Consumers and companies are vulnerable to hackers and identity thieves even after U.S. authorities arrested a man they said was a master hacker who stole 170 million credit and debit card numbers.
Estimates on the total financial impact of breaches vary, but a study by Forrester Research put the cost at $90 to $305 per compromised record when considering the cost of upgrades, notifying customers and legal and marketing expenses.
Under our banking laws, it's the financial institutions that will be stuck paying for fraudulent use of credit cards. We have the consumers responsible for $50 and the rest winds up on the card issuer, said Joel Reidenberg, a professor at Fordham Law School who teaches privacy law.
Banks in turn pass along costs to retailers as fines and fees.
On Monday, three men were indicted on charges of stealing more than 130 million credit and debit card numbers in what U.S. authorities said they believed was the largest hacking and identify theft case ever prosecuted in the United States.
Former government informant Albert Gonzalez, 28, in jail in connection with other hacking cases, has been accused of masterminding the theft. He was charged along with two Russians with conspiracy to gain unauthorized access to computers, to commit fraud in connection with computers and to damage computers, and conspiracy to commit wire fraud. Prosecutors have not divulged the Russians' names.
Card numbers were stolen in those breaches from credit-card processor Heartland Payment Systems and retail chains 7-Eleven Inc and Hannaford Brothers Co, a unit of Belgium's Delhaize Group, prosecutors said. They said the men targeted two other corporations, which they did not name.
Gonzalez's attorneys did not return calls for comment.
Gonzalez pleaded not guilty to last year's charges of hacking into the systems of several major retailers, including TJX Cos Inc. Prosecutors have said that 41 million numbers were stolen in the TJX case.
Charging this individual is a great development, but hacking and other forms of fraud are pervasive these days, said Beth Givens, executive director of the Privacy Rights Clearinghouse, a nonprofit organization in San Diego.
Gonzalez is accused of breaching computer networks of companies that have said they met tough standards set by the payment processing industry.
His alleged crimes would account for a majority of compromised records, which Givens' group puts at 263 million.
But Givens thinks that number is a fraction of the compromised accounts.
She said many companies never disclose that they were attacked or do not reveal the total number of compromised cards, as states only recently began requiring.
Linda Foley of the nonprofit Identity Theft Resource Center said she has not seen a decline in reported incidents since Gonzalez was jailed. That tells us there's more hackers out there, she said.
Whether improved payment card security is necessary and who should pay for it has become an issue for retailers, banks and consumers worldwide.
Experts said one weak link jeopardizes the whole system because payment networks are intertwined.
Accusations against Gonzalez bear this out.
Prosecutors have said that starting in 2003 Gonzalez and accomplices drove around Miami looking for stores with poor wireless security, and used that vulnerability to tap into corporate computer networks.
They learned techniques including planting software to steal customer payment information, break encrypted PIN numbers and park data offshore, according to prosecutors.
To counter such attacks, the payment industry began requiring merchants to meet tougher security standards.
But prosecutors have said that in the latest case Gonzalez and the two Russians were able to breach several companies that said they met these standards.
Gartner Inc security analyst Avivah Litan said card companies and banks should take additional steps such as adding computer chips to cards or requiring more data encryption on their networks. The case against Gonzalez shows the current standard wasn't effective, she said.
Officials at Visa and MasterCard, the two largest card networks, were not available for comment.