Dyman Associates Risk Management: 10 lessons learned from major retailers' cyber breaches
There has been extensive adverse publicity surrounding what has become the largest data breach in the retail industry, affecting Target and two other U.S. retailers. In NovemberDecember 2013, cyber thieves executed a well-planned intrusion into Target’s computer network and the point-of-sale terminals at its 1,800 stores around the holiday season and successfully obtained not only 40 million customers’ credit and debit card information, but also non-card customer personal data for as many as 70 million customers. In addition, 1.1 million payment cards from Neiman Marcus and 3 million cards used at Michaels were reportedly exposed.
The respected Ponemon Institute announced this June it believes that hackers have exposed the personal information of 110 million Americans—roughly half of the nation’s adults—in the last 12 months alone, and this number reflects the impact of major retailer breaches and others in different governmental or business sectors, but does not include hacks revealed in
July-August 2014.
As we speak, there are news reports about the discovery of large quantities of personal information (including user names and passwords) mined from many websites by a Russianbased hacker group and new malware threats focused at retailers. According to a report released by the U.S. Department of Homeland Security, technology that is widely used to allow employees to work from home or permit IT and administrative personnel to remotely maintain systems is being exploited by hackers to deploy point-of-sale (PoS) malware that is designed to steal credit card data. This threat is being called “Backoff Malware”.
Homeland Security estimates it has been around since October 2013 with a very low antivirus detection rate at the time it was discovered, meaning that even systems with fully updated and patched antivirus software would not be able to identify Backoff as malicious malware.
Snapshot of Target
Target announced at the end of February 2014 that the company’s profit fell by 40% in the fourth quarter of 2013. The company reported $61 million pretax expenses related to the breach, but expected $44 million in cyber insurance payments against this figure. These expenses were incurred for legal costs, breach notification, forensics, and PR/crisis management to date. However, the worst financial costs are yet to come. A senior Gartner analyst estimated that the total exposure to Target could be $450–$500M, which considers lawsuits, regulatory investigations, breach response, fines and assessments, loss of revenue and security upgrades.
Both the cyber insurance and directors & officers insurance programs at Target are involved, since Target announced significant revenue/profit shortfalls caused by brand damage/customer fallout and costs to improve IT security. At least two derivative shareholder actions have been filed, which have triggered Target’s D&O insurance.
More than 100 lawsuits are pending against Target at this time, with many consumer class actions and some actions filed by individual financial institutions, claiming for costs of cancelling and reissuing compromised cards, absorbing fraudulent charges made on the cards, and the loss of anticipated fee income from the holiday season. There has been activity to consolidate these lawsuits into three groups of plaintiffs to facilitate the legal process. Allegations surround Target giving network