Krebs on Security, Target and why retailers need a better response to data breaches

Blogger Brian Krebs is responsible for breaking many a story about cybercrime, including Target's (NYSE:TGT) massive data breach in late 2013, which exposed the payment card data of some 40 million shoppers and the personal information (names, addresses, phone numbers and email addresses) of up to 70 million more. But more than anything, he believes that retailers need to fundamentally change the way they respond to breaches.

When Krebs learned that a flood of card numbers tied to Target purchases had gone up for sale on underground carding shops, he alerted the retailer about the activity and then broke the story on his blog, he told National Public Radio's Terry Gross.

Today, the story of how attackers used network credentials stolen from an outside HVAC contractor to get into Target's network and push malware to its point-of-sale registers is well established. But Target's slow response, and its offer to soothe shoppers with a year of free credit monitoring, remain open to criticism.

For his part, Krebs attributes Target's slow response to something less sinister than a cover-up or outright ineptitude.

"At a very basic level, retail is an industry that has traditionally been focused on physical security, not cyber security," said Krebs. "They are in the business of customer service, not security. So it takes them a while to figure things out."

For Target, that timeline was longer than it should have been in the eyes of both industry insiders and Congress, which has been investigating retail security practices. But the bigger threat to consumers, Krebs believes, comes from the data aggregators, the very companies consumers are told to trust with their personal information.

Companies such as Experian, TransUnion and Equifax collect consumer data and then sell it to marketers, advertisers and law enforcement. That data is vulnerable too: as Krebs has reported, a man posing as a private investigator was able to buy consumer records in bulk through a data broker owned by Experian.

And it's to Experian and its peers that retailers have turned to help minimize the damage done by breaches, offering shoppers a year's worth of identity theft monitoring to ease their fears. But identity theft isn't the issue. Credit monitoring watches for new accounts opened in a victim's name; it does nothing to detect fraudulent charges on the existing cards a retail breach actually exposes, and these companies don't monitor payment card fraud at all.

Essentially, what Target and other retailers have done is pay for millions of shoppers to willingly hand data brokers even more of their personal information in order to enroll, putting them at greater risk, not less.

"That is the default response when companies have a data breach today, and that has to change," he said. "It's insulting."

Brick and mortar retailers will remain vulnerable to breaches thanks to large installed bases of point-of-sale equipment that is rarely updated once deployed. "Once they have a system set up and working, they never touch it again," he said. "It's surprising how common this is and how much these organizations are vulnerable. I feel safer shopping online than in a Main Street store, because they are getting compromised right and left."

For more:
-Listen to the NPR interview 
-Read this NPR story