Scared Off Target Shoppers Slash Q4 Profit Almost in Half

Posted on March 4th, 2014 by Dan Rampe

As a result of the infamous breach where 40 million credit and debit card accounts were compromised and 70 million customers had their names, phone numbers, email and mailing addresses stolen, Target’s profit dropped 46 percent and revenue 5.3 percent.

According to an AP piece by Anne D’Innocenzio, Target says profits will be affected well into 2014. The Minneapolis-based retailer reported it earned $520 million, or 81 cents per share, for the three months ending Feb. 1. That compares with a profit of $961 million, or $1.47 per share, a year earlier. Revenue fell from $22.7 billion to $21.5 billion.

Target’s $44 million insurance policy helped somewhat ease the $61 million it’s had to shell out in breach expenses so far. Additional expenses could include payments to card networks to cover losses and expenses for reissuing cards, lawsuits, government investigations and enforcement proceedings. Oh, and Target is offering free credit monitoring services for a year to those who had their data compromised. Presumably that’s been paid for already, or will be, depending on how many customers take advantage of the offer.

The breach has caused Target to accelerate its $100 million plan to implement the use of chip-enabled technology by early 2015 in all 1,800 stores.

D’Innocenzio writes, “It isn’t clear when Target will fully recover from the breach, but Avivah Litan, a security analyst at Gartner Inc., puts the costs of the breach at between $400 million and $450 million.”

ThreatMetrix builds trust on the Internet by offering market-leading advanced fraud prevention and frictionless context-based security solutions. These solutions authenticate consumer and workforce access to mission critical applications using real-time identity and access analytics that leverage the world’s largest trusted identity network.

ThreatMetrix secures enterprise applications against account takeover, payment fraud, fraudulent account registrations, malware, and data breaches. Underpinning the solution is the ThreatMetrix™ Global Trust Intelligence Network, which analyzes over 500 million monthly transactions and protects more than 160 million active user accounts across 2,500 customers and 10,000 websites.

The ThreatMetrix solution is deployed across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government and insurance.

For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.

Getting Personal. What the Target Breach Meant to One Lady Who Needed Cat Food.

Posted on February 10th, 2014 by Dan Rampe

Forty million is a number that’s difficult to wrap your brain around. However, the story of one woman in the small California town of Martinez narrowly missing becoming a Target breach victim brings things home as possibly nothing else can.

Here’s the story as told on martinezgazette.com:

The breach of Target’s payment systems reached home last week as attempted fraud was reported by downtown resident Harriett Burt.

Burt said she received a call on the morning of Dec. 27 from a number her caller ID displayed as “private.”

“I nearly never answer those, but something made me go ahead and see what it was,” Burt said. “It also had, in the lower left corner (of the caller ID display) a bell with a line through it, and I’d never seen this before.”

The caller identified himself as being from an investigative division with Visa, and said the division showed a recent charge on Burt’s card of approximately $200, with the purchase being sent to Las Vegas. He asked if Burt lived in Las Vegas, and said he would investigate and call her back promptly.

But the call raised a red flag with Burt, who asked why the caller’s number was displayed as private on her caller ID. The caller said the division’s numbers often did not display because of the nature of their investigative work, and that he would proffer an 800 number when he called her back.

A few minutes later, the same caller rang back and gave Burt an 800 number. She instead decided to call her Visa company directly, and discovered the number the mysterious caller provided was not a number associated with Visa.

“These folks have thousands, millions of numbers, and they know in a situation like this all they really have to do is ID someone who’s been to Target,” Burt relayed from her conversation with Visa.

It’s likely Burt’s credit card number was one of 40 million hackers were able to retrieve using malicious software that infiltrated the store’s payment systems beginning Nov. 29. The only cards affected were those used for in-store purchases, which Burt says she made to buy cat food.

Hackers stole customer names, credit and debit card numbers, expiration dates, card security codes and PIN numbers, according to Target. Other customer information was not compromised, the company said, and Target is cooperating with federal authorities, including the Secret Service and Department of Justice, but is withholding additional details about the hack at the request of law enforcement.

In the meantime, anyone receiving calls from people purporting to be from credit card companies or other banking institutions is encouraged not to forfeit any information, but to hang up and call their credit and banking institutions directly. Target customers are also encouraged to check their statements carefully, especially for small purchases that may indicate fraudulent persons verifying if accounts are still active. Customers should request replacement cards, and even while new cards are on the way, Target recommended PIN numbers be immediately changed.

Unfortunately for some who failed to act as intuitively as Burt, there have been instances of cash withdrawals and purchases made using PIN numbers – charges that can be difficult, and sometimes impossible, to reverse. Lawsuits are continuing to pile up over the Target hack as thousands of customers continue to be victimized by debit card fraud.

Burt said she was lucky in that she’d recently applied for a new card, and her credit line will be transferred to it. She’s since alerted Martinez Police of the call.

However, while away from home for a few hours after the initial fraudulent call, Burt said she received a muffled voicemail message from the same person who’d called that morning, again offering an 800 number. “So the fraud continues,” Burt said.

Fortunately for her, she used caution and acted correctly.

Just Because You’re Paranoid Doesn’t Mean They’re Not out to Get You. One Cyberreporter Refuses to Share Her Email Address with Retailers.

Posted on January 27th, 2014 by Dan Rampe

Maybe you’re overcome by politeness. Maybe people who stand behind counters represent childhood authority figures like teachers and principals and movie ushers. Maybe because it’s become routine. Whatever the reason, when a vendor asks for a phone number or email address to complete a transaction, there’s a tendency to comply without question.

