When the San Jose Mercury News asked Andreas Baumhof, ThreatMetrix’s Chief Technology Officer, about security at most corporations, he pulled no punches: “the state of corporate security is a joke.”
Security expert Philip Lieberman concurs with Baumhof: “They don’t care. They’ve made a calculated decision that it’s cheaper to take this hit than to implement the systems to fix it. I’ve had this conversation with CEOs of many large retailers.”
In a survey last November, the Ponemon Institute, which is dedicated to advancing responsible information and privacy management practices in business and government, found that of the more than 2,000 officials in charge of security at U.S. and other organizations, one-third couldn’t say for sure if they’d been targeted by a cyberattack in the previous 12 months.
According to Steve Johnson’s article in the San Jose Mercury News, the stolen information is “already…being peddled online along with the card data.”
So how did we get to 110 million customers compromised from the original 40 million? First reports were that thieves stole credit and debit card information from 40 million customers. It was only much later that Target said the names, phone numbers and home and email addresses of a separate group of 70 million people were taken. There could be some overlap in the two groups. But, however you slice it, this breach is big enough to have prompted class-action suits and investigations by several states’ attorneys general.
Johnson writes, “Target’s disclosures have been especially troubling because they keep getting worse. Besides underestimating how many customers were affected, the company initially said it had no evidence the crooks stole debit card PIN numbers, potentially enabling them to steal the customers’ money from ATM machines. But … later, it said ‘strongly encrypted PIN data was removed.’
“Although Target said its customers ‘will have zero liability for the cost of any fraudulent charges arising from the breach,’ security experts warned that Friday’s disclosure about the additional stolen information makes it more likely crooks will try to defraud those customers.
“They especially may go after Target customers who order new credit or debit cards because of the breach, Lieberman said. He expects crooks — using the stolen names and email addresses — to send the customers emails posing as their card-issuing companies and asking for other information that could be used to make fraudulent purchases with the card numbers.”