Another major retailer hit by data breach: Does anyone care?
We remember that a mere few months ago, we would check every day for data breach news, and feel emotions of both alarm and excitement when a recognizable brand stepped up onto the podium of shame. It would be a “stop the presses!” type of fluster, and we would examine the breach from every possible angle, in an effort to understand how it happened and what new lessons can be learned this time round.
However, when we started our week off, someone casually mentioned in an offhand way that Kmart just got breached, and the feeling was emotionless. We’re reasonably certain it has nothing to do with the fact that we’re slowly becoming a more jaded and bitter adult, either. Large breaches are happening over and over again, and it’s happening so routinely that it’s only marginally more interesting than watching yet another iPhone 6 unboxing video on YouTube.
Let’s just break down the Kmart hack facts real quick: just like its data breach brothers Target and Home Depot, Kmart was breached via malware. The retailer reported that the breach started in early September and was promptly plugged, but not before debit and credit card numbers were stolen.
Kmart also established that no personal information, debit card PIN numbers, email addresses or social security numbers were obtained by the hackers. In addition, there is no evidence that kmart.com customers were impacted.
While no figures have been announced on how many credit and debit cards have been compromised, it’s unlikely the losses are going to be as big as Home Depot’s 56 million card breach, which went undetected for 4 months.
None of that feels particularly sensational, and we’re not the only ones losing interest in data breach news, either. A new study from YouGov BrandIndex shows that while data breaches are getting bigger and badder, consumers are caring less and less.
YouGov BrandIndex measured Target, Home Depot, and JPMorgan Chase, three large corporations which suffered huge data breaches within the last 10 months, on a Buzz score. The way the Buzz score works is that respondents were asked if they heard anything negative or positive about the brand within the last two weeks. A negative score meant respondents heard mostly bad things about the brand, and that the brand had an overall negative public perception. 100 is the best possible score, and -100 is the absolute worst.
Target, which was hacked in December 2013 in a breach that affected 40 million customers, dropped 49 Buzz points from 20 to -29 in only 8 days.
This year, when Home Depot lost the data of 56 million credit card customers, their Buzz score dropped only 16 points from 22 to 6 in 10 days. And when JPMorgan Chase announced their 76 million household-affecting breach, their score only dipped 13 from a 6 to -7.
Not only are the scores dropping significantly less with each big breach, but the post-breach Buzz score recovery rate is improving as well.
Maybe each company is learning from their predecessor and handling data breach PR more effectively. Maybe many of the affected customers are breach veterans, and they’re adopting the “Keep Calm” meme mentality. Maybe everyone is just getting used to the fact that companies are not capable of protecting their sensitive data. Or it may very well be a combination of all of the above.
The last point is especially worrying, though. Kmart’s press release stated that their store payment data systems were infected with a form of malware that was undetectable by current anti-virus systems. We’re not doubting the legitimacy of that statement at all, but would like to highlight how sad a fact it is that hackers have a technological advantage over the good guys. You don’t hear about criminals with DNA that can’t be detected by crime scene forensic experts, or anti-terrorist groups with less firepower than the terrorists they combat.
Good guys are supposed to have more power, because there are more of us, and we have access to better resources. It brings to mind the scene in Iron Man where Obadiah Stane berates a scientist for not being able to build something Tony Stark could while in a cave with nothing more than a box of scraps.
One important thing to note, though, is that regardless of public perception towards data breaches, they are significantly more expensive to clean up after than to prevent. Here are the latest American figures for data breach costs in 2013 as reported in the Ponemon 2014 Cost of Data Breach Study:
Cost category | Cost (US$) |
Average notification | 509,237 |
Average detection and escalation | 417,700 |
Average post data breach costs | 1,599,996 |
Average lost business costs | 3,324,959 |
Total | 5,851,892 |
Note the word average - in the case of these larger breaches the costs are typically higher, with Target having spent $148 million USD to date.
While public perception affects the lost business costs, it has no bearing on the notification, detection and escalation, or post data breach costs. So even if it’s true that the public doesn’t care much if you get breached, you’re still losing millions.
Even if data breaches are an inevitability, there are two factors you can control, namely your security team’s response time, and the number of records stolen. While it can take months or years to build a strong data security team, securing data records can be done relatively easily. By encrypting or removing your customers’ sensitive data on your systems (which you should not be storing in the first place, according to international data privacy laws), you are leaving nothing for hackers to steal.
Ground Labs’ Data Recon data discovery tool was developed to help you do just that. It searches every corner of your computer system for all kinds of sensitive information, from credit card numbers to personal healthcare information. Once found, you can delete, encrypt, move or mask the data to make the records essentially worthless to hackers. It’s the easiest and safest way to process sensitive customer data.
Take Enterprise Recon for a spin today, and find out how simple safeguarding sensitive customer information can be.