Eric Holder urges new laws for data breaches after Target attack (+video)
In the wake of data breaches at Target and Neiman Marcus, Attorney General Eric Holder called on Congress Monday to enact legislation requiring retailers to be more transparent about consumer data hacks. What other changes are being made to tighten up security on shopper data?
The story is now well known: In the thick of this past holiday shopping season, data thieves hacked into retailer Target's computer system and stole sensitive financial information, including the credit-card numbers, personal identification numbers, and e-mail addresses of as many as 110 million customers.Skip to next paragraph
Subscribe Today to the Monitor
Soon after, luxury department store chain Neiman Marcus revealed it had suffered a similar breach, affecting as many as 350,000 shoppers, and rumors are swirling that more retailers may soon reveal they have been the victim of cyberattacks, too. The issue has become such a big concern that Washington is getting involved. In a video address Monday, Attorney General Eric Holder urged Congress to introduce legislation to create "a strong national standard" requiring retailers to quickly alert consumers and law enforcement when shopper data is compromised.
RECOMMENDED: Are you a smart shopper? Take our quiz.
The new laws should “enable law enforcement to better investigate these crimes – and hold compromised entities accountable when they fail to keep sensitive information safe,” Holder said in his weekly address.
The rash of security breaches is a problem with the potential to get much worse, experts say. Mathematically, chances are you've already been a victim of identity theft, even if you've never shopped at Target or Neiman Marcus. "Seven-hundred million pieces of electronic personal data have been stolen over the last 36 months, which means everyone in the United States has had some part of their identity stolen," says Haywood Talcove, chief executive officer for LexisNexis Government, a subsidiary of the national database company based in Washington, D.C. "The question is whether or not it's been used."
How bad is it?
The Target and Neiman Marcus breaches are just the latest (and largest) examples of a type of crime that has exploded into a full-scale industry. Credit-card data theft surged 50 percent between 2005 and 2010 (the latest years for which figures are available, according to the US Justice Department). Millions of credit-card numbers are on sale at any given time on black market websites, and hackers have realized that they can maximize profits by breaking into systems of major companies, such as Target, and stealing millions of pieces of data in one fell swoop. Visa and MasterCard had similar breaches in 2012.
Pulling off these crimes is cheap: The malware used to break into Target's system was recently traced back to a high-school-age Russian programmer, who sold it for $2,000. Aside from the obvious financial impact on customers, retailers, and financial firms, the effects of such crimes can reach into the government sector.
"There's a big opportunity for tax ID fraud," says Mr. Talcove. His department at LexisNexis holds contracts with state governments in Georgia, Louisiana, and Indiana to use big data and analytics to identify sketchy tax returns. Fraudsters use personal information gained from data breaches to file fake tax returns in different states to collect refunds, he says, and it's harder to spot than credit-card fraud because "it never shows up on a credit report."
New laws, safer chip technology
The Target debacle, and others like it, could urge US retailers to invest in more consumer data protection. Part of the solution cited by many experts is for merchants and banks to phase out magnetic-stripe credit cards and convert to computer chip-based card technology (also known as EMV), already in wide use in Europe and other parts of the world. "When you use a mag-stripe card, you swipe it, and data is read by a reader, and it's the same every time the card is swiped," says Martin Ferenczi, North American president of Oberthur Technologies, a global digital security firm. "EMV allows it to be dynamic, so every transaction has a different set of data. If the same set of data is reused, the chip recognizes that and stops the transaction."
Chip-enabled cards have helped reduce fraud in Britain and Canada. Mr. Ferenczi argues that the US remains particularly vulnerable to hacks because of its delay in adopting the technology.
"EMV is not completely foolproof," warns Cynthia James, an author on cybersecurity and the director of business development at Kaspersky Lab, an anti-malware company based in Russia, via e-mail. "Those cards can be duped, too, it just costs so much that it's prohibitive [to the criminals]."
The high-profile nature of the Target and Neiman Marcus breaches may speed along the conversion process. Visa and MasterCard recently pledged to completely convert to an EMV system in the US by 2015, and Target is investing $100 million to adopt the technology.
On the legislative end, 46 states already have data breach notification laws in place, but there is no national standard for letting consumers know about security breaches. Several data security proposals are being batted around the House and the Senate, including one co-sponsored by Al Franken (D-Minn.) and Amy Klochubar (D-Minn.) that would mean harsher criminal charges for data thieves and require businesses to adhere to data safeguards laid out by the Federal Trade Commission (FTC).
In the meantime, experts like Ms. James and Talcove advise consumers to be extra vigilant. "Sign up for credit monitoring, cancel any cards that are suspect, and check statements every month for all cards," James says. "It will also be easier if you reduce the number of cards you have."
"File your tax return early, so fraudsters don't beat you to it," Talcove adds.
RECOMMENDED: Are you a smart shopper? Take our quiz.
[CORRECTION: An earlier version of this article misstated the number of Neiman Marcus shoppers potentially affected by that retailer's data breach. That number was 350,000, not 40 million.]