The recent data breaches at Target and Neiman Marcus have retailers on edge. It's something no store wants to happen to it, and at Retail's BIG Show, retail execs and vendors expressed sincere concern over the hacks and over restoring consumer confidence in the aftermath.
FierceRetail sat down with Neal Maguire, senior consultant of investigative response at Verizon, to understand how the recent data breaches happened, what can be done to secure customer data and what precautions every retailer needs to know now.
FierceRetail: Tell me about your role as it relates to security for Verizon's retail business.
Neal Maguire: We're the forensic investigators, so when our customers have a security breach we get brought in to conduct forensic investigations to get an understanding of the scope, magnitude, duration and impact of the security breach and what the attack vectors were that were leveraged by the criminals to get access to sensitive data. We then get an understanding in terms of what the steps are to contain the effects of the breach so that the organization is secure going forward and that data is not exposed to compromise.
FierceRetail: How does something like the breach at Target and Neiman Marcus happen?
Maguire: It depends on the motivation of the criminals behind the attacks and the level of sophistication that they have. A lot of organizations focus on things in terms of advanced persistent threats, nation-state-type activities. But really what organizations need to do is get a better understanding in terms of what type of data they might have within their organization that is sensitive, that might be targeted by a criminal. If they're financially motivated criminals, they'll target credit card data. So organizations really struggle to get an understanding of how that sensitive data is stored, processed and transmitted, or whether they need that data. Is it essential? If not, delete it. If it is, make sure you have the appropriate security protocols around it to make it less vulnerable.
FierceRetail: What has Verizon done to protect customer data?
Maguire: We have the solutions within our security practice that can help organizations, regardless of the line of business they're in, to make sure they have an understanding of what the appropriate security protocols are that need to be in place. From the perspective of the retail base, we're one of the largest QSAs, so we can work with qualified security assessors, approved for payment card security, internally conducting QSA assessments to help organizations achieve and maintain compliance with PCI, make sure those protocols are in place and that data is secure going forward. PCI compliance is essentially a snapshot in time, but retail organizations have an obligation not just to achieve that compliance at that point in time but to remain vigilant on a day-to-day basis going forward in order to ensure that PCI compliance is maintained.
FierceRetail: Target and Neiman have been the big stores to make headlines, but are there breaches we don't hear about? Are these hacks more common than we think?
Maguire: What happens is that there are breaches that take place and organizations are, for a variety of reasons, reluctant to disclose that a breach has taken place. Why is that? It's because of the cost of a breach: the risk to the brand and reputation of the organization, damage to customer data, customer willingness to shop at that organization if there's been a breach, financial risk, litigation risk, regulatory risk. So many organizations, when there is a breach, are reluctant to disclose that they've been victimized. Often, if there's rumor or speculation that there's a breach, or compelling evidence that indicates there's been a breach, a lot of organizations will hire a firm like Verizon to do an investigation and make a determination of whether there's definitive evidence of a breach, and if we find that definitive evidence, then it's a situation where the victim organization will work to comply with notification requirements.
FierceRetail: What can retailers do to restore consumer confidence after a breach?
Maguire: I think it's being transparent in terms of sharing with the customer: acknowledging that there's been a situation that affects them, being transparent that they recognize how important security is, and putting forth a plan of corrective measures, the remediation steps that are being taken to make sure that customer data, not just payment card data but personally identifiable information, is secure, and being transparent in terms of what their objectives are in achieving those goals.
FierceRetail: In your opinion, have Target and Neiman Marcus done that?
Maguire: I can't comment specifically on individual security breaches, but I think overall any organization that stores, processes or transmits payment card data, sensitive data or personally identifiable data has an obligation to secure customer data to maintain that level of trust.