Data breaches can happen to anyone. One just happened to Target, which announced that data involving some 40 million credit cards had been accessed. What really matters is how a company handles a breach.
Overall, Target seems to have handled things as well as most other companies in the same tough spot. That said, it has nonetheless taken a serious breach and cynically tried to turn it into an opportunity for profit. It's not the first company to do this, but let's hope it's the last.
On Friday, Target CEO Gregg Steinhafel announced a "Data Breach Sale," encouraging people to come back to Target, spend more money and give up more payment information. There are two things that make me call this cynical. First, a 10%-off sale, running on Dec. 21 and Dec. 22 (the Saturday and Sunday before Christmas), seems like something a savvy retailer like Target might have already planned to do, with or without a headline-grabbing data breach. Second, what does this do for the actual victims of the breach? They get the privilege of paying a mere 90% of the marked price if they shopped at Target this weekend, but so did everyone else.
Steinhafel's rationale? He said the universal discount was in the "spirit" of "we're in this together."
Keeping Christmas merry for Chase
When credit or debit card numbers are accessed by thieves, the typical procedure, for quite a few years, has been to shut down the affected cards and immediately issue new ones to the cardholders. Thieves know that once a breach has been discovered, they may have as little as an hour before the card data becomes worthless. That's why they use lots of accomplices to make simultaneous purchases and withdrawals, so they can monetize the stolen data while it's still worth something.
But that standard procedure has been radically modified in the case of the Target breach. JPMorgan Chase on Saturday announced that it would limit affected Chase debit cardholders to $100 in cash withdrawals and $300 in total purchases per day. Why limit the cards instead of shutting them down? It's all about the calendar.
Bankers know that for retailers (and by extension, for bankers themselves), any day in December is generally worth far more than any day in March or June. If Chase took the normal path of shutting down those millions of affected cards, the cardholders would have to finish up their Christmas shopping using other payment methods, as they wait anywhere from two days to a week for the replacement card to arrive. Does Chase want to be shut out from its share of so many last-minute holiday purchases? Apparently not, and so it decided to allow some purchasing to go ahead, while putting a limit on the absolute total loss it could suffer through fraud.
I'm expecting that come Christmas Day, when the nation's cash registers have stopped smoking, Chase will indeed reissue the cards.
The sheer volume of the Target attack could be another factor in the decision. Target said that some 40 million cardholders were affected, and Chase puts its share of those at over 2 million. That's a lot, and historically, data breach numbers have risen after their initial announcement. The process of reissuing so many cards is daunting and may have given Chase an incentive to hold off a bit.
Then there's the honeypot theory. One Chase fraud customer service employee was willing to speculate that the bank hopes that its card downgrade will serve as an after-the-fact honeypot. By publicly saying that Chase will keep these accounts open, this theory argues, the bank may be trying to lure the thieves into risking stolen-data monetization beyond the usual one or two hours.
This would be highly risky for the thieves and, given the sophistication and coordination of the attack, it seems unlikely they would fall for it. With stores on high alert for anyone using the stolen data, security personnel would be poised to immediately detain anyone using such data. ATMs would be only minutely safer. On the other hand, not shutting down the cards allows scams like this location-sorted cardholder routine to work.
Is Chase's decision too big a security risk? Perhaps, but it may not be alone -- and it may not even be the biggest risk-taker. CNBC reported that Citibank "was also imposing limits on debit cards for affected customers if it sees suspicious activity, though the extent of those limits was not immediately clear." Wait a second. This is an order of magnitude riskier, if true.
When a major retail data breach happens, the list of affected card data should include everyone whose data was accessible to -- not necessarily accessed by -- the thieves. Think of it this way: If a thief has broken into a room filled with unlocked file cabinets, the only safe assumption is that the thief might have accessed each and every file there.
What Chase is doing is limiting the access of everyone whose data might have been touched. The CNBC report suggests that Citibank is doing nothing until there's some evidence that a customer's data is being used illegally. And then, despite that evidence, Citibank is just going to impose limits on the card, not shut it down. That's positively reckless. If there is any vertical that respects security policies and their rationale, it's banks. When a bank is willing to keep a security risk open deliberately to try and preserve revenue, you could say that it has internalized one version of the holiday spirit: profit at all costs. Or maybe Chase and Citibank executives are just hoping the thieves don't want to work the holidays any more than they do.
