The big news this week in cyber security is Target’s report that approximately 40 million of its credit and debit card accounts were compromised. This happened right in the midst of the biggest shopping period of the year. The timing could not have been worse. Thieves were able to learn card numbers, expiration dates, and the three-digit security code that appears on the back of the cards.
Credit card theft is one form of identity theft. Identity theft is actually a set of crimes in which thieves steal any kind of personal information that could bring them financial gain. That includes names and addresses, social security numbers, student and auto loan information, mortgage information, and, of course, credit and debit card numbers.
Identity theft has grown more popular as thieves have become increasingly aware that stealing such valuable information has gotten easier. It has gotten easier to carry out these crimes thanks to an exponential growth in the number of malicious programs that are available to compromise data systems. According to one report, the number of programs that have been written to steal personal information grew from 1 million in 2007 to 130 million earlier this year. This includes malware that directly attacks point-of-sale systems. The reward for successful thieves is great, as they can then sell this information to others and typically fetch between $10 and $50 per card. The potential payout, combined with the ease with which such crimes can be committed, makes this an increasingly attractive option for criminals.
The impact on business is staggering. It is estimated that these kinds of attacks cost businesses about $220 billion worldwide each year. Most data breaches, including recent attacks against The New York Times, Evernote and LivingSocial, do not reveal customer payment information, but the ones that cause the most consternation among consumers are, of course, the ones that do. As consumers, we are more likely to remember the breaches that do leak credit card information, such as the successful attacks against TJ Maxx in 2005 and the Sony PlayStation Network in 2011. TJ Maxx, in fact, had to pay a settlement of $9.7 million in 2009 for the attack it suffered. It is estimated that it costs a company about $150 to $250 per card stolen. That number includes legal fees, identifying and removing the malware to contain the threat, and the cost of notifying customers. Of course, companies can recoup these costs by passing them on to consumers in the form of higher prices. The harder cost to gauge, and the one that could mean greater trouble for the company over the long term, is the impact on customer goodwill.
Clearly, Target is aware of this potential for long-term damage. Target did the right thing getting the news out quickly, even if it meant disclosing the information during the height of the Christmas shopping season. While that may impact sales for them this season, they have served their customers well by asking them to be vigilant in checking their statements. Coming clean, always the best thing to do from an ethical standpoint, was also the best thing Target could do for its business in this situation. There is no reversing the fact that the breach happened. It’s up to computer scientists and other security experts to figure out how it happened and how to prevent it from happening in the future. In the meantime, Target has warned the customers of its 1,800 stores to look out for suspicious activity on their accounts. That’s the best thing it could do.
The good thing for consumers is that, in almost all cases, the banks cover the immediate losses for them. Customers rarely have to pay a dime in these situations, and the only thing they suffer is the hassle of having to get a new card. As identity theft grows, of course, it is unclear whether this will be a sustainable practice for the banks. That is why we tech types in Computer Science have to do our part to reduce the vulnerability of these commercial data systems. The Grinch may steal Christmas, but we geeks will be the ones who save it.