It’s Thanksgiving, which means family time, good food, awkward conversations, record spending — and the anniversary of Target’s massive data breach, which leaked 110 million customers personal information from emails to credit card numbers.
Over the past year, Target and other retailers have worked hard to repair their images. But since last holiday season, the industry is not much better prepared to stop another attack.
Breaches at Target and Neiman Marcus, which exposed over 1 million customers’ credit cards last year, kicked off a year of breaches at major retailers. Chief among them was Home Depot, which suffered a breach that exposed nearly 60 million debit and credit cards, 53 million email addresses, triggering an onslaught of fraudulent transactions, and 44 breach-related lawsuits in the U.S. and Canada.
Since Target’s breach last year, retailers have scrambled to enhance customer data protections. Banks and credit card companies have already begun sending customers new, chip-enabled cards that produce a new card number with every swipe. That makes card numbers harder to duplicate. Target started rolling out chip-enabled, or Europay, Mastercard and Visa (EMV) store cards earlier this year.
Finance companies have balked at transitioning to EMV cards that are already standard in Europe, claiming doing so would be too expensive. But financiers such as American Express and Bank of America have begun issuing EMV cards.
But those efforts could be in vain as most stores and restaurants don’t have the technology to accept the new cards. Even retailers that had devastating data breaches recently, including Target, aren’t prepared to take the new cards until at least next year.
Retailers have instead tightened security in other ways. For example, big-name stores including Safeway, Walgreens, and Nike formed an alliance with the Department of Homeland Security, Federal Bureau of Investigation, the Secret Service to share real-time threat information through a central intelligence-gathering system.
The alliance, however, is in its infancy. And while it could give retailers an edge down the line, it doesn’t substitute the need for stronger regulations now that hold companies accountable for customer data compromised through cyberattacks.
There’s been little movement to implement policies that mandate businesses better protect their data. In a White House report, the Obama Administration recommended stronger privacy laws, including a federal law that would require companies to promptly disclose breaches.
As it is now, companies don’t have a set of rules to follow when they lose customers’ personal information. It’s almost completely self-regulated by companies, configured with a patchwork of state laws defining what’s considered a breach. That self-governing system ends up costing billions of dollars a year, largely because companies have to spend money notifying customers, reissuing credit cards, offering identity theft protection to customers and updating security systems.
With the holiday season still ahead, 2014 is shaping up similarly to last year accumulating an alarming number of privacy and security breaches. Over a dozen major retailers including AT&T;, Verizon, Ebay, sandwich chain Jimmy John’s and Goodwill have already reported breaches this year.
In 2013, one in seven people were notified their information was exposed in a breach. There were 167 breaches reported in California last year and New York had a record-breaking 900.
Government agencies, tech and social media companies were also cyberattack victims this year. SnapChat user data was breached twice this year, in January and again months later in October. In the latest, hackers reportedly stole some 100,000 photos, many of minors, that could have potentially been released online. Hackers shut down Sony Pictures’ computer network, forcing the company to send employees home.
The ramifications of the Heartbleed bug, which exposed more than two-thirds of the Internet’s websites and went undetected for years, are yet to be fully felt. Meanwhile, millions of usernames, passwords, Social Security Numbers and financial account information were vulnerable to hackers and allegedly the U.S. National Security Agency. The U.S. Weather System, Postal Service, and The White House were all hit by hackers this year.
Shoppers spend an average of $770 per person during the holiday season, about half of which occurs on Black Friday or Cyber Monday. That number is expected to increase 4 percent this year because of economic growth, putting customers at an even greater risk.
Retailers have certainly taken initiative to not repeat Target’s mistakes last year, but many of the precautions fall short with the Black Friday just days away.