Saturday, January 11, 2014

Three "Ts" - Trust, Transparency, and Target

Anyone who has ever shopped at a Target -- which, as far as I can tell, is nearly every American -- has no doubt been following the story of its security breach.

In mid-December, Target confirmed that as many as 40 million customers in the pre-Christmas shopping season "might" have had their payment information stolen. Some of us thought, Phew - Glad I didn't do my Black Friday shopping there!

But the news didn't stop there. Bit by bit, the number of affected customers has grown, and the amount of information stolen has become more alarming.

In today's New York Times, reporters Elizabeth A. Harris and Nicole Perlroth write that as many as 110 million people may be affected (full article, here):
Not only did Target’s announcement disclose a vastly expanded universe of victims, but it revealed that the hackers had stolen a broader trove of data than originally reported. The company now says that other kinds of information were taken, including mailing and email addresses, phone numbers or names, the kind of data routinely collected from customers during interactions like shopping online or volunteering a phone number when using a call center.

It's clear that this wasn't just a "look what I can do" attack, but a well-planned criminal venture:
Fraud experts said the information stolen from Target’s systems quickly flooded the black market. On Dec. 11, shortly after hackers first breached Target, Easy Solutions, a company that tracks fraud, noticed a 10 to twentyfold increase in the number of high-value stolen cards on black market websites, from nearly every bank and credit union.

Target has apologized regularly, and profusely -- as, of course, they should. (Although am I alone in gritting my teeth every time a store executive refers to me as a "guest"? I'm not a guest, I'm a customer. End of rant.)

Target has absolutely been doing the right thing in getting information out as quickly as possible. Transparency is key. But quick information is often incomplete information. And so there's the "bit by bit" information release that, as New York Times reporter Hilary Stout notes in a related article, has its own negative effect:
As clear evidence that the drip, drip of disclosures may be unnerving shoppers, the company on Thursday acknowledged that its sales had been slipping since the initial announcement of the security breach on Dec. 19. What started out as a promising fourth quarter, with “stronger than expected sales” turned into a dismal one, most likely down 2.5 percent from the fourth quarter of 2012, executives said. That would be bad news at any time, but it is particularly distressing given that the fiscal fourth quarter, which encompasses holiday shopping, is the most important quarter of the year for retailers.

Target has offered customers free credit monitoring for a year. Which is a reasonable first step. But to rebuild consumers' confidence in the company, Target needs to do more.

A real, if only temporary (given the ingenuity of fraudsters), solution is the chipped "Smart Card" technology used in many other countries. To date, chipped cards have proven nearly impossible to duplicate, unlike the common magnetic-strip cards used in the US. The current schedule is for banks and retailers to phase in chipped cards and Smart Card readers over the course of the next two years. Maybe Target can help lead the way.
