Retail giant Target thought it was putting its massive 2013 data breach nightmare to bed: an incident in which attackers stole data believed to cover 40 million customer credit and debit card accounts. But the painful past is still haunting the company, as its multimillion-dollar settlement with MasterCard has collapsed.
Target announced a settlement agreement with MasterCard in April. Under the terms of the deal, Target agreed to reimburse about $19 million to financial institutions that had issued MasterCards that were part of the data breach. The money aimed to cover the costs of MasterCard issuers around the world that had to reissue credit and debit cards to customers in the wake of the breach.
Although Target and MasterCard agreed on terms, the settlement carried a condition: the issuers of at least 90 percent of the eligible MasterCard accounts had to accept the offers by May 20. Fewer than 90 percent agreed. In a published statement, MasterCard said, “At this stage we will continue to work to resolve the matter.”
This Should Not Have Happened
We asked Richard Blech, CEO of cybersecurity solutions firm Secure Channels, for his take on the news. He told us the “aftermath of treating security as an afterthought” is exploding. While the banks, MasterCard and Target continue to hash out the fallout at an enterprise level, he said it is easy to forget the real losers in a breach: the consumers.
“Customers end up paying for the payouts for the lawsuits, upgrades in security and covering the loss made by the breaches,” Blech said. “These large enterprises end up charging customers more to compensate for their products, services, lawyers’ fees, public relations debacles and advertising that goes into a company trying to recoup from the breach themselves.”
Alternatively, these companies could have chosen to strongly encrypt sensitive data, and none of this would have happened, Blech said. His bottom line: companies like Target need to invest in cybersecurity to protect consumer data rather than pass the costs down to the consumer. The best way to make money is to stop losing it in the first place, he said.
Compliant vs. Secure
Brad Taylor, CEO of cloud-based security firm Proficio, told us the rampant increase in breaches in the retail sector over the past 12 months highlights the major difference between being compliant and being secure.
“Executives are realizing one does not equal the other,” he said. “All the breached retailers of the past year were compliant and still got breached. A new paradigm for security monitoring, investigation, and immediate response is needed for detecting advanced multi-tiered attacks and blocking at some point in the kill chain before a breach occurs.”
The Target data theft was the largest affecting a retailer since 2005, when data on 45.7 million shoppers was taken at retailing giant TJX, which operated several chains, including T.J. Maxx and Marshall’s. Both Target’s CEO and CIO resigned over the massive data breach that occurred from November 27, 2013 to December 15, 2013.
About a month after the breach, the company said the theft also might have exposed identifying information such as names, addresses and e-mail addresses of as many as 70 million customers. In February 2014, Krebs on Security broke the news that network credentials stolen from a third-party HVAC vendor were at the heart of the costly breach.