AFP compiles the most alarming—and informative—payments fraud news relevant to corporates in AFP Fraudwatch. This column is part of AFP’s Payments Fraud Resource Center and is intended to keep you aware of the latest threats to your organization.

How Has the Target Breach Impacted Retail Treasurers?
Treasurers of retail chain stores said they expect their companies will spend as much as triple the amount they already pay for cyberinsurance in the wake of the Target security breach. That’s on top of devoting additional employee hours preparing reports to show senior management and board members their cybersecurity measures.
“The board of directors are starting to ask, ‘Could this happen to us?’” said one treasurer at AFP’s Retail Roundtable, held last week in Dallas, who spoke on the condition of anonymity. “We all say we’re PCI compliant; Target was PCI compliant, too. The board wants to know your incident response plan.”
The treasurer said his board also asked many questions about his corporation’s cyber insurance coverage. “Target had an industry-leading cyber insurance policy,” he noted. “Coverages topped out at $100 million. I think the breach cost them about $1 billion—one-tenth of the insurance that they ultimately needed. The rest of us—who probably don’t have the industry-leading position they have—are probably going to triple the amount of coverage we have this year.”
The treasurer estimated that, before the Target breach, only about 30 percent of retailers had policies to cover cybertheft. “Cyber insurance is an interesting industry, because the carriers need a lot of history in order to get comfortable with the risk,” he said. “There’s not a lot of history in cyber, other than one gigantic breach that they’re now afraid of. So they’re now more interested in what your instant response plan is, what vendor you’re going to use for forensics, etc.”
One Retail Roundtable attendee noted that even though there hasn’t been much change in her company’s day-to-day operations, her department has had to produce an extra report to the board to show where the organization is, in comparison to Target. Another treasurer said that when he first learned of the Target breach, he immediately called his assistant treasurer and let him know. “By the next day, we were already preparing for a summarized presentation for executive management,” he said.
Another treasurer at the roundtable theorized that PCI standards will ultimately be enhanced to provide better protection of personally identifiable information, rather than just payment card information. “Things like bank account numbers, social security numbers—all those things don’t have a PCI-level protocol for protection,” he said. “Maybe we should; maybe that’s going to be required in the future.”
Cybersecurity standards may also soon extend beyond debit and credit cards. The treasurer noted that NACHA is currently working on a PCI-like rule set for the ACH network. “That would probably be impactful for our businesses; we all use ACH,” he said. “If we had to protect ACH data the way we protect payment card information, that could be a big project.”
The treasurer said that the Target breach was far more significant for businesses than it was for consumers. “There’s a bit of a trust issue with Target but I don’t think even that is a huge issue for consumers,” he said.

eBay Hack Compromises Unknown Number of Users
E-commerce juggernaut eBay asked users this week to choose new passwords, following the revelation that a recent data breach exposed personal information of an unknown number of eBay’s 145 million customers.
eBay said Wednesday that after conducting “extensive tests” it has found “no evidence” that the breach resulted in unauthorized access to financial or credit card information, which the online retailer said is stored separately in encrypted formats. PayPal data is also stored separately, and PayPal users are not believed to have been affected by this breach.
Hackers compromised a small number of employee log-in credentials, which enabled them to access the retailer’s corporate network, eBay said. Although the attacks took place between late February and early March, eBay said the breach was only detected about two weeks ago.
Customer names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth were all compromised. “However, the database did not contain financial information or other confidential personal information,” eBay said.
Brian Krebs of Krebs on Security advised eBay users to be wary of phishing emails pretending to be eBay or PayPal, requesting that you click on a link to download some bogus security tool. “Attackers are likely to capitalize on this incident to spread malware and to hijack accounts,” he said.