A group of the nation’s top retailers is banding together with federal law enforcement agencies in hopes of preventing cybercrimes like the one that caused Target’s massive data breach earlier this year.
Hundreds of big-name stores including Safeway, Walgreens, and Nike teamed up to form the Retail Cyber Intelligence Sharing Center — an alliance that will share real-time threat information through a central intelligence-gathering system with the Department of Homeland Security, Federal Bureau of Investigation, the Secret Service, and companies’ investors.
“We have seen a sharp increase in the number of malicious actors attempting to access personal information or compromise the systems we all rely on, in the retail industry and elsewhere,” Phyllis Schneck, deputy Secretary for cybersecurity and communications for the U.S. Department of Homeland Security, said in a news release.
Close to a billion personal records — email addresses, passwords, credit card and debit card numbers — were leaked in data breaches last year. Most of the breaches in 2012 were “low level” threats that could have been prevented, according to a Verizon study. The coalition’s primary goal is to get in front of potential threats before they balloon into data theft catastrophes, such as last year’s Target breach, through education, training and intel trading. Target, which also joined the alliance, suffered one of the most widespread breaches in history during the 2013 holiday shopping season, exposing more than 100 million customers’ credit card numbers, phone numbers and other personal information. It was later revealed that upscale retailer Neiman Marcus had a similar breach believed to hit over a million customers.
But the new venture, while a step in the right direction, may not be enough to prevent the fallout from large-scale breaches. The RCISC’s approach focuses on tracking new strains of malware and software vulnerabilities, and could help retailers warn one another about possible cyberthreats. Having a centralized system will make it easier to spot warning signs, but it won’t address a major issue when it comes to data breaches — the clean-up.
Preventing the next Target-scale breach must include stronger policies and updated technology. As it is now, companies don’t have a set of rules to follow when they lose customers’ personal information. It’s almost completely self-regulated by companies, compounded by a patchwork of state laws defining what’s considered a breach. That self-governing system ends up costing billions of dollars a year — about $5.4 million per incident — largely because companies have to spend money notifying customers, reissuing credit cards, offering identity theft protection to customers and updating security systems.
The lack of minimum standards has also affected how often retailers and other companies replace their security and financial technology. U.S. financial institutions and retailers have been reluctant to update technology despite knowing the security risks. The Target and Neiman Marcus breaches, for example, happened in part because of outdated credit card technology. American cards use an easily duplicated magnetic stripe to transfer financial data between the stores and banks once swiped. Cards overseas, on the other hand, are harder to copy because they have an embedded computer chip that creates a unique PIN with each use. But American banks and retailers don’t want to spend the money for more secure technology if no one is requiring it.
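The paragraph above contrasts a stripe whose data is the same on every swipe with a chip that produces a fresh value on every use. The following is an added example, not code from the article or from any payment network: it is a hypothetical toy model in which the “stripe” is a static string the issuer matches on file, and the “chip” holds a secret key and a transaction counter and emits an HMAC-SHA256 cryptogram over the counter and amount. It is deliberately not the real EMV cryptogram algorithm; all card values and the key are constructed placeholders. It shows why an exact copy of static data is accepted while a captured chip message, replayed or altered, is rejected.

```python
"""Toy model (hypothetical, not EMV) of static stripe data versus a
per-transaction cryptogram, to illustrate why one is easy to duplicate
and the other is not."""
import hashlib
import hmac

# Constructed sample values; none of these are real card data or keys.
STRIPE_TRACK = "PAN-PLACEHOLDER=EXP-PLACEHOLDER=SVC-PLACEHOLDER"
CHIP_KEY = b"constructed-demo-key-not-real"


def stripe_authorize(issuer_record: str, presented_track: str) -> bool:
    """Stripe-style check: the issuer only verifies that the presented track
    data equals what it has on file, so any byte-identical copy passes."""
    return hmac.compare_digest(issuer_record.encode(), presented_track.encode())


def cryptogram(key: bytes, counter: int, amount_cents: int) -> str:
    """Toy per-transaction code: MAC over the counter and the amount."""
    msg = f"{counter}:{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ChipCard:
    """Holds a key that never leaves the card and a counter that increments
    on every use, so each authorization message is unique."""

    def __init__(self, key: bytes):
        self._key = key
        self.counter = 0

    def transact(self, amount_cents: int) -> dict:
        self.counter += 1
        return {
            "counter": self.counter,
            "amount": amount_cents,
            "mac": cryptogram(self._key, self.counter, amount_cents),
        }


class ChipIssuer:
    """Issuer side: shares the key and remembers the highest counter seen."""

    def __init__(self, key: bytes):
        self._key = key
        self.last_counter = 0

    def authorize(self, msg: dict) -> bool:
        expected = cryptogram(self._key, msg["counter"], msg["amount"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return False  # altered message or unknown key
        if msg["counter"] <= self.last_counter:
            return False  # an already-used cryptogram presented again
        self.last_counter = msg["counter"]
        return True


def demo() -> dict:
    """Run both models and report which presentations were accepted."""
    # Stripe: a duplicate of the static track is indistinguishable from the original.
    duplicate_track = STRIPE_TRACK[:]
    results = {
        "stripe_original_accepted": stripe_authorize(STRIPE_TRACK, STRIPE_TRACK),
        "stripe_duplicate_accepted": stripe_authorize(STRIPE_TRACK, duplicate_track),
    }

    # Chip: a genuine message is accepted once; the same message presented
    # again, or with the amount changed, is rejected; the next genuine one works.
    card, issuer = ChipCard(CHIP_KEY), ChipIssuer(CHIP_KEY)
    first = card.transact(1999)
    results["chip_first_accepted"] = issuer.authorize(first)
    results["chip_replay_accepted"] = issuer.authorize(dict(first))
    altered = dict(first, amount=1)
    results["chip_tampered_accepted"] = issuer.authorize(altered)
    results["chip_second_accepted"] = issuer.authorize(card.transact(2500))
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The design point is that the issuer never needs to see the chip's key, only to recompute the expected cryptogram and refuse counters it has already consumed; the stripe model has no equivalent freshness check, which is why its data, once copied, stays usable.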
The same rings true for software updates. Despite advance warning that Microsoft was phasing out Windows XP this year, retailers and banks procrastinated in updating their software, exposing them to cyberattacks.
As these breaches continue to become more frequent and more severe, retailers must invest in better protections. While no amount of security protection will prevent all future attacks, initiatives like the RCISC are best served when backed by stronger policies.