Wed, Jan 22, 2014

Unusual Challenges: What Are the Implications for Retail Data Breaches?

To really understand a person’s problems, you need to walk a mile in his or her shoes – at least, so the saying goes. In the case of the Target breach, your organization can potentially learn a lot from walking a mile in a breached organization’s proverbial shoes. This event is turning out to be a game changer in more ways than one, and all organizations with a vested interest in keeping Personally Identifiable Information (PII) safe really should take note.

To begin, it’s important to note that the Target breach has been inevitably compared to the TJ Maxx (or TJX) breach ad nauseam. Yes, they were both very large breaches of credit card information. But retail data breaches have a certain “in the now” element that makes TJX yesterday’s news almost to the point of irrelevance – particularly when you consider just how quickly media coverage, consumer sentiment, regulatory oversight and legal implications have evolved during this breach alone.

Kroll typically looks at four separate factors when starting the analysis of the potential impact of a breach. Each event is different and therefore each factor has a different level of impact or risk to the organization, but all of these factors will come into play in some fashion:

  • How did the data breach occur?
  • What was the size of the breach?
  • What type of PII/PHI was exposed?
  • Who is the impacted population?

Admittedly, there are certain specifics (particularly as to “how” the breach occurred) that are not publicly known, but the implications of what’s known suggest that the most important factor in the Target breach is size. This is a large breach by anyone’s standards, and subsequent reports indicate that the total number of individuals impacted may be more than double the original estimate.

In addition to the effect on the scope and cost of breach notification efforts, a breach of this size will garner lots of media attention. To make matters worse, the event happened during the busiest shopping season of the year, making it a perfect topic for discussion.

But the size of the breach is not the only important factor in this case; the type of PII/PHI exposed has been quite a can of worms for Target. Lost credit and debit card information can affect the consumer in many different ways, but it should be noted that a breach of this type of information also directly affects banks and card issuers. These institutions are tasked with things like vigilantly watching account activity or issuing new cards and numbers.

Because of the size of the breach and reports of subsequent activity, it was reported that some banks began limiting charges and ATM withdrawals on debit cards, which places additional burden on consumers at the holidays, usually a period of increased spending. This speaks to the last factor, “who is the impacted population?” and in Target’s case, they have a very diverse group that will be affected in many different ways, further complicating their response.

But, of course, the breached information didn’t stop there: the most recent revelation has been that hackers also stole additional guest information, including names, addresses and emails. This increases the possibility that the thieves might be able to complete a full “profile” of information on the consumer, through phishing or other techniques. The type of PII/PHI exposed is a very large issue which is discussed further in another post.

Target continues to move forward with notification of affected populations, and has thus far maintained good communication with the media, affected consumers, and state attorneys general, although clearly there has been some increased regulatory scrutiny, likely because there are few details surrounding the first factor, “How did the breach occur?” Two state senators have already called upon Target to share further information on this point.

The Target event is a breach with unusual challenges, so it is difficult to say whether it is an indicator for future large retail breaches; however, all industries should take note of the speed with which class action lawsuits have popped up, the quick scrutiny of regulators and, more positively, the interest in retail and financial institutions working together to solve the very expensive problems breaches can cause.