However, there’s a big difference between the information merchants need for executing a transaction and the information merchants want for marketing. And, online or brick-and-mortar, personal information that’s compromised is costly to both customers and merchants.

One cybersecurity reporter hit the keys to tell how she deals with companies and clerks who want her email address. Nicole Perlroth writes on nytimes.com:

There is a temptation to think that major retailers like Target are more secure because they have more cash to spend on security. But the reality is that no company is entirely secure.

It’s hard out there for a paranoid cybersecurity reporter.

I’ve covered enough breaches, identity thefts, cybercrime and worse, to know it’s a terrible idea to hand over my personal data — even something as seemingly innocuous as my birthday or email address — to a store clerk, or a strange login page on the Internet.

But it’s getting hard to resist. I was in the middle of buying a swimsuit recently when the sweet lady behind the boutique counter asked me for my email address. I explained, as I have a hundred times before, that I’m a paranoid security reporter who makes it a general rule of thumb not to hand out information unnecessarily.

“We won’t spam you or anything,” she said, perplexed. “We just need it for our database.”

I knew then that the conversation was headed into a whole lot of awkward, as it had dozens of times before. The fact is, a boutique doesn’t need my email address so I can buy a swimsuit. The hotel I stayed in recently didn’t need my birth date, or my home address, or my driver’s license number, before I could check in. And Target doesn’t need to store your debit card PIN.

After news of Target’s breach first broke last month, a reader emailed complaining that after a recent purchase at a Target store in San Francisco, she was asked for her driver’s license after her credit card was authorized. “I gave it to her thinking she was only going to look at it, however she immediately scanned it through her register. I was a bit shocked and asked why she did that. She said it is always done but ‘Don’t worry, it is secure.’”

That, we now know, is absurd.

There is a temptation to think that major retailers like Target – and now Neiman Marcus – are more secure because they have more cash to spend on security. It’s the same assumption users made thinking Snapchat was secure because it magically makes selfies disappear, or that LinkedIn knew how to protect data because it likes to talk up big data, or that Adobe could protect our passwords.

Actually, I take that back: Compromised Adobe PDF files have been used in far too many cyberattacks to mention here.

The point is that no company is secure. None of them. Not when they are up against an increasingly sophisticated, elusive enemy. But the problem is not just retailers, or technology companies or hackers, it’s us.

We regularly hand over data simply because we’re politely asked. We don’t read privacy policies, or ask companies whether our email addresses and passwords will be “salted” or “hashed,” encrypted with long or short keys, or whether those keys will be stored on separate systems from the ones they can unscramble. We don’t challenge major credit card companies to hurry up and adopt smart-chip credit cards. And we don’t stop doing business with companies that don’t take data protection seriously.

So we’ll all feign shock that the Target breach did not just affect 40 million people as it previously reported, but well over one-third of America’s adult population. And then, in a few days, we will likely go back to politely handing over our email addresses and birth dates.

But for now, the sweet lady at the boutique just has this: privacyreporter@stopaskingme.com.

Note: We went to www.stopaskingme.com and found just this on the website:

It seems like today people want so much information from you. You have to spend 1-2 minutes on the phone, after you get to talk to a human, before you can ever get down to business. They need name, account number, (again) last four of something or other and on and on.

There is a fine balance between good customer service and downright annoyance. Anyways, I love the look on these people’s faces when I give them my email address of some name@stopaskingme.com. I cannot tell you how many tech support people have bust out in laughter when I give them this email. Kind of lightens the whole mood and even has a calming effect when talking to some of the less, shall we say, less than helpful customer service reps.

Target Toll Rises to 110 Million Customers Compromised Painting a Telling Story of Most Corporate Security

Posted on January 23rd, 2014 by Dan Rampe

When the San Jose Mercury News asked Andreas Baumhof, ThreatMetrix’s Chief Technology Officer, about security at most corporations, he pulled no punches, responding in no uncertain terms: “the state of corporate security is a joke.”

Security expert Philip Lieberman concurs with Baumhof: “They don’t care. They’ve made a calculated decision that it’s cheaper to take this hit than to implement the systems to fix it. I’ve had this conversation with CEOs of many large retailers.”

In a survey last November, the Ponemon Institute, which is dedicated to advancing responsible information and privacy management practices in business and government, found that of the more than 2,000 officials in charge of security at U.S. and other organizations, one-third couldn’t say for sure if they’d been targeted by a cyberattack in the previous 12 months.

According to Steve Johnson’s article in the San Jose Mercury News, the stolen information is “already…being peddled online along with the card data.”

So how did we get to 110 million customers compromised from the original 40 million? First reports were that thieves stole credit and debit card information from 40 million customers. It was only much later that Target said the names, phone numbers and home and email addresses of a separate group of 70 million people were taken. There could be some overlap in the two groups. But, however you slice it, this breach is big enough to have caused the initiation of class action suits and investigations by several states’ attorneys general.

Johnson writes, “Target’s disclosures have been especially troubling because they keep getting worse. Besides underestimating how many customers were affected, the company initially said it had no evidence the crooks stole debit card PIN numbers, potentially enabling them to steal the customers’ money from ATM machines. But …later, it said ‘strongly encrypted PIN data was removed.’

“Although Target said its customers ‘will have zero liability for the cost of any fraudulent charges arising from the breach,’ security experts warned that Friday’s disclosure about the additional stolen information makes it more likely crooks will try to defraud those customers.

“They especially may go after Target customers who order new credit or debit cards because of the breach, Lieberman said. He expects crooks — using the stolen names and email addresses — to send the customers emails posing as their card-issuing companies and asking for other information that could be used to make fraudulent purchases with the card numbers.”
