The massive security breach that hit Target over the
holidays may be only the beginning for the retail industry.
to hack into retailers' computer networks and steal credit card data
and other customer information are likely to surge this year, cyber
security experts say in the wake of the attacks on Target and luxury
department store chain Neiman Marcus.
Target reported Friday that
cyber thieves compromised the credit card data and personal information
of as many as 110 million customers. That includes phone numbers, e-mail
and home addresses, credit and debit card numbers, PINs, expiration
For the hackers involved, this breach could generate
billions of dollars in illicit profits, according to David Kennedy,
founder of TrustedSec, a cyber security consulting firm that works with
some of the largest retailers.
The going rate for stolen data is
about $80 per card, so if 70 million accounts were compromised, that
would produce a $5.6 billion payday for hackers, he estimated. The
promise of such a return, from a hack that probably took six months to a
year to organize, is likely to attract more hackers, Kennedy says.
"There will be a wave of attacks on the retail industry throughout the year,"
Kennedy says. "The Target hack exposed how vulnerable the industry is."
Wal-Mart Stores, the world's largest retailer, said Monday that it was not hit
by any security breaches like the one Target suffered. Sears also said
that its customer data was not compromised, as did Home Depot and Toys R
However, Kennedy and other security experts expect more
disclosures from other retailers saying they've been hit by similar
BitSight, a tech firm that rates companies on security
breaches, examined Fortune 200 retailers, such as Target, Wal-Mart and
CVS, and found an increase in cyber attacks in the fourth quarter of
"We observed more malicious activity on these networks in
the second half of 2013," BitSight said Monday on its blog. "The
majority of companies were quick to respond, but a few had botnets
lingering for several days at a time."
BitSight gathers and
analyzes data from sensors deployed around the globe looking for
malicious activity, such as communication with a botnet -- a network of
computers that have been taken over -- or malware distributor. It has no
access to internal company network data.
SecurityRatings range from 250 to 900; a higher rating indicates better
security performance. If ratings go down, as they did in the retail
industry last year, it shows that company defenses are not as strong as
they should be, the firm says.
"It's really hard for these large
organizations to protect themselves from all these threats," BitSight
co-founder Stephen Boyer told USA TODAY. "A lot of these attackers are
well-funded and well-motivated -- and the payoffs are potentially high."
increase their security, it's not just about investing in new
technology, it's also about hiring security personnel at the executive
level -- such as a chief risk officer or chief privacy officer -- and
training all employees in the best security practices, Boyer says.
"The defender really has to lock every window and door," he says. "But the bad guy just has to find one open window."
The U.S. retail industry is likely to be a major hacking target for at
least a year because new credit card security technology, known as EMV
or chip and PIN, has yet to be fully implemented.
EMV, already in
place in Europe, uses an encrypted chip that is embedded in a card and
requires a personal identification number to access the data it stores
to complete a payment. In the United States, the less-secure magnetic
strip on cards is still used.
Industry experts say 90% to 95% of
credit cards in the U.S. will have the chips within two years, but 1% to
5% of U.S. cards use the technology now.
"The U.S. is being
targeted heavily now because we don't have the card security," says
Chris Gates, a partner at LARES, a cyber security consulting firm that
works with financial services companies, retailers and manufacturers.
"More and more retailers will be breached until we get firmly into the EMV
chip and PIN technology," he added. "Hackers will go where the
information they need is easiest to get."
In recent years, the
financial-services industry has been hit by a series of hacks, but Gates
sees the focus shifting to retail this year.
"When you look at
the financial sector, its performance as a group is higher than retail,"
said BitSight's Boyer. "They have more assets at risk than the retail
sector, but they are doing a better job at protecting those assets."