[BreachExchange] Retailers fight to silence customer data breaches

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jun 6 10:10:32 EDT 2016


http://www.engadget.com/2016/05/31/retailers-fight-to-silence-customer-data-breaches/

A consortium of retailers, including Target and Home Depot, vowed to fight
a data breach notification bill. The bill, HR 2205 from Reps. Randy
Neugebauer (R-Texas) and John Carney (D-Del.), would require companies to
tell customers when they've been hacked, and would also require the
encryption of data in both storage and transit. It would hold retailers to
the same data security standards as the financial sector.

The large and powerful Retail Industry Leaders Association (RILA) sent a
letter on Tuesday to House leadership saying that "It makes no sense to
take one industry's regulations and apply it to a large segment of the
economy without understanding the consequences."

RILA's letter claims that applying bank security rules to retailers imposes
unfair regulations, specifying one that would require a criminal background
check for any employee handling credit or debit card information.

But that's not actually what the bill's legislative text says. The section
mentioning background checks explains that retailers should "adopt the
measures that the entity concludes are appropriate." Employee background
checks would be for "employees with responsibilities for, or access to,
sensitive financial account information or sensitive personal information"
-- only if the retailer decides it makes sense.

The American Bankers Association and other finance groups think it's about
time Big Retail started sharing responsibility for cybersecurity, and sent
a joint letter in support. Big Banking said, "In our view, protecting
consumer information is a shared responsibility of all parties involved."

Until now, RILA and other retail groups have been generally supportive of
creating a national breach-notification standard -- but just to replace the
current mishmash of state laws. A Federal breach law is now inevitable, but
an effective one isn't.

It's awfully conspicuous that nearly all of RILA's "premiere members" are
retailers on "biggest breaches of all time" lists. The group's top dogs
read like a who's who of breached companies, including Target, Home
Depot, Best Buy, JC Penney, Lowe's, Walgreens, and Walmart.

Combined, these companies lost the sensitive records of hundreds of
millions of people. They also behaved badly when it was time to notify
customers that their personal and private information had been stolen on
the retailers' watch.

Most of their customers found out they were victims by reading about it in
the news. But many likely got their first 'notification' of a breach when
their identities were stolen -- one in five, to be exact. For the actual
victims, finding out probably stands out pretty vividly in their minds
among the more traumatizing indignities they've suffered courtesy of an
American retailer... outside of People of Walmart. In case you don't know,
identity theft manifests in life-ruining fraud pertaining to mortgages;
ATM, debit and credit cards; student loans; IRS and Social Security fraud;
and use of identity for unauthorized medical services. It ruins your
credit, can make you lose your house, and will drain your bank account in
one way or another.

Most of the millions of people who were victims of these seven retailers'
breaches only found out about it against the company's wishes. Target only
admitted it reluctantly, and notified customers after the fact. And it only
came clean because it was plastered in headlines from here to eternity,
and not because the company was acting as a concerned party in its
customers' welfare.

These corporations are used to getting what they want, including laws that
favor their protection, not consumers. It's like their business models have
consisted of outraging the natural order of accountability. This is just
another thing to make go away.

Customer breach in the news? Slap some free LifeLock accounts on 'em and
tell the press "case closed."

Maybe Target and the other six breached retailers in RILA came to the
conclusion a long time ago that cutting cybersecurity corners is worth more
than being able to sleep at night. And maybe they just can't face another
public embarrassment when they eventually get dragged once more into the
breach, as it were.

It would be a shame to see everyone dragged into another breach. Except, if
RILA has its way about it, it's likely no one would know about it anyway,
until it's way too late.

Well, the ones posting snatched home addresses and credit cards on illegal
data trade sites will know about it. Otherwise, we're just at the receiving
end of an elaborate game of finding out the hard way. It's unlikely a bunch
of Big Retail's customers will all notice they're victims of identity theft
all at the same time, but it's possible.

Though wouldn't it be nice if making us find out the hard way was something
retailers could actually get in trouble for?