Recent breaches not the last

Local customers feel effects of data heists at Target, Neiman Marcus
Melissa Topey
Jan 25, 2014
It happened before, it’s happening now, and it will happen again.

National retailers are only beginning to understand the full scope of the damage after massive data breaches put consumer credit and debit card information into the hands of criminals.

Forensic investigators are still unraveling the recently discovered breach of Neiman Marcus customer data. From July 16 to Oct. 30, a malicious software program scraped payment data relating to 1.1 million credit or debit accounts, according to the company. About 2,400 of those cards were later used to make fraudulent purchases.

Still, the Neiman Marcus breach pales in comparison to an incident involving Target data, where in mid-December criminals forced their way into the company’s system and gained access to consumer credit and debit card information — names, mailing addresses, email addresses and phone numbers.

The thieves stole data belonging to up to 110 million people.

Protect yourself after data intrusion
Ohio Attorney General Mike DeWine’s recommendations:
• Check credit card and debit card accounts regularly to monitor for suspicious activity.
• Change your PIN and passwords on affected accounts.
• Watch # for possible phishing scams designed to get personal and financial information. When a security breach is announced, scam artists create phone messages or websites to take advantage of consumers.
• Place an initial fraud alert on your credit report by contacting one of three reporting agencies: Experian, Equifax or TransUnion.
• Check your credit report at annualcreditreport.  com. You are entitled to one free report each year from each of the agencies.

Online
• For detailed information on the Target breach, go to corporate.target.com 
• For information on the Neiman Marcus breach, go to neimanmarcus.com and click on the banner relating to the data intrusion.

 

American consumers, retailers and banks can be sure of this much: The breaches will certainly not be the last of their kind.

“Breaches will continue to occur,” said Doug Johnson, vice president of risk management policy at the American Bankers Association.

Katherine Foeitz, of Sandusky, can relate to the frustration of the millions of people whose financial and personal information was compromised in the Target breach.

Foeitz went to the Target on Milan Road every morning to purchase a coffee from the Starbucks inside the store.

“I didn’t even use Target,” she said. “It’s so frustrating”

When the data intrusions came to light, Foeitz’s credit card was cancelled, leaving her without a card for about a week.

“It’s 2014,” she said. “I don’t use cash. I also had automatic pay and had to call and change it”

Her card was not used for any fraudulent purchases, although she’s still keeping a watchful eye on her account.

It’s unknown if the Target breach occurred inside or outside the company, as the investigation is still ongoing. Worth noting: Russian language was found in the code of the malicious program used to steal the data, Johnson said.

Because criminals change their tactics all the time, the approach used in the Target and Neiman Marcus intrusions isn’t likely to be used again.

Bank security officials must anticipate where the new attacks will occur, and work to protect shoppers. At the end of the day, they are bank customers, Johnson said.

One possible way to protect customer data is through “chip and PIN” technology, he said. A chip and PIN card looks the same as a credit card, but it’s embedded with a special chip that requires a PIN to make purchases. The technology is harder to clone, reducing the likelihood of fraud, Johnson said.

One problem with the technology is it could force criminals even more toward Internet fraud, where a physical card isn’t needed to make purchases.

“Then it’s up to us to further protect online activity” Johnson said.

Banks use various processes to improve security, such as unique identifiers and notification of transactions that require customer approval.

Given that the majority of data intrusions happen outside of the banking system, Johnson said he’d like to see more partnerships between banks and retailers. This could be a huge step forward in preventing retailers’ corporate networks from being compromised, he said.