It’s shaping up to be a nightmarish holiday shopping season for US retailers. First, Target fell victim to a data breach that compromised between 70 million and 110 million shoppers’ financial information (including credit card numbers, PIN numbers, and e-mail and mailing addresses). Last week, high-end department store Neiman Marcus disclosed its own cyberattack, which put the information of up to 40 million shoppers at risk.
More may be on the way. Reuters reported Sunday that at least three other well-known US retailers faced data breaches during the holidays, citing information from unnamed sources.
“The sources said that they involved retailers with outlets in malls, but declined to elaborate. They also said that while they suspect the perpetrators may be the same as those who launched the Target attack, they cannot be sure because they are still trying to find the culprits behind all of the security breaches,” the Reuters report reads. “Law enforcement sources have said they suspect the ring leaders are from Eastern Europe, which is where most big cybercrime cases have been hatched over the past decade.”
The report didn’t say whether the Neiman Marcus breach was related to the others.
The Target cyber break-in affected customers who shopped in-store and online between Nov. 27 and Dec. 15, in the thick of the holiday season. Though Target initially said about 40 million shoppers were affected, the retailer revealed last week that the hackers stole between 70 million and 110 million shoppers’ credit card numbers, PIN numbers, e-mail and mailing addresses, and phone numbers. Target also came under fire for waiting four days to disclose the breach publicly.
Target chairman and CEO Gregg Steinhafel defended that decision in an interview on CNBC Monday, saying that the company "wanted to make sure our stores and our call centers could be as prepared as possible," and that employees "worked around the clock to try and do the right thing." He reiterated that because the matter is still under federal investigation, Target “can only share so much.”
Neiman Marcus’s investigation is also ongoing. "We informed federal law enforcement agencies and are working actively with the US Secret Service; the payment brands; our merchant processor; a leading investigations, intelligence, and risk management firm; and a leading forensics firm to investigate the situation," the company’s official statement reads.
Both Target and Neiman Marcus pointed to malware installed on “point of sale” registers as the problem, which Reuters also cited in its report on the other targeted stores. Visa warned of similar attempted attacks on its system early last year, but the latest rounds are much more sophisticated, according to TechCrunch.
The good news? Such attacks are less damaging to consumers than they are to retailers. Yes, there’s the hassle of canceling credit cards, changing e-mail passwords, and extra-careful monitoring of bank statements. But credit card companies will pay for any fraudulent charges, and then recover the money by charging the retailer. That means Target stands to take a big hit: as much as $50 million, according to CNN Money. The retailer also announced last week it would offer free credit monitoring and identity-theft protection for worried customers.
The biggest risk, experts say, is that potential scammers could have customers’ contact information and the knowledge that they shop at Target. But that on its own isn’t enough for identity theft. "It's bad they got a customer list, but the worst case scenario is a very targeted email phishing campaign," Adrian Sanabria, a security analyst, told CNN Money. "I don't see any risk of identity theft from having that exposed."