Stores and card processing companies have reported a steady stream
of security breaches for years without a major backlash from
consumers, such as those disclosed by TJX Cos in 2007 and by
Heartland Payment Systems Inc in 2009.
But the latest thefts — including attacks on Target Corp and Neiman
Marcus — have involved a broad set of merchants and could mark a
watershed moment for security standards as calls grow for changes in
the protection of consumer information.
One sign of the change is a new enthusiasm for payment cards that
store customer information on computer chips and require users to
type in personal identification numbers.
Mallory Duncan, general counsel of the National Retail Federation
that represents Target, Wal-Mart and other big stores, said in an
interview on Sunday that the trade group encouraged its members to
upgrade to the higher-security cards even though they cost more than
old systems that store data on magnetic stripes.
The breaches are "unfortunate but we're not entirely surprised,"
Duncan said at his organization's annual convention now being held
in New York.
"The technology that exists in cards out there is 20th-century
technology and we've got 21st-century hackers," he said.
Duncan said the trade group had only made its backing for the
higher-security cards public since the Target breach. Banks have
quietly begun to offer the cards but mainly for customers to use
while traveling. Big U.S. card networks led by Visa Inc will not
require the higher security until next year at the earliest.
It is not clear the new "Chip-and-PIN" cards would have prevented
the breaches at Target and elsewhere. At the very least they make
stolen data harder to re-use, a reason the technology has caught on
widely in Europe and Asia.
They have met with much less enthusiasm in the United States, in
part because losses to fraud — just 5 cents for every $100 spent via
plastic — have been manageable for merchants and their banks. But
rising fraud rates, and the risk of identity theft, could change the
The new scrutiny began last month after Target of Minneapolis
disclosed it suffered a massive data breach during the holiday
shopping season. Target said on Friday the breach was worse than it
initially thought and that hackers stole the personal information of
at least 70 million customers, in addition to some 40 million
payment card numbers.
Investigators believe that hackers used malware that captured data
on customers from the magnetic stripes on their payment cards. Since
Target's disclosure the more upscale store chain Neiman Marcus has
said it also suffered an attack, and sources have told Reuters that
at least three other well-known U.S. retailers have been breached
but not come forward.
[to top of second column]
In his first interview since it disclosed the breach, Target
Chairman and Chief Executive Gregg Steinhafel told CNBC the company
moved quickly after it confirmed it had a security issue on December
15, though it did not disclose the problem until December 19. The
time allowed Target to eliminate the malware that had compromised