Industry Transformers: Cyber Security
2015 will be a very exciting year for CSG’s prestigious content writers and industry experts.
This year, our editors have unanimously agreed on a select collection of topics. Industry Transformers will highlight companies and executives who have managed to stay relevant in this ever-changing environment. They will outline how businesses and people must evolve, adapt, and transform in order to become top leaders in the marketplace.
Enjoy our second topic: Cyber Security
Apparel & Department Store Retailers
Neiman Marcus Group’s networks were breached in 2013. The Neiman Marcus Group, which owns Neiman Marcus and Bergdorf Goodman, has said it was not aware of the data theft until mid-December 2013. It was later determined that the intrusion had been active from mid-July through October 2013, meaning the attackers had roughly three months of access before detection. The Dallas, Texas based high-end retail chain was quick to inform customers and continued to post updates on its website during the investigation.
The number of potentially affected payment cards was put at approximately 350,000. Approximately 9,200 of those were subsequently used fraudulently elsewhere. The investigation uncovered no evidence that the intrusion affected customers who shopped online, and there was no fraudulent activity on Neiman Marcus or Bergdorf Goodman private label cards. Unless a private label card is used, retailers do not always hold direct contact information for customers, which makes it harder to isolate and notify the specific individuals who are affected. This has been a concern for other retailers as well.
The Neiman Marcus Group continues to offer high-quality goods and is known for exceptional customer service. Over a year after the data breach was discovered and announced, Neiman Marcus launched its own mobile payment system, integrating payment technology into its already successful store app. The NM Mobile Wallet is the first deployment of a mobile wallet capability created specifically for a retail card partner, enabling customers to make in-store purchases at Neiman Marcus Group stores quickly and easily without presenting their physical credit card.
Discount, Dollar, & Hardware Retailers
Over and Under the Radar
Many in the know say that companies which haven’t been hacked yet simply have yet to discover the crime.
The now infamous credit card security breach at Target was recently estimated to have cost the retailer between approximately $162 million and $191 million, thus far. The catastrophe cost several high-ranking Target executives their positions, including company CIO Beth Jacob, who had held the post since 2008. As announced in a statement by then under-fire CEO Gregg Steinhafel, Jacob ‘resigned’ just under a year ago. Steinhafel himself resigned two months later.
Here, it is likely that other factors contributed to this CEO’s ouster, including the company’s ultimately disastrous landing in Canada. Certainly, counting breach losses in the hundreds of millions had to be a factor. In fact, with Steinhafel’s departure, a number of articles appeared declaring that while the CIO position had previously been thought to sit at the top of any breach-endangered hit list, the executive ante had now risen in the wake of this cyber attack.
The amount of customer confidence lost is more difficult to approximate. However, the ultimate damage does appear to have been minimized by Target’s concerted, media-based appeal to the public and to the respective credit card companies. This sought to proactively help all concerned understand the relative ‘normality’ of the situation, in light of the rapidly expanding complexities of Internet security and internationally based cyber-criminal activity.
Soon after the Target breach was announced, a call to most credit card companies was greeted by an automated explanation of the breach and of the many costly services being explicitly offered, free of charge, to prevent further damage to affected individuals. At the top of most lists were Target-sponsored identity protection services.
Since the Target breach, there have been numerous corporate hacking intrusions, most notably at Home Depot and Sony, though the latter was largely limited to internal employee emails and data. While the Home Depot breach is ultimately expected to be even larger in scope than Target’s, the hit to Home Depot’s reputation is thought to be considerably smaller, due to a numbness factor after the extraordinary efforts Target made to explain the increasing commonality of these events.
On January 29 of this year, insurance giant Anthem, Inc. discovered that cyber attackers had gained access to its IT systems and had obtained personal information of both current and former customers, as well as employees. The attack is believed to have stolen data on over 80 million unsuspecting souls.
Shortly after the Anthem hack became the lead story on most national news broadcasts, casual calls to major credit card companies offered virtually no introductory warnings as to the dimensions or ramifications of the hack, or its consequences. Unlike the aftermath of the Target breach, alarm here was merely minimized. Even after a week, few bankers had much to say about problems engendered by the Anthem attack.
On Friday, February 20th, current and former Anthem clients received a four-page, unsigned email from the insurer. It was titled “Important message from Anthem, Inc.” and covered the basics of the breach, noted three fraud prevention tips and offered two no-cost identity protection services. Here one must wonder why the personal data of former clients had not been removed from general accessibility on Anthem’s systems, or at least segregated from the live customer data, especially at this time of heightened risk from hackers; data that is no longer needed for an active relationship cannot be stolen if it is no longer kept.
For a number of recipients, this document arrived at 4:41 PM, late on a Friday afternoon. This is typically the time when entities, from political parties to troubled corporations, tend to issue notices of unpleasant news which they are reluctant to release. The hope is that, since most people, including prominent members of the press, are gladly leaving work for the week, the story will engender minimal readership, publicity and impact.
