When Hit With A Major Data Breach, Retailers Should Use The Buddy System

Written by Evan Schuman
September 16th, 2009

There’s a very old joke that when swimmers are about to go into shark-infested waters, they should always swim with a buddy. If a shark attacks, feed him your buddy. Retailers today, swimming in cyberthief-infested wireless zones, are discovering a similar guideline plays out when there is an attack against a large number of retailers, such as what happened with TJX, Hannaford, 7-Eleven and others in the Gonzalez cases.

In that instance, some 17 retailers were victimized, including at least one that has yet to be identified. The identified victim list is Target, J.C. Penney, TJX, BJ’s Wholesale, Boston Market, Sports Authority, Dave & Buster’s, Hannaford, 7-Eleven, Heartland, Office Max, Barnes & Noble, Forever 21 and DSW.

Despite the many heavyweight retail brands on that list, only a couple have borne the vast majority of the costs and headaches associated with the breach. Why? Because the first one or two chains have to go through the expense of identifying the breached card numbers and having them shut down and reissued. Once that task is complete, life is much easier for the others.

The amount of time that chain employees must deal with law enforcement plummets after the first one or two, as long as the means of attack is essentially the same (as it was in the Gonzalez cases). From a PR/brand damage perspective, the first two get the star treatment, while the others are—fortunately for them—sloughed off in media reports as “other retailers victimized include….” assuming they’re mentioned at all.

And the publicity—or lack of same—can also sharply influence who gets hit with the most serious lawsuits, another crucial cost and time-destroyer.

Mark Rasch, the former head of the U.S. Justice Department’s high-tech crimes unit who today serves as the principal at Secure IT Experts, points out that timing is everything.

“As a company, you always want to avoid being the first public victim of a hacker or attacker. You then bear the major expense of the investigation and the publicity associated with the data breach. By the time the public learns that there were other victims, they have already blamed you,” Rasch said. “Thus, when conducting an internal investigation of any attacks on your infrastructure, you want to look for patterns indicating whether the attack was targeted at you and you alone, or at others, and coordinate your investigation and disclosures with other victims and with appropriate law enforcement officials.”

Another keen observer of matters secure is Avivah Litan, security expert at Gartner. “This is a very good insight in terms of pointing out the incongruities and, frankly, the injustices associated with the costs of data breaches committed by the same criminal gang,” she said.

“It is true that the first incidents in a pack bear all the negative publicity and most of the costs associated with investigating the breach and dealing with the card brands,” Litan said. “It’s time that the costs get spread out equally. Not only across all affected breached entities (e.g., merchants and processors), but also across the card brands and card issuers for not providing a more secure payment system for merchants and cardholders to use in the first place.”

One senior IT security executive at a major retail chain said part of the buddy problem is that there is not nearly enough data being shared by the first victims in a massive breach. “What we are not seeing is an adequate clearinghouse of information on technical details of the breaches so we can craft specific intrusion detection and data loss prevention signatures based on the sufferings of others. This would help those of us who haven’t been hit, as it could help prevent future problems,” said the exec. “We’ve had to go to several vendors and processors to get the details we needed to ensure we are safe. It would have been helpful if some of that information (e.g., the use of Cyrillic in hacker code that can easily be picked up in DLP) had been provided to us earlier on by the payment card industry, processors or banks. While this is above and beyond PCI requirements, it would serve members and cardholders equally and could be accomplished without leaking details of the investigations at those retailers.”
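The executive’s example of a shareable technical detail (Cyrillic text inside attacker tooling that DLP or IDS can match on) is the kind of content signature a defender can build once the first victims publish it. The block below is an added illustration, not code from the article or from any retailer or vendor quoted in it: a small Python scanner that flags runs of Cyrillic characters in code or script artifacts. The sample artifacts, file names and the choice of cp1251 as the fallback legacy encoding are constructed assumptions for the example.

```python
"""Toy DLP/IDS-style content signature: Cyrillic text inside code artifacts.

Added example for illustration only (not the article's or any vendor's code).
It scans byte blobs, decodes them, and reports runs of Cyrillic characters,
the sort of indicator the quoted executive says should be shared early.
"""
import re
from typing import Dict, List, Tuple

# Unicode Cyrillic (U+0400-U+04FF) and Cyrillic Supplement (U+0500-U+052F).
_CYRILLIC_BLOCKS = r"[\u0400-\u052F]"


def _decode(data: bytes) -> List[Tuple[str, str]]:
    """Return (encoding, text) pairs worth inspecting.

    UTF-8 is tried first. cp1251 (a legacy single-byte Cyrillic code page;
    using it as the fallback is an assumption of this example) is tried only
    when UTF-8 decoding fails, because *any* byte string decodes "successfully"
    as cp1251 and would otherwise produce false positives on binary data.
    """
    try:
        return [("utf-8", data.decode("utf-8"))]
    except UnicodeDecodeError:
        return [("cp1251", data.decode("cp1251", errors="replace"))]


def find_cyrillic(data: bytes, min_run: int = 3) -> List[Dict[str, object]]:
    """Find runs of at least `min_run` Cyrillic characters in `data`.

    Each hit records the encoding used, the 1-based line number and the text
    of the run. A minimum run length keeps stray single characters (common in
    mis-decoded binaries) from triggering the signature.
    """
    pattern = re.compile(_CYRILLIC_BLOCKS + "{%d,}" % min_run)
    hits: List[Dict[str, object]] = []
    for encoding, text in _decode(data):
        for match in pattern.finditer(text):
            line_no = text.count("\n", 0, match.start()) + 1
            hits.append({"encoding": encoding, "line": line_no, "text": match.group()})
    return hits


def scan(artifacts: Dict[str, bytes], min_run: int = 3) -> Dict[str, List[Dict[str, object]]]:
    """Apply the signature to a mapping of artifact name -> raw bytes."""
    return {name: find_cyrillic(blob, min_run) for name, blob in artifacts.items()}


# Constructed sample artifacts (not real malware or real retailer data):
# a benign script, a UTF-8 script with a Cyrillic comment, and a short
# cp1251-encoded text file.
SAMPLE_ARTIFACTS: Dict[str, bytes] = {
    "benign.py": b"import os\n# rotate logs nightly\nprint('ok')\n",
    "suspect.py": "import socket\n# настройки сервера\nHOST = 'example.invalid'\n".encode("utf-8"),
    "legacy.txt": b"# " + "ключ".encode("cp1251") + b"\n",
}


if __name__ == "__main__":
    for name, hits in scan(SAMPLE_ARTIFACTS).items():
        status = "FLAGGED" if hits else "clean"
        print(f"{name}: {status}")
        for hit in hits:
            print(f"  line {hit['line']} ({hit['encoding']}): {hit['text']}")
```

Running the script flags `suspect.py` and `legacy.txt` and leaves `benign.py` clean. A real deployment would pair this with the other indicators the first victims share (the processes, paths and network patterns seen in their investigations) rather than relying on a single language heuristic, since non-malicious software localized for Cyrillic-script users will also match.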

Frustratingly, the advice not to be among the first one or two retailers breached is likely to be of very little practical use to retailers. They will always try to avoid being a data breach victim. But if it happens, there’s little they can do to influence where in the line they fall. If retailers want some consolation, however, being a data breach also-ran is probably not a bad thing to be.

