From the Security Experts

January 09, 2009

Retail Data Security Breaches in the United States


(Editor’s Note: Public disclosure of data breaches, now mandated by law in most states, combined with the Payment Card Industry Data Security Standard is changing the way retail organizations need to protect sensitive information. This article summarizes a detailed review of the current situation and is intended to encourage retailers to modify their risk mitigation technologies, policies and procedures so as to reduce their exposure to data breach incidents. A copy of the full 32-page study, Retail Data Breach Study, with all charts and graphs, is available here.)

Retail organizations maintain records on their customers. When that information falls into the wrong hands, or is exposed so that an unauthorized individual has the opportunity to extract, view, capture or use it, it constitutes a data breach. Most states currently have laws that require disclosure of data breaches, and the federal government may soon enact legislation of its own.
As disclosure and public notification laws spread, the reported incidence of data breaches is growing; the problem itself is not new, but its nature and severity are only now becoming visible. Public disclosure can have a profound effect on the company brand, on the trust and loyalty of customers, and eventually on the bottom line.
The Payment Card Industry Data Security Standard
The PCI DSS describes 12 detailed requirements organized into six groups. These requirements apply to an organization’s system components, meaning every system that stores, processes or transmits cardholder data and every system connected to one that does. The six groups of the PCI DSS are:
  1. Build and Maintain a Secure Network
  2. Protect Cardholder Data
  3. Maintain a Vulnerability Management Program
  4. Implement Strong Access Control Measures
  5. Regularly Monitor and Test Networks
  6. Maintain an Information Security Policy
Trend Highlights in the Retail Industry
The average retail company stores data both electronically and on paper, all of which must be protected. Within the “business” category, which accounts for 33 percent of all data breaches across all industries, retail has the second highest number of incidents but the most records compromised of any sub-category.
According to research conducted by Perimeter eSecurity (the supporting charts appear in the full study), records compromised at retail organizations between 2000 and 2007 totaled 98,035,330, equal to about one third of the U.S. population. The greatest exposure and loss of sensitive data comes from data breaches, most often caused by hackers, theft and malicious employees. Credit card information made up more than 99 percent of all information compromised in retail security breaches, and it was usually accompanied by additional personal information that made the stolen data “high value” to fraudsters.
When retail records compromised are analyzed by breach source, theft is the leading category. Moreover, nearly all records are compromised while the data is still inside the retailer’s own walls rather than in the hands of a third party.
Based on many case histories, large public companies that experience a security breach appear to “weather the storm” better than small companies, with relatively minor long-term impact on their stock value. Many small companies have been known to go out of business because of the hard and soft costs of recovering from a security breach.
Case Histories: The TJX Companies and Hannaford Brothers
The TJX Companies Inc. experienced an "unauthorized intrusion" into the computer systems that process and store customer transactions, including credit card, debit card, check and merchandise return transactions. The intrusion was discovered in mid-December 2006. Transaction data from 2003, as well as from mid-May through December 2006, may have been accessed. After numerous lawsuits and untold negative media attention, one article[i] estimates TJX’s breach-related costs at $500 million to $1 billion.
In March 2008, Hannaford Brothers had a security breach affecting all 165 of its stores in the Northeast, 106 Sweetbay stores in Florida and a smaller number of independent groceries that sell Hannaford products. Credit and debit card numbers were stolen during the card authorization transmission process; no other personal information was divulged.
A company official stated that malware loaded onto Hannaford servers allowed attackers to intercept the magnetic-stripe data of payment cards as customers swiped them at the check-out counter and the data was transmitted for authorization. The stolen card data was transferred overseas and resulted in 2,000 known cases of fraud. The attack succeeded even though Hannaford had been assessed as compliant with the PCI DSS and undergoes the elaborate examination and certification required by the card associations. The lesson for practitioners is that a compliance certification attests to the controls in place at the time of the assessment, and that the standard then in force required encryption of cardholder data only over open, public networks; card data moving in the clear inside a merchant’s own network was exactly what the Hannaford malware was positioned to capture.
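The Hannaford intercept worked because full magnetic-stripe (track 2) data and primary account numbers crossed the store network in a form the malware could read. The check below is an added example, not code from the study, from Perimeter eSecurity or from Hannaford: it scans captured authorization messages for cleartext PANs and track 2 records, using the Luhn check to weed out timestamps and transaction ids, and reports any hits with the PAN masked per PCI DSS display rules. The wire format, the field names (TXN, TRACK2, TOKEN, PAN_MASK) and both sample messages are constructed for illustration; the PANs are the public Visa and Mastercard test numbers, not real cards.

```python
"""Scan captured authorization traffic for cleartext cardholder data.

Added example (hypothetical wire format, constructed messages). The
PANs below are the standard public test numbers, not real cards.
"""
import re

# Any 13-19 digit run that is not part of a longer digit string is a PAN candidate.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Track 2 as read from the magnetic stripe: ;PAN=YYMM SSS discretionary ?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS display masking: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list:
    """Digit runs that pass Luhn; timestamps and transaction ids are dropped."""
    return [m.group(1) for m in PAN_RE.finditer(text) if luhn_valid(m.group(1))]


def find_track2(text: str) -> list:
    """Full track 2 records: PAN plus expiry date and service code."""
    hits = []
    for m in TRACK2_RE.finditer(text):
        pan, expiry, service_code = m.group(1), m.group(2), m.group(3)
        if luhn_valid(pan):
            hits.append({"pan": mask_pan(pan), "expiry": expiry, "service_code": service_code})
    return hits


def scan_message(message: bytes) -> dict:
    """Report any cleartext cardholder data found in one captured message."""
    text = message.decode("ascii", errors="replace")
    pans = find_pans(text)
    return {
        "pans": [mask_pan(p) for p in pans],
        "track2": find_track2(text),
        "clean": not pans,
    }


# Constructed messages in a hypothetical POS-to-switch format.
# 1) Stripe read and PAN sent in the clear: what the Hannaford malware could read.
CLEARTEXT_AUTH = (
    b"MSG=AUTH|TXN=20090109123000|AMT=4275|"
    b"TRACK2=;4111111111111111=25121010000000000000?|"
    b"PAN=5500000000000004|EXP=2512\r\n"
)
# 2) Same request after the terminal encrypts the stripe and the PAN is tokenized.
TOKENIZED_AUTH = (
    b"MSG=AUTH|TXN=20090109123000|AMT=4275|"
    b"TOKEN=tok_8f3a1c9e|PAN_MASK=411111******1111|EXP=2512\r\n"
)

if __name__ == "__main__":
    for label, msg in (("cleartext", CLEARTEXT_AUTH), ("tokenized", TOKENIZED_AUTH)):
        print(label, scan_message(msg))
```

Running the scanner over the first message reports both PANs and the complete track 2 record (expiry 2512, service code 101); the 14-digit transaction id fails the Luhn check and is ignored. The tokenized message produces no hits, which is the state a retailer wants to see on every internal segment that carries authorization traffic, not just on the link to the processor.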
Many companies in the retail industry lack both adequate security measures to prevent data leakage or compromise and the knowledge of how to respond to a breach. Each retail organization has different needs, based on its own operations, that must be met to maximize its security. A combination of policies, procedures, training and technology, aligned with a layered security approach and a risk-based analysis, is available to mitigate a broad range of risks. Applied consistently, it would reduce the number of data security breach incidents, save money, and maintain customer assurance, employee morale and shareholder confidence.
An on-demand security-as-a-service approach can provide an affordable, layered and compliant defense for retailers of all sizes. Retailers evaluating this approach should fully vet all service provider candidates, especially in the current economic environment, and make sure that a provider is stable and has survived difficult economic times before.
It is important that the provider offers a broad range of services, so that the retailer benefits from economies of scale, has a strong regulatory focus, and has been vetted by multiple independent third parties. Be sure to check audited financial statements to confirm that the provider has been profitable for some time. Regulators are requiring many providers to achieve and maintain strong compliance, which raises their expenses at a time when revenues are falling; a provider that cannot absorb that pressure is a risk to the retailers that depend on it.



Edited by Michael Dinan