The recent disclosure that a large trove of customer information was stolen from Target, and now also from Neiman Marcus, points to growing vulnerabilities in cybersecurity. And experts say the problem is becoming more difficult to combat.
Avivah Litan, a security analyst at Gartner, says she's hearing from sources at retailers that the holiday-season data breaches were not limited to the 70 million-plus Target customers and untold number of Neiman Marcus shoppers.
"It's clear that there is a new bout of attacks," Litan says. She says data thieves struck several years ago at T.J. Maxx, J.C. Penney and Target and that they could be back, though it might be a different gang of thieves.
Litan blames, in large part, the magnetic payment strip system, which she says is more vulnerable than systems used by other countries around the world that have smart chips embedded in credit cards.
David Burg, leader of cybersecurity at PricewaterhouseCoopers, adds that part of the problem is rapid innovation.
"As we use more and more technologies to collaborate among businesses, or to connect with consumers using mobile devices and other kinds of applications that allow consumers to interface with various corporations, what you have is an attack surface that keeps increasing in size and complexity, making it very hard to secure," Burg says.
Burg says while there is a lot of pressure on retailers to alert consumers, regulatory and law enforcement authorities quickly, often there are delays because criminals work hard to cover their tracks.
"It's very hard to figure out what happened, how it happened and what the impact was," he says.
Tom Kellermann, a managing director at Alvarez & Marsal, a professional services firm, says the latest round of attacks indicate that even companies that invest heavily in sophisticated security systems are seeing new vulnerabilities from new sources — namely, rogue hackers who are buying readily available software tools on the black market.
"There's a massive consulting- and software-based industry that supports the shadow economy that makes it far easier for people who are not sophisticated to leverage these types of attacks," Kellermann says.
Kellermann says organized crime syndicates — especially in Eastern Europe — not only make money selling the malware but also use the hackers' channels to their own ends. They prod at a company's network, often hanging out for months undetected, and then plan their attack.
"From someone who has investigated major breaches in the past, I am suggesting that this campaign in particular definitely went on for months," he says.
The loss to consumers is often time spent getting reimbursement from their credit card companies. But for the retailers, Kellermann says the loss is "incalculable."
It costs about $200 per lost record to cover legal expenses and fines. In addition, as Target recently saw, a retailer's reputation takes a hit, and its stock can fall.
Doug Johnson, who oversees risk management policy for the American Bankers Association, says banks sustain losses as well. He says forensic investigations — as the FBI and Secret Service are conducting now on the Target and Neiman Marcus breaches — take a lot of time. In the end, it's often difficult to prove where the data leaked, and so banks often end up holding the bag.
"[Because] it's the financial institution that reimburses the customer for that fraud," Johnson says.
Target CEO Gregg Steinhafel apologized to customers on CNBC on Monday, saying Target would pay for credit monitoring and vowing to make things right for the consumers.