When Hit With A Major Data Breach, Retailers Should Use The Buddy System

There's a very old joke that when swimmers are about to go into shark-infested waters, they should always swim with a buddy. If a shark attacks, feed him your buddy. Retailers today, swimming in cyberthief-infested wireless zones, are discovering that a similar guideline plays out when there is an attack against a large number of retailers, such as what happened with TJX, Hannaford, 7-Eleven and others in the Gonzalez cases.

In that instance, some 17 retailers were victimized, including at least one that has yet to be identified. The identified victim list is Target, J.C. Penney, TJX, BJ’s Wholesale, Boston Market, Sports Authority, Dave & Buster’s, Hannaford, 7-Eleven, Heartland, Office Max, Barnes & Noble, Forever 21 and DSW.

Despite those heavyweight retail brands, only a couple have borne the vast majority of the costs and headaches associated with a breach. Why? Because the first one or two chains have to go through the expense of identifying the breached card numbers and having them shut down and reissued. Once that task is complete, life is much easier for the others.

The amount of time that chain employees must deal with law enforcement plummets after the first one or two, as long as the means of attack is essentially the same (as it was in the Gonzalez cases). From a PR/brand damage perspective, the first two get the star treatment, while the others are—fortunately for them—sloughed off in media reports as "other retailers victimized include...." assuming they're mentioned at all.

And the publicity—or lack of same—can also sharply influence who gets hit with the most serious lawsuits, another crucial cost and time-destroyer.

Mark Rasch, the former head of the U.S. Justice Department's high-tech crimes unit who today serves as the principal at Secure IT Experts, points out that timing is everything.

"As a company, you always want to avoid being the first public victim of a hacker or attacker. You then bear the major expense of the investigation and the publicity associated with the data breach. By the time the public learns that there were other victims, they have already blamed you," Rasch said. "Thus, when conducting an internal investigation of any attacks on your infrastructure, you want to look for patterns indicating whether the attack was targeted at you and you alone, or at others, and coordinate your investigation and disclosures with other victims and with appropriate law enforcement officials."

Another keen observer of matters secure is Avivah Litan, security expert at Gartner. "This is a very good insight in terms of pointing out the incongruities and, frankly, the injustices associated with the costs of data breaches committed by the same criminal gang," she said.

"It is true that the first incidents in a pack bear all the negative publicity and most of the costs associated with investigating the breach and dealing with the card brands," Litan said. "It’s time that the costs get spread out equally. Not only across all affected breached entities (e.g., merchants and processors), but also across the card brands and card issuers for not providing a more secure payment system for merchants and cardholders to use in the first place."

One senior IT security executive at a major retail chain said part of the buddy problem is that there is not nearly enough data being shared by the first victims in a massive breach. "What we are not seeing is an adequate clearinghouse of information on technical details of the breaches so we can craft specific intrusion detection and data loss prevention signatures based on the sufferings of others. This would help those of us who haven't been hit, as it could help prevent future problems," said the exec. "We've had to go to several vendors and processors to get the details we needed to ensure we are safe. It would have been helpful if some of that information (e.g., the use of Cyrillic in hacker code that can easily be picked up in DLP) had been provided to us earlier on by the payment card industry, processors or banks. While this is above and beyond PCI requirements, it would serve members and cardholders equally and could be accomplished without leaking details of the investigations at those retailers."
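The kind of shared indicator the executive describes (Cyrillic text inside code dropped on a retailer's systems) turns into a DLP or host-scan check fairly directly. As an added illustration that is not part of the original article, here is a small Python scanner that flags Cyrillic runs in a file whether the content is UTF-8 (scripts) or UTF-16LE (wide strings in Windows binaries); the sample inputs and the two-character minimum run length are constructed assumptions:

```python
import re
import sys
from typing import List, Tuple

# Cyrillic block (U+0400-U+04FF) plus Cyrillic Supplement (U+0500-U+052F).
# Assumed threshold: a run of at least two characters, so a single stray
# code point produced by decoding arbitrary binary bytes is not reported.
CYRILLIC_RUN = re.compile(r"[\u0400-\u052F]{2,}")


def find_cyrillic(data: bytes, context: int = 12) -> List[Tuple[str, str]]:
    """Return (encoding, snippet) for every Cyrillic run found in data.

    Both UTF-8 and UTF-16LE decodings are tried: scripts are normally UTF-8,
    while string tables in Windows executables are usually UTF-16LE, and a
    check that only looks at one encoding misses the other.
    """
    hits: List[Tuple[str, str]] = []
    for enc in ("utf-8", "utf-16-le"):
        text = data.decode(enc, errors="ignore")  # never raises, drops junk
        for m in CYRILLIC_RUN.finditer(text):
            start = max(0, m.start() - context)
            snippet = text[start:m.end() + context].replace("\n", " ")
            hits.append((enc, snippet))
    return hits


def is_suspicious(data: bytes) -> bool:
    """True if the content carries at least one Cyrillic run in any encoding."""
    return bool(find_cyrillic(data))


# Constructed samples: a UTF-8 script with a Cyrillic comment, a UTF-16LE
# wide string, and a clean ASCII script that must not be flagged.
SAMPLE_SCRIPT = "# проверка соединения\nimport socket\n".encode("utf-8")
SAMPLE_WIDE = "config path ошибка".encode("utf-16-le")
CLEAN_SCRIPT = b"import os\nprint('hello')\n"

if __name__ == "__main__":
    # Usage: python scan.py FILE... ; without arguments, scan the samples.
    targets = sys.argv[1:] or ["SAMPLE_SCRIPT", "SAMPLE_WIDE", "CLEAN_SCRIPT"]
    for name in targets:
        blob = globals()[name] if name in globals() else open(name, "rb").read()
        for enc, snippet in find_cyrillic(blob):
            print(f"{name}: [{enc}] ...{snippet}...")
```

The same regular expression can be dropped into most DLP engines that accept Unicode character classes, with the UTF-16 pass handled by the engine's own decoding.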

Frustratingly, the advice not to be the first one or two retailers breached is likely to be of very little practical use to retailers. They will always try to avoid being a data breach victim. But if it happens, there's little they can do to influence where in the line they fall. If retailers want some consolation, however, being a data breach also-ran is probably not a bad thing to be.