Target announced last week that credit card information from 40 million of their customers had been stolen. This will have negative consequences for all parties involved for months to come.
This security breach included not only debit/credit card numbers but also their expiration dates, the security codes (CVV) and the customer names. After the security lapse was detected, it was also confirmed that several of the card accounts taken had already been sold and used; it hit pretty close to home here in Central Ohio.
According to TechCrunch, Target could be looking at a fine of $90 for each cardholder with data that was compromised. If you do the math, that’s $3.6 billion. That does not include the numerous lawsuits, money spent to revamp internal security measures, suspensions by credit card merchants, and more. This was also in violation of privacy regulations, which is sure to get attention from governing bodies (PCI DSS in particular).
Even worse for Target, The Wall Street Journal reports the number of transactions at Target during this past weekend has slipped 3% to 4% compared to this time last year. This, during the busiest shopping time of the year, won’t be good news for Target shareholders.
JPMorgan Chase released a statement to its customers on Saturday regarding impending limitations on their accounts due to the Target breach. Each customer will be limited to $100 in cash withdrawals and $300 in total debit/credit card purchases per day. These limitations will apply to roughly 2 million customers, around 10% of JPMorgan Chase's current customer base. So, on top of their credit information being leaked, they will also not be able to use their cards as usual during the biggest spending time of the year.
JPMorgan Chase has not given a firm time frame on how long they plan to uphold the restrictions. However, they have put plans into place to allow more than $100 withdrawals at banking facilities, and they will be issuing new cards to all those put at risk in the coming weeks.
Credit cards issued in Europe and other parts of the world use an encrypted microchip to avoid these types of situations. These cards have been in use for several years and the U.S. is simply behind the times. The magnetic strip that we still use in the U.S. makes copying data at the transaction point much easier.
This data breach occurred at the credit card and Point of Sale (POS) level but could just as easily have occurred from data at rest. That same data can be stored on retired POS machines, failed or replaced server hard drives, and backup tapes. All it would take is a few of those to go missing from a data center, or an IT storage room, and you could be looking at a very similar situation. In fact, more data breaches occur due to data at rest (stolen laptops, hard drives, backup tapes, USB drives, etc.) than due to network intrusions. It is imperative that data vulnerability be addressed from the creation of data to its end point.