LAS VEGAS -- Five years after the Target data breach, massive hacks continue to plague retailers—and more importantly, their customers. In recent weeks, we've seen Sears, Panera Bread, Under Armour and the Hudson's Bay Co. (which includes Saks Fifth Avenue, Saks Off Fifth and Lord & Taylor) all get hit. Tuesday afternoon at ETA Transact, experts provided retailers with some key tips on how to avoid winding up like these companies.
Larry Brennan, senior vice president of merchant data security and cybersecurity director for Bank of America Merchant Services, noted that he sat on a panel about 10 years ago at an event and the only major retail data breach at the time was one at TJ Maxx. Since that time, data breaches have skyrocketed. And the problem? Someone was negligent.
“To this date, we’ve never had a client who is PCI compliant that’s had a data breach,” he said. “Think about that. That’s all of these breaches over the past 10 years—and you only see the ones that hit the newspapers. I can tell you, we’ve dealt with about 200 to 300 investigations for all the smaller clients that will never make CNN or ABC. But the commonality we see out there is very simple. It’s that person in the office that clicks on a phishing email or a website they shouldn’t be on, and someone is able to get their credentials. It’s the person sitting behind the computer who is the weakest link.”
Keys to security
Moderator Don Brooks, senior enterprise engineer for Trustwave, noted that merchants need to avoid “candy bar security”, i.e., having a “hard, crunchy shell” around their data but a “soft, gooey center.” He asked the panel what they view to be the keys for retailers to prevent massive data breaches in the future.
Marc Punzirudu, director of security consulting services for ControlScan, responded that it largely depends on the type of merchant; smaller retailers may not have the staff to support a full security department. Those retailers should then seek out strategic partners that can manage security on their behalf, rather than rely on one or two people in-house to take care of everything.
As for the “bigger fish,” Punzirudu said that stepping up security needs to come from the top. Fortunately, he sees that happening. “It’s starting to get more board-level visibility,” he said. “C-level executives are starting to ask the right questions. ‘What are you doing to protect us from a breach? What are you doing in case this happens?’ These are questions that, three or four years ago, just weren’t getting asked.”
Gary Glover, vice president of assessments for SecurityMetrics, advised retailers to stop looking for an “easy button” to solve data breaches. He noted that many merchants look for a piece of hardware or software to solve the problem. “But there isn’t,” he said. “Some of the solutions don’t cost much; it’s processes. It’s procedures. It’s figuring out who is really looking at your remote access. Who is really doing your internal scans? Who is really configuring your network to try and keep people out of certain zones? We’re still seeing all kinds of architecture mistakes.”
For example, Glover still sees store locations for large retailers that are connected to each other and to the corporate headquarters. “They don’t necessarily need to be, because their transactions go directly out to the bank,” he said. “But somebody wants something from the data, so they just hook everything up back to corporate. Some of these things are just simple basics.”
Brennan advised retailers to do their due diligence and make sure they are following PCI requirements. He noted that the recent breach of credit bureau Equifax was a simple case of a company being lax. “It was just patch management,” he said. “Had they just done patch management—it’s not hard—we wouldn’t have had that breach. We’ve all probably had our credit card data compromised; you get a new card, and it’s no big deal. But Equifax—they have my date of birth, my address and my Social Security number. I can’t change how old I am or my SSN.”