Retailers trail on hacker defenses

Attackers savvy, spry, report says

Recent cyberattacks on Target Corp. and Neiman Marcus have the retail industry searching for ways to strengthen safeguards protecting consumer data gathered during in-store and online transactions.

But defenses against cybercrimes are lagging behind increasingly sophisticated hacking tactics, which allow more and more stolen data to be sold on black markets and leave retailers and other businesses vulnerable to attacks, according to a new report.

“It’s a lot easier to be an attacker than a defender,” said Lily Ablon, a researcher at Rand Corp. and lead author of the report.

The black market for hacking tools and byproducts, such as stolen credit card numbers, is expanding, becoming more organized and creating an even greater threat to businesses and governments, according to the study, which was based on interviews with cybersecurity experts, including law enforcement officials and researchers.

Hackers active in digital data black markets focus on everything from stealing credit-card data and online account information to intellectual-property theft, Ablon said.

Large companies - such as Arkansas retailers Wal-Mart and Dillard’s Inc. - that likely have systems managing and protecting their customer data and transactions are susceptible to breaches, analysts said.

“You have organized crime affecting these hacks,” said Cathy Hotka, an information-technology and marketing consultant in the retail industry. “It’s difficult for a company whose core [businesses] are in merchandising and selling to be data experts.”

Julie Bull, spokesman for Dillard’s, declined to comment on how the department store protects transactions and data.

Brooke Buchanan, a spokesman for Wal-Mart, said she could not go into specifics about how the company protects its transactions and data, but said Wal-Mart has many programs in place to keep customer information secure.

“Our goal is to protect any transaction that happens at Wal-Mart or Sam’s,” she said.

Analysts said many retailers are already taking steps to protect data, such as encrypting it, but the recent cyberattacks have shown they might have unaccounted-for vulnerabilities.

“Most of the really big organizations like Target and Wal-Mart have whole security departments who have very highly skilled and trained individuals … who are responsible for managing security systems,” said Leslie Hand, research director for IDC Retail Insights, an information-technology consulting company.

That’s because retailers also are storing more purchasing data than ever before so they can use the information to craft advertisements to send to specific shoppers, she said.

“The fact that they are storing more data just makes it even more important that they are protecting it,” Hand said.

The rise in computer crimes in recent years has started to place strains on chief information officers at many companies.

Hackers breached Target in December and stole 40 million debit- and credit-card numbers, along with the personal information of at least 70 million people.

And then Neiman Marcus said malicious software that was installed on its system potentially collected payment card data from about 350,000 customers from July to October.

Since these attacks, both companies have changed their approach to data security, and information executives have found themselves under more scrutiny. But personnel changes have occurred as well, such as the resignation last month of Beth Jacob, who served as Target’s chief information officer since 2008.

Hand said retailers are expected to spend about $1.8 billion on security this year.

“I think a lot of [retailers] think they have done good things and they think they might be prepared,” Hotka said. “But the Target breach showed us that even companies that are doing a lot of things right can be vulnerable.”

After Target was breached and hackers stole payment card data belonging to millions of customers, some of the data appeared on black market websites within days of the attack, according to the study by Rand.

Online black markets for digital data, which used to be exclusive and difficult to find, are now more organized and are easier for people, especially buyers, to access, Ablon said.

“Basically it is possible for bad guys to get their hands on military grade hacking tools for not that much money,” Hotka said.

Hotka said she has spoken to several chief information officers in the retail industry who are thinking of going to cloud-based security systems to store data.

“Instead of having an in-house person who may run up against the data breach,” she said. “They would have their data protected by professionals all day long.”

And because of all the new ways people use technology to share information, retailers are going to have to constantly update the security systems they use to manage data, Hotka said.

“There’s always a new tool; there’s always something else,” she said. “It’s never time to relax and say, ‘Here, we fixed that.’ ”

Business, Pages 23 on 04/07/2014