Yes, except that the actual victims were definitely in it more than those people who didn't have their payment information compromised. How about doing something for the victims that they might actually appreciate -- like giving them partial refunds for what they had bought at Target when their data entered its soon-to-be-attacked systems.
Note to Target: When you screw up and fail to protect tens of millions of your customers, trying to use that screw-up as an upsell opportunity is not going to make customers trust you more.
A few other unsolicited tips for handling the breach aftermath:
We'll trust you when you show you can be trusted. Target, if you are going to announce that "the issue has been identified and eliminated," you should probably back that statement up with some facts. You offered zero details to back up either claim, so it was pretty much saying, "Trust me." That's exactly what those 40 million shoppers did when they used their payment cards in your stores, so you'll forgive them if they're hesitant right now to do it again.
If the issue has indeed been both "identified and eliminated," why not get specific? No need to go chapter and verse on every keystroke used, but a healthy heaping of details would go a long way toward convincing people that you've truly plugged the hole. The bad guys certainly already know where the hole was, and if you've truly plugged the hole, there's no security risk involved in telling others. Hold back a few details if you must, but by saying, "We've figured it all out and our system is now fine. Just fine. Nothing to see here. Just go back to giving us your money," you're really giving people reason to be even more suspicious.
You know, don't you, that we can see you trying to turn this into an opportunity? You announced that you would be sending emails to impacted shoppers this weekend. But your marketing never misses an opportunity to leverage a disaster. The statement said you would contact "those guests whose E-mails we have," which is a subtle plea for more shoppers to give you their email addresses. Nice try, guys, but your self-interest is showing.
Just because you don't know whether something happened doesn't mean that it didn't happen. "At this time," according to a Q&A posted on your site, "there is no indication that there has been any impact to PIN numbers. What this means is their bank PIN debit card or Target debit card still has this additional layer of protection. It also means that someone cannot visit an ATM with a fraudulent card and withdraw cash." This raises a rant, and a mini-rant.
Rant: Having "no indication" of any PIN impact is certainly different from saying, "We are now convinced that the thieves did not access any PINs." "No indication" simply means you don't know yet. That "what this means" in the statement is highly deceptive. Because if you have "no indication" yet that PINs were impacted, then you cannot be sure that the accessed debit cards still have that "additional layer of protection." And if you have "no indication" yet, then you also can't say for sure that "someone cannot visit an ATM with a fraudulent card and withdraw cash." It's not known yet. I'm sure your PR people will parse the statement differently, perhaps trying to argue that "what this means" simply introduces an explanation of what it would mean if indeed PINs weren't compromised. Another nice try, guys.
The point is that precision in these statements is critical if you're trying to rebuild trust.
Mini-rant: The lack of precision shows up in subtle ways. "PIN" stands for "personal identification number." To say "PIN numbers" is to be redundant. The reason I make note of this is because I know that IT people are bothered by that sort of redundancy, or failure to understand what an acronym actually stands for. One Target IT person, for example, told me that saying "PIN number" is "like people saying they'll put a NIC card in their PC computer just after they take cash out of the ATM machine." (If you don't get the point: NIC stands for network interface CARD, PC for personal COMPUTER, and ATM for automatic teller MACHINE.) The point is that if Target's statement issuers are sloppy enough to say "PIN numbers," they're giving you a clue that the statements they're issuing were hastily thrown together, with little time to reflect on what exactly they say.
It takes chutzpa to clarify one of your earlier slipshod statements in a way that makes it sound like you're correcting someone else. Friday's statement said, "The CVV data that may have been impacted was data in the magnetic strip and NOT the three or four-digit code visible on the card that guests use that would allow someone to make an online purchase." (Emphasis is Target's.)
Thanks for that clarification. Now, where, I wonder, would people have gotten the false impression that the three-digit code visible on the back of payment cards had been taken? Oh yes, that bit of incorrect data was in the original statement that you put out on Thursday. Someone wrote in parentheses in that statement that CVV meant the three digits on the back of the card. That statement was up for several hours before it was magically edited, making the parenthetical statement disappear.
An error like that is bound to happen when a team is responding to a crisis. I'm forgiving of that. But to clarify things without owning up that you are clarifying one of your own statements? That takes guts.
Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek and eWeek. Evan can be reached at email@example.com. Look for his column every Tuesday.
Read more about security in Computerworld's Security Topic Center.