Why are there so many data breaches?

and what to do about it.

travis abrams
Feb 12, 2014

We recently saw another data breach announced by Target. It seems as if 40 million credit and debit cards were exposed, and this is just one more in a rash of data breaches. In July, Harbor Freight was notified by several credit card companies that it may have been breached, and Michaels Stores recently announced a data breach.

Target will recover and is unlikely to suffer any long-term consequences due to this data breach. TJX was breached in 2007 and lost more credit card data (94 million) than Target. The TJX brand of stores has suffered little and the company's stock has since performed well.

Now, Target will have to pay dearly for this data breach. There will be the cost of the investigation, the cost of notification to consumers and the many lawsuits already being filed. The lawyers will find something that Target failed to do or an area where they made a mistake. This is not because Target did not care or did not try to protect the data, but because protecting it has become virtually impossible.

Most experts agree that retailers and the “good guys” are losing the battle against the cyber-criminals. One of the reasons we are losing this battle is that the credit card system is antiquated and virtually impossible to secure. Over 130 countries, including Canada, Mexico and the UK, have switched their payment systems to chip and PIN credit cards, but the United States is behind in implementing this technology (Target attempted to implement this technology several years ago but abandoned the project).

A chip card contains a microchip that makes duplicating or counterfeiting the credit card virtually impossible. Preventing duplication of credit cards removes one of the primary sources of income for the criminals.

Once a data theft has occurred, the credit card numbers are sold on websites to individuals who use blank credit cards to create counterfeit cards. These cards are then used in physical stores to purchase goods, which are either sold online or kept.

The other reason we continue to see these data breaches is that companies are using an outdated model to protect their IT systems. Companies tend to focus solely on passing the next audit and not on properly securing their environments. They rely on point solutions to protect against specific threats, and over time they end up with so many different and disparate solutions deployed that they cannot effectively secure their environments.

I have worked in IT and security for over 15 years and I spend a lot of time with different organizations. They want to do better, but with a combination of a flawed financial system and not enough resources to properly focus on implementing security and not just compliance, it has become an impossible task.

I can only hope that Visa and Mastercard will truly support the chip and PIN technology. This could reduce the requirements that organizations have to meet to be compliant because the underlying technology will be more secure. This could allow organizations to focus more on security and less on compliance.

travis abrams

Husband, Father, Information Security guy, IPS specialist, History buff, Student of Entrepreneurship.