Anyone who hasn’t been hibernating since Thanksgiving already knows that critical information from 40 million credit and debit cards used in Target stores from November 27 to December 15 was exfiltrated from their computer systems.
The stolen information includes customer names, credit or debit card numbers, expiration dates, and card security codes. Additionally, debit card PINs (the digits that you enter on the keypad when you use a debit card) were also lifted, but Target says that the PINs were encrypted and the encryption key was stored at a different company.
This story raises a number of questions, both from an organizational point of view and from a consumer point of view. First off, Target said it began investigating the incident as soon as it learned of it, with the help of a leading third-party forensics firm. Now how could Target not know that its own systems were hacked?
You might be surprised to find out that every year, the FBI or other security organizations notify hundreds of companies when they learn there was an intrusion into the companies’ networks. Often, these companies didn’t even know they were under attack until there was a knock on their door. And while still other companies may have known there was something wrong, they didn’t know what to do about it or who to call.
As CEO, you can’t pass the buck to your IT department and say, “You handle this…I can’t be bothered.” A serious hack can materially affect the status and future of your company. And in fact, plaintiffs in California are working to bring a class action lawsuit while local media reported that another lawsuit was filed in a Rhode Island federal court.
Clueless politicians are also sticking their noses under the tent. US Senator Chuck Schumer called on the Consumer Financial Protection Bureau to report on whether retailers should be required to encrypt customer card data. (Note to Chuck – retailers already are required to encrypt customer card data. See the PCI security standard.)
Whether the hacked cards get used or not, this is a PR nightmare for Target and could very well lead to lower sales as customers seek safer harbors for their shopping trips. But unfortunately there are no safe harbors in today’s world. You see, hackers have infinite time to find a single hole to let them in while the targets of their evil deeds have to try to defend thousands of known and unknown attack vectors.
So what can you do to protect yourself?
- If your credit card company offers it, use a smartphone app that notifies you every time your card is used.
- Regularly check your paper or online statement. Sometimes hackers ping an account for only a few cents to verify they have an active account.
- If anything looks amiss, don’t be afraid to contact your credit card company to let them know.
My mom is absolutely convinced that she will be safer if she doesn’t use her credit card online and shreds anything with her name and address on it. But as we saw this month, you can still be at risk even if your credit card never leaves your hand. This hack didn’t even touch Target.com shoppers.
As a CEO, what can you do to stay off the front page for the wrong reasons? Read more about this on my Forbes.com blog post.
Next week I’ll go deeper into the forms of encryption that can be used to protect data at rest, data in motion, and data in use. You might be surprised to find out that the most common encryption method in use today to protect data at rest doesn’t actually protect anything as long as your systems are up and running.