Retailers are sitting on a powder keg called cybersecurity. And there’s no telling when it will blow.
This story first appeared in the October 10, 2014 issue of WWD. Subscribe Today.
For G.H. Bass & Co., it was Thursday.
The company said it “discovered that an unauthorized person had connected a small data capture device to one of the cash registers in its store on International Drive in Orlando [Fla.].” The device recorded information from payment cards, including cardholders’ names, card numbers, expiration dates, verification codes and e-mail addresses, if they were provided.
Just one register was targeted in the attack.
The attack may have been small, but G.H. Bass & Co. is only the latest company to have been hit in what has become a pandemic of cyber attacks. Rarely a week has gone by since last holiday season that one firm or another — from retailing to the financial world — hasn’t been hit by hackers, usually from Eastern Europe.
Like the government snooping on people’s cell phone calls or e-mails, which many consumers simply shrugged off, cyber attacks could be considered part of the background noise of the modern, Internet-connected world.
“Consumers at the end of the day are fully reimbursed for transactions, and because of that, folks are actually being anesthetized to breaches,” said Doug Johnson, vice president, risk management policy at the American Bankers Association. “It’s another week, another breach.”
Target, Neiman Marcus, eBay, Michaels Stores and Home Depot have had high-profile security breaches over the past year. Since banks are responsible for reimbursing consumers if their stolen credit card information is used, most of the damage to retailers has come in the form of bad p.r.
But by this time next year, retailers are going to be held accountable for the first time and on the hook to cover shoppers hurt by fraud. At that time, a voluntary liability shift will take place. Banks are in the process of deploying credit cards with EMV security chips, and it’s expected that 75 percent of cards will contain chips by this time next year. This means that retailers need point-of-sale systems that allow for the chip to be read. Johnson said that if a merchant doesn’t change out its POS system to one that reads credit card chips by next October and an unauthorized transaction occurs, the retailer is responsible.
By 2016, the majority of debit and credit cards will have chips in them and merchants will be moving towards updating their POS systems so they can read those chips (if they haven’t already).
And while some observers may think that consumers aren’t fazed by data breaches, retailers have certainly paid a high price for them. Target’s breach affected up to 70 million consumers while Neiman Marcus’ hit 350,000. (It was originally thought to have hit 1.1 million people.)
Target Corp.’s chairman and chief executive officer Gregg Steinhafel was ultimately ousted in the wake of the cyber attack on his company, after his position was undermined by a series of other missteps. Target’s bill to handle the situation from last Christmas totaled $175 million in the first half, which will be partially offset by expected insurance payments of $46 million.
So retailers should not assume that they are immune to a consumer backlash after a data breach, said Rick Gordon, managing partner at cybersecurity accelerator Mach37, a firm that invests in early-stage cybersecurity products.
“That’s wishful thinking on the part of retailers, but we’ve seen evidence on both sides that it does impact your brand,” he said.
Javelin Strategy & Research reported that 13.1 million consumers suffered from identity fraud in 2013, but that number is going to surpass 70 million this year. Consumer awareness of the problem has resulted in a spike in the valuations of the companies Mach37 invests in.
“There is widespread recognition that the cybersecurity technologies that most large companies use aren’t getting the job done,” he said. “That creates an awareness across the investor community that there is an increasing demand for solutions that work better. That’s creating a market for new innovative technologies.”
Gordon’s firm has made 17 investments since August 2013, including Secure DB and Syncurity. DB helps technophobes store sensitive information in the cloud and Syncurity markets an incident-response software that helps companies manage incidents.
Until the new, higher-security credit cards roll out next year, Tom Litchford, a vice president at the National Retail Federation, said retailers are turning to P2P encryption. With this technology, data is encrypted from the point of swipe, and if and when a breach occurs, the encrypted data is rendered useless.
Credit card companies could attach pin numbers to credit cards to fight fraud — but Litchford said the move could take up to five years and billions of dollars to complete. P2P encryption is seen as a viable solution in the near term for retailers trying to protect consumer data.
For now, the retail industry has been able to treat the security as a sideshow to their fast-growing e-commerce businesses.
“If there are not extreme consequences, the status quo doesn’t change,” Colin Gilbert, a cybersecurity expert at New York University’s think tank Luxury Lab, or L2, told WWD. “[There’s] no sense of urgency until cost in damages meet or exceed the cost required to fix the system.”
Gilbert noted that about half of the 10 biggest security breaches this year have occurred within the retail space. But will a consumer decide not to buy from Home Depot because of its breach? Gilbert said no.
He doesn’t believe it will affect the online holiday shopping season either, where people are expected to buy from their favorite e-tailers in droves.
“Consumers will not change their patterns based on who was the last to get hit,” Gilbert said. “But it’s a very different profile if you’re choosing who manages your money, savings and loans.”
He added: “Retailers are becoming a much more common victim of these types of attacks.”
That’s because they have the data the criminals want and, at least in many cases, have weak IT structures that offer the path of least resistance.