance necessary to detect fraudulent activity.
  • Communication tip: Depending on the sophistication of the identity thieves, consumers may need in-depth help to restore their good name. Consider offering customized, one-on-one restoration services with verifiable experts like licensed investigators, who can help restore your consumers’ peace of mind as well as their identities.

One of our wishes is that no one suffers a data breach this holiday season and beyond, but we hope you find helpful the ideas and solutions shared in these visits with the ghosts of breaches past, present and future. Have a safe and happy holiday season!

“I told you these were shadows of the things that have been,” said the Ghost. “That they are what they are, do not blame me!”
