Ripples from the 2013 Target data breach

Data breaches have been on an upward rise for as long as I can remember, and the Target breach back in December 2013 was a part of that trend.

Between 27 November and 15 December 2013, U.S. retailer Target was subject to one of the biggest hacks that the industry has seen. Around 40 million customers’ credit/debit card information was breached; 70 million customer records were stolen; 1 to 3 million cards were sold and used in fraudulent transactions; £163 million was spent on reissuing cards that were compromised; and an estimated £46.8 million went straight into the cyber-criminals’ pockets. Monumental!

The cyber-criminals managed to implement malware into the POS system in around 1,800 stores, which caused 40 million customers to be vulnerable to fraud. In the days following the breach, Target proceeded to acknowledge the breach. The U.S. retailer said that the breach had been investigated and that customers’ names and card details had been accessed, and this included card expiry dates and encrypted security codes.

A deflection technique?

As the company noticed early reports of credit card fraud, they reportedly may have wanted to maintain their untarnished reputation and customer loyalty. One way they allegedly tried to do this was by offering their customers 10 per cent off pre-Christmas in-store purchases.

Following the Christmas season was then when they revealed that encrypted debit card pin numbers had been accessed, but assured their customers that the actual pin number was secure.

More details coming out of the woodwork post-breach

It’s still a mystery as to what Target knew and when they discovered the data breach itself. More details of the breach was revealed in January 2014, where the retailer admitted that 70 million customers had their personal records stolen. Personal information lost is thought to include addresses, telephone numbers, and email addresses.

Fear for information security

After the breach spilled into the news, many customers feared for their personal information security.

40 million card account holders represents a big portion of customers for a company. The general consensus was that “just about everyone knows someone who’s been a victim” of the 2013 Target breach.

This caused customers to question the security of using their debit cards in transactions. This was because fraudulent credit card transactions are easier to handle than fraudulent debit card transactions; where a criminal can drain the account.

New secure systems?

As a result of large-scale data breaches like the 2013 Target data breach, many card issuers in the U.S. adopted EMV technology in a bid to protect consumers and to minimise the risk of fraudulent activity.

EMV stands for Europay, Mastercard and Visa, and it’s a way of authenticating chip-card transactions. Prior to the 2013 breach, there wasn’t a rush in implementing the EMV system. However, post-Target breach, there was huge public and legislative support for the system. This EMV system was also heavily endorsed by politicians as well.

Many security experts were of the opinion that EMV alone didn’t provide adequate security. Tokenisation is a method which substitutes sensitive data that the cyber-hackers have had access to, but making it impossible for the cyber-hackers to actually use that information. Tokenisation would have prevented “aftershocks” of the Target data breach.

One-step ahead

Though there are more sophisticated cybersecurity methods such as EMV and tokenisation, hackers will always find techniques to exploit them. This is why retailers and companies should stay one-step ahead and try to keep on top of their security.

Hundreds of NHS patients may have suffered serious harm from 500,000 data breaches

Trio of data thieves have been prosecuted and fined over £400,000