Personal note: When I initially laid out this blog, I planned on stepping through recent revelations in the Dairy Queen breach. However, since my initial outline, Kmart was also breached. These breaches are happening at such a frequent pace, I can’t help but feel the larger story is about security flaws within the retail space. So instead of delivering yet another Dairy Queen article among the masses, I’d instead like to look at security flaws within the retail space as a whole and how in 2015 perhaps we can put ‘the year of the data breach’ to rest.
When news first breaks of a data breach, it’s easy to think ‘well I don’t shop at xyz store, so I’m not effected.’ But as the number of breaches continues to increase, not many individuals can claim they don’t shop at Supervalu, Target, P.F. Chang’s, Home Depot, Neiman Marcus or Michaels…just to name a few.
Dairy Queen gets Data Breached
Earlier this month, Dairy Queen reported its software systems were compromised at about 400 U.S. Dairy Queen shops, making it the latest retailer to confirm a data breach. According to the company, the systems were affected from early August through early October by the Backoff malware, providing attackers with access to an undisclosed number of customer names, payment card numbers and expiration dates. Well, no offense to Dairy Queen, but this isn’t new. In fact, I recently laid out in previous blogs security ramifications in retail:
- Can Retail Learn Lessons in Cybersecurity by Looking to Logistics?
- Trend #2 – Retail Data Breaches … and then there was Supervalu
- Riding This Year’s Data Breach Roller Coaster
It’s a Kmart kind of problem
In the case of Kmart, the company reported on Friday it had been breached and was working with law enforcement. The U.S. Secret Service confirmed it is investigating the breach, which occurred in September and compromised the systems of Kmart, which has about 1,200 stores across the United States. Kmart said it believes hackers made off with some credit and debit card numbers but that the personal information, debit card PIN numbers, email addresses and social security numbers of its customers remained safe.
It’s always funny until somebody gets hurt
These stories sound the same but there is a bigger problem here and it isn’t about Dairy Queen or Kmart. Because many big merchants don’t have adequate systems for detecting cyberattacks, retailers remain an easy prey for hackers.
Security systems need to be changed, and with recent attacks, retailers are finally realizing they need systems in place that can quickly detect security vulnerabilities before hackers begin to steal data and these breaches get out hand.
Verizon's annual Data Breach Investigations Report (DBIR) from May of 2013 found that 24 percent of the confirmed data breaches in 2012 affected the retail and restaurant sector—second only to the financial sector. In all, there were 156 confirmed data breaches in the retail and food services industries.
Talking about Legislation as a solution?
In September, California passed legislation requiring that a person or business conducting business in California that owns or licenses computerized data that includes personal information is required to disclose a breach following discovery or notification of the security breach to any California resident. Existing law also requires a person or business that maintains computerized data that includes personal information to notify the owner or licensee of the information of any breach of the security of the data immediately following discovery.
Additionally, PCI DSS (Payment Card Industry Data Security Standard) was developed with the intent of reducing the risk of handling cardholder data by creating compliant Cardholder Data Environments (CDE). Security professionals, service providers, application developers, hardware manufacturers and converged infrastructure vendors worked across a number of security domains to address the data security needs of merchants. Payment Card Industry Data Security Standards (PCI DSS) mandate that all organizations that accept, acquire, transmit, process, and/or store cardholder data must take appropriate steps to continuously safeguard all sensitive customer information.
While implementing legislation is a start and deserves noting, it is not the answer.
A study conducted by Ponemon Institute shows IT pros believe using cloud services increase the risk of data breaches that -- with an estimated cost of about $201 per compromised record -- can easily cost victimized companies millions of dollars. So while laws are a great start to reducing these data breaches, compliance alone will not help companies keep up with hackers.
The Real Solution
Companies and individuals alike are realizing that more comprehensive end-to-end implementations of encryption could protect from these kinds of widespread breaches. This needs to include:
- Data-at-rest – On servers and interim transmission points where large sets of sensitive information accumulate (Target lost 70 million records here)
- Data-in-motion - When transmitted between systems
- And even data-in-memory at POS systems where some portion of all of these retail breaches occurred.
Retailers need to realize that their data is among their most valuable assets and needs to be protected. While 2014 might go down in history as the year of the data breach, it’s time to put this to bed.
Protecting the enterprise’s valuable digital assets from accidental or intentional misuse should be the most important goal for every IT team. Many organizations have deployed a variety of endpoint encryption solutions as a primary method of protecting data and to meet various compliance requirements. Unfortunately, the majority of these disparate encryption solutions have fallen short in their ability to address the enterprise’s key management challenges.
Close that door, please
While the Internet has enabled access to organizations’ network and data, it has also opened doors to misuse by hackers. As is evident in previous retail breaches, these attacks have had dire consequences for companies, resulting in substantial loss of revenue, massive fines and degraded customer trust.
Remember, data is only as secure as the system that manages the encryption keys protecting the data. A centralized enterprise key management solution is critical to ensuring all sensitive data is secure and available.