Nearly a year after Target Corp.’s massive and costly data breach, the company is expected Wednesday to finally show an uptick in store traffic. But as Target tries to get past 2013’s hacking while heading into the all-important holiday shopping season, analysts warn that cybercrime is heating up and that some retailers will inevitably fall victim to breaches of payment data.
“It’s just a matter of when they’re going to get hacked, not if,” says Robert Twitchell, president and CEO of cybersecurity firm Dispersive Technologies, and a cyberwarfare consultant for the U.S. Department of Defense.
Cyberattacks on U.S. retailers, at least those made public, spiked this year. At least 644 breaches have been reported so far this year, a 25.3 percent increase from the same period last year, according to the Identity Theft Resource Center. In January, Target announced that hackers stole 70 million customers’ contact information and 40 million customers’ credit and debit card information. Neiman Marcus reported that between July and October 2013, credit card information of 350,000 shoppers was stolen, and more than 9,000 cards were charged fraudulently. Hackers wrote code that allowed them to access company computers. A similar hacking took place in computers at craft chain Michaels, affecting 3 million customers.
Other attacks this year have compromised contact and login information for 233 million eBay customers, 5 million Gmail usernames and passwords, and credit and debit card information from 60 UPS stores, 33 P.F. Chang’s restaurants, 330 Goodwill stores, 2,000 Home Depot stores and nearly 400 Dairy Queen and Orange Julius stores.
“It would be a surprise if it doesn’t happen again,” says John Rose, global leader of the technology practice of Boston Consulting Group. “The cyberattack community is equally aware of the importance of the holiday season, and they’ve been working on things for a while, so you’re going to see an intensity of effort.”
As hacking incidents -- and the severity of attacks -- increase, retailers are spending more to combat cybercriminals. The average cost of cybersecurity for U.S. stores has more than doubled from last year to an annual $8.6 million per company, according to a recent survey by Ponemon Institute.
But that doesn’t guarantee they are prepared to fend off attacks.
“IT organizations have paid attention only to the ABCs of hacking,” Twitchell says. They’re adhering to PCI compliance, a government standard of basic security, but the standard hasn’t kept up with innovation, he says.
Most attacks happen when hackers enter Internet communication in-between the sender and the receiver. Traffic flows through a sequence of routers, like a connect-the-dots puzzle, and when hackers are able to access a midpoint, they can view and copy the traffic, which could include credit card information and passwords.
“The attacks being done today are no longer like what they were five to 10 years ago,” he said. “We’re in a cyber war. Nation-states are involved, and a lot of the tools these nation-states are using are finding their way into criminal hands.”
The FBI has warned U.S. businesses that the Chinese government is sponsoring cyberattacks to probe for patented technologies. According to Ponemon, most cybercriminals are no longer isolated amateurs. They belong to well-structured organizations motivated by turning a profit, often employing highly skilled hackers that execute targeted attacks.
Twitchell recommends that retailers layer security precautions, pay attention to new hacking and prevention technologies, and buy insurance. As for consumers, he advices that shoppers should be careful about the websites they visit, keep banking and online purchases to a few machines, and buy software protection.