Even recently, results and assessments of the Target breach continue to make news. The fiscal cost continues to evolve. The loss of goodwill and customer confidence however seems to have been minimized, due in large part to Target’s strongly proactive approach to the crisis, in conjunction with many financial institutions.
The Target crisis does appear to have raised the level of executive culpability expected by the public and the media for such dynamic, far-reaching crises. Much of Target’s financial loss from the crisis derived from the cost of implementing credit fixes and preventative measures for affected clientele.
Does an unsigned, benignly titled email, arriving at an odd hour, indicate high-level executive worry at an insurance giant? Are those remediation costs being avoided? Time should tell.
Drug Store & HBC Chains
Exactly one year ago, Sally Beauty Holdings first issued a statement that its systems had ‘detected an unauthorized attempted intrusion’ into its network. The company acknowledged that ‘fewer than 25,000 records containing card present (track 2) payment card data may have been illegally accessed on our system. As a result of the continuing investigation, we now understand that a larger number of additional records containing payment card data may have been illegally accessed and removed from our systems.’ However, Sally declined to speculate on the total scope of the incident at that time. Track 2 is the magnetic-stripe data read at the register, so its theft points to card-present (in-store) transactions rather than online orders.
A couple of weeks after acknowledging the breach, Sally announced that it would offer any potentially affected customer one free year of credit monitoring and identity theft protection, a proactive move that was received fairly well in the industry. Subsequently, the company pumped hundreds of millions of dollars into cyber security efforts, as well as into its investigation of the original breach. Yet this announcement remains Sally’s last formal update on the website to which it has been directing potentially affected consumers. It states: ‘As we have said previously, we will not speculate on the scope of our recent data security incident until the forensic review progresses because experience with such incidents at other retailers has taught that it is difficult to ascertain the extent of a data breach incident until the required forensic review is complete.’
It appears that Sally has learned from the missteps of previous retailers and is performing a diligent review prior to releasing the full scope of the damage. With a year gone by since the first announcement (and the end of some customers’ free credit monitoring), the public should be due for an updated response very soon.
Grocery & C-Store Chains
In 2011, Supermarket News ran a story called “Retailers Overconfident About Cyber Crime: Report”. It discussed the finding that more than 70% of retail and consumer executives felt very or somewhat confident that their information security practices were effective. Fast forward to 2015, and CNN Money reports that in the last year almost half of all American adults have had personal information exposed by hackers, equating to more than 432 million accounts.
Supermarkets such as Raley’s, Bashas’, Schnucks, Supervalu, and Albertsons have all reported some type of security breach. Just this week it was reported that Natural Grocers by Vitamin Cottage is investigating a “potential data security incident.” While there have been no reports of fraud, and no codes were accessed, the company has hired a third-party data forensics firm to investigate. The company says that while the investigation is ongoing, it plans to accelerate its update of all of its POS systems and to install new PIN pads that accept chip-and-PIN cards.
While these companies learned the hard way about cyber security and fraud, companies like Kroger and Publix are taking a more preventative approach. Kroger is among the many companies working with the National Association of Federal Credit Unions, which is promoting the adoption of card readers with the more secure EMV chip technology. Publix has already started installing new card readers in all of its stores and also accepts Apple Pay.
The problem with these attacks is that once one happens, not only has customers’ information been breached, but the company’s reputation also suffers. As a result, many companies that do nothing to prevent fraud, or merely “have plans to in the future,” almost seem to operate on the mentality of “it’s better to ask for forgiveness.” At the end of the day, customers have only so many options when it comes to controlling how they pay, where they shop, or what happens to their credit card information. Customers put their trust in the company when they shop there, and it is therefore the company’s responsibility to do everything it can to keep that trust and to keep customers’ information safe.
Chick-fil-A: The Cows Did It
On farms across America, cows are secretly setting up barns full of computers and other digital devices in order to hack into Chick-fil-A’s security system which houses the information of its chicken-hungry customers. Many sources say that there have been reports of “unusual activity” on customer credit and debit cards – all of which have a connection to Chick-fil-A.
It wasn’t until December 19, 2014, that Chick-fil-A received the initial report of “limited suspicious payment card activity” at “a few of [their] restaurants.” The company immediately launched an investigation and began working with leading IT security firms, law enforcement, and its payment industry contacts. Chick-fil-A even posted a page on the company’s website specifically devoted to the investigation.
According to Brian Krebs, founder of the KrebsOnSecurity website, “the bulk of the fraud seemed concentrated at locations in GA, MD, PA, TX, and VA.” Krebs also suspected that the Chick-fil-A restaurants impacted were franchised locations that potentially share an outsourced point-of-sale system.
While the investigation is still ongoing, Chick-fil-A remains transparent and devoted to its loyal customers, stating that “if the investigation reveals that a breach has occurred, customers will not be liable for any fraudulent charges to their accounts – any fraudulent charges will be the responsibility of either Chick-fil-A or the bank that issued the card. If our customers are impacted, we will arrange for free identity protection services, including credit monitoring.”
For now, farmers are urged to report any suspicious activity occurring on their farms. For everyone else, they are encouraged to “Eat Mor Chikin.”