Data breach at Target highlights crooks' cunning, patience

Ability to gain access to about 40 million accounts shows criminals 'don't have to carry a gun'

December 20, 2013 | By Gregory Karp, Chicago Tribune reporter

Consumer data breaches, like the one involving millions of Target shoppers whose information was stolen in recent weeks, will continue to be a problem as long as hackers are at least as nimble, crafty and patient as corporate America, experts said.

"They don't have to carry a gun," said Jerry Irvine, chief information officer of Prescient Solutions in Chicago and a member of the National Cyber Task Force. "They sit in the corner of their apartment in their pajamas, eating Twinkies and drinking Mountain Dew and getting access to systems where they can get hundreds of thousands of credit cards."

Target Corp. said Thursday that thieves got access to about 40 million credit and debit card accounts. They stole card data from customers who paid for merchandise in stores with cards during the first three weeks of the holiday shopping season, from Nov. 27 to Sunday.

Stolen information included customer names and their credit or debit card numbers, along with the cards' expiration dates and three-digit security codes, Target said.

The breach, among the largest ever, did not affect customers who purchased items from Target.com.

Target, the third-largest U.S. retailer, did not disclose Thursday how its systems were hacked. Predators could have found a weakness in Target's computer network or gained access through credit card services vendors.

Minneapolis-based Target said it was working with federal law enforcement and hired a forensics firm to investigate the incident and examine additional measures the retailer can take to help prevent other incidents.

"Target's first priority is preserving the trust of our guests, and we have moved swiftly to address this issue, so guests can shop with confidence. We regret any inconvenience this may cause," Target CEO Gregg Steinhafel said in a statement.

As the investigation continues, Target customers should be diligent about monitoring their credit and debit card account activity to spot fraudulent charges early, privacy and consumer experts say.

Unhappy customers weighed in Thursday, posting complaints on Target's Facebook page.

"Thank you Target for nearly costing me and my wife our identities, we will never shop or purchase anything in your store again," said one posting.

"Shop at Target, become a target," another said. "Gee, thanks."

The good news is, the theft did not include debit card personal identification numbers, or PINs, which would potentially allow direct access to cash in customer bank accounts. And no Social Security numbers were involved, which limits the chance of thieves opening new credit accounts in customer names, a more serious type of identity theft.

Security experts said the Target caper appeared to be sophisticated, as are many of the mass breaches. Retailers and the rest of corporate America have had trouble keeping up.

"The problem isn't any one industry; the problem is hackers," said Irvine, adding that some organized crime rings do nothing but cybercrime. "They have better tools to hack and get into information than we as an IT industry have to secure our information."

The value of such crime reaches into the hundreds of billions of dollars, Irvine said.

Retailers must comply with payment card technology standards, and Irvine said Target very likely was complying, "but it's impossible to be 100 percent secure," he said.

Some cybercriminals are extremely patient, infecting a target's weakest system with a small program that gathers information, which then leads to access to a more crucial system, and so on.

"Some systems can be breached for years. I don't know if that's the case at Target, but that is the type of thing that occurs," Irvine said. "If you're going to make a billion dollars, why not take your time?"

Part of the problem with breaches is practicality — it's costly and complicated for companies to keep up with security, especially when equipment is spread out across the country at hundreds or thousands of stores, said Erik Bataller, principal security consultant at security and risk management firm Neohapsis in Chicago.

"Some organizations don't think the risk is worth the cost," Bataller said. "There are some realities you have to take into account."

Perhaps the Target breach will be a call to action for consumers to demand that retailers and other companies store less data about them and take stronger measures to safeguard data they do collect, Bataller said.

"We as users should really speak up, and expect and require that companies start to handle our data better and be transparent about what they're doing with our data," he said.

Mark Rasch, a former U.S. cybercrimes prosecutor, said most of the cyberattacks are viewed as a cost of doing business.

"But an attack that's targeted against a major retailer during the peak of the Christmas season is much more than that, because it undermines confidence," he said.