The Target Corp. data breach that exposed 40 million shoppers' debit and credit card account information has caused lawsuits, state and federal investigations and potential company reputation damage, while raising fresh concerns among other businesses about the worsening risk of cyber attacks.
The data breach is being called the second-largest in U.S. retail history, behind a 2007 breach at TJX Cos. Inc. in which cyber criminals collected personal information from more than 90 million credit cards over more than a year.
Target first acknowledged its breach on Dec. 19, and revealed on Dec. 27 that its forensic investigation had found that the information hackers collected from Nov. 27 to Dec. 15 included card users' encrypted PIN data embedded in their cards. The breach occurred during the annual Christmas shopping season, the busiest retailing period of the year.
While the Minneapolis-based retailer released few specifics about the nature of the data breach, many experts say it appears to have involved malicious software that collected shoppers' data as they swiped cards at checkout keypads to pay for purchases in Target stores.
“If that's the case, this is a very sophisticated kind of attack,” said Jon Neiditz, a partner at law firm Kilpatrick Townsend & Stockton L.L.P. in Atlanta, whose practice focuses on big data, privacy and information security. “The big risk management issue to me for all of the retail companies I work with and hospitality companies and others that have point-of-sale systems is: was this very sophisticated malware that involved point-of-sale systems and what lessons are there for other point-of-sale systems.”
Jerry Irvine, Chicago-based chief information officer at information technology adviser Prescient Solutions, said: “We don't know for sure what happened. Target has not put out any detailed information on the attack, but they said it was a very complex type of breach.
“It was likely a long-term persistent event, where a low-level device is compromised and gradually accumulates information and eventually enables the hackers to gain access to control rights over more critical systems,” Mr. Irvine said.
“Hackers are no longer looking for instant gratification. Today, they are all financially motivated and willing to lurk in the background, until they get that golden tidbit of information that gives them root-level access or a backdoor information protocol,” Mr. Irvine said.
Even companies that follow strict data security protocols, such as the Payment Card Industry Data Security Standard, remain vulnerable, he said.
“Target and the other large organizations that have been breached recently have all been PCI-DSS certified,” Mr. Irvine said. “They are all following (retail) industry best practices and adhering to regulatory and compliance requirements, but the problem is that you cannot secure everything 100%.”
Scott N. Godes, a partner with law firm Barnes & Thornburg L.L.P. in Washington who represents clients in data breach litigation, agreed being certified PCI-compliant “is not a guarantee against a data breach.”
The Target data breach is “definitely a circumstance that can incentivize companies to step back and look at what they're doing in terms of risk management, what they're doing in terms of insurance, what they're doing in terms of security” and whether they have a cyber breach response plan in place, Mr. Godes said. “I think we're in a day when there's a broader recognition that no company is impenetrable and no company can guarantee themselves free from cyber attacks or hacking.”
Jim Whetstone, professions practice leader at Hiscox USA in Chicago, said the Target cyber event supports a growing number of companies' decisions to buy insurance as part of their cyber risk management efforts.
“More and more companies are buying the coverage and it wouldn't surprise me that a company like Target felt they had an exposure that they needed insurance for,” Mr. Whetstone said.
“For me it just points out that there is no silver bullet,” he said. “I'm sure (Target) invested a lot and felt they were protected.”
Target did not respond to a request from Business Insurance for information about its insurance coverage for losses stemming from the data breach.
Aon P.L.C., Target's broker, also declined a request for comment.
Mr. Whetstone said the Target data breach does raise concerns for other retailers about point-of-sale system vulnerabilities.
But, he said, the differing ways companies configure their information technology components reduce the risk that hackers could broadly reuse the approach apparently used against Target in a wider attack on other companies' point-of-sale payment systems.
“One of the things that mitigates that exposure is that companies have multiple layers of technology,” Mr. Whetstone said, with the uniqueness of the technology mitigating the potential of a widespread, catastrophic data breach.
Meanwhile, according to news reports, about 40 lawsuits seeking class action status in connection with the data breach had been filed against Target by consumers as of last Friday. The nation's third-largest retailer is also facing probes from state attorneys general related to consumer protection and privacy laws.
In a statement on its website, Target said it hosted a conference call Dec. 23 with state attorneys general to discuss the data breach and that a “majority of state offices were in attendance on the call.” The company said it will hold a follow-up call with state officials this week.
Target also said it was partnering with the Secret Service and the U.S. Department of Justice on forensic and criminal investigations into the data breach.
“We want to be clear that neither entity is investigating Target,” according to the retailer's statement on its website.