In January of 2014, Neiman Marcus card holders were made aware that their credit card data had been stolen through a security breach in the POS system. Not long before that, the big-box retailer Target made a similar announcement. These were only two of a rash of big data breaches to hit large databases recently. Cyberwarfare has been in the mainstream discussion of cybersecurity journals and conference proceedings for a few years. The recent Christmastime series of malware attacks on point of service (POS) retail terminals at Target Inc. brought forth a disclosure of a number of exploited personal credit cards across numerous retailers, with Target being the first example to go public. This series of attacks has heightened the awareness of both the consumer and the retail and banking industries. The following will explore cybersecurity in the age of big data and will suggest some measures that can be taken to curb such attacks in the future.
The theft of consumer data at Neiman Marcus was a wake-up call about how vulnerable the information that one chooses to share is to cyberattacks. The breach involved 1.1 million credit and debit cards (Harris, Perloth, & Popper, 2014). The malware used to initiate the attacks appears to be similar to that which was used to infiltrate Target’s systems, with another 110 million customers affected (Harris, Perloth, & Popper, 2014). The malware exploits a step in credit card processing where the information is temporarily decrypted. The breach at Target may have involved stolen vendor electronic credentials. Thieves will often target low-level employees and outside contractors to try to gain access to the system (Vuiker, 2014).
The FBI reports that the types of cyberattacks experienced by Neiman Marcus and Target customers are likely to occur for the next three to five years (Morrison, 2014). The volume of transactions that go through retail POS systems makes them an attractive target. The software to perpetrate these thefts is available for under $6,000 (Morrison, 2014). The potential gain is high. The only risk that the criminals see is the risk of getting caught. The website intrusion takes the form of phishing e-mails, compromised websites, and other common infection vectors (Morrison, 2014). The recent attacks on the Neiman Marcus and Target systems represent a shift in liability to the retailer. This shift in liability will make the adoption of EMV technology the more attractive alternative to bearing that liability.
What is worse about these attacks is the reaction of the major retailers, who tried to keep the data theft quiet so that it did not harm holiday sales. Both Neiman Marcus and Target offered victims one year of free credit monitoring (Harris, Perloth, & Popper, 2014). The United States is one of the last countries to move forward with new EMV technology, which would not have stopped the attacks but would have minimized the impact afterwards. The cost of adopting the technology has been the main reason why retailers have not implemented the system (Harris, Perloth, & Popper, 2014).
When a customer provides the retailer with information that could potentially harm them if it falls into the wrong hands, they are extending trust to that retailer. The retailer has the responsibility to respond to that trust by taking every means possible to protect that client’s personal data from theft. This means a responsibility to use the latest technology available to keep the client’s data safe. To argue that software to help them fulfill that obligation is too expensive is a breach of trust on the part of the retailer. The retailer has an obligation to provide the best protection available, regardless of the cost. This recent shift in responsibility highlights the case that the responsibility and liability are in the hands of the retailer. In light of a lawsuit, many retailers may not find the extra expense of software so great in the long run. It highlights their responsibility to keep customer information safe.
The data stolen from retailers represents millions of dollars in trust and sales. The response that the latest software to prevent attacks such as BlackPOS and similar software is too expensive shows poor concern for the consumer’s welfare. If software is available that can detect such an attack, the retailer has an obligation to be proactive in putting it in place. If they have taken every measure possible and an attack still occurs, then they are slightly less responsible. However, to blatantly refuse the highest level of protection possible makes the retailer as guilty of breaching customer trust as the criminals. Retailers are aware that the risk of cyberattacks is real and that there are solutions available that could help to protect their customers’ data.
Retailers have an obligation to protect their customers’ data and to take a proactive stance on protecting it. Although having the latest and best software available does not ensure that a problem will not occur, it can significantly reduce the risk. The reaction of the retailers in keeping quiet about the attacks for as long as possible went further to destroy trust among the customer base.
Installing the latest software, even at an extreme cost, could do more for sales in the long run because customers will have the impression that the company has their interests at heart, even if it is at its own expense. Installing EMV software and letting the public know about it would help to restore trust in the retailers. As customer trust is restored, the big-box retailers will experience increased sales. Taking a proactive approach to data safety can have long-term benefits that far outweigh the initial costs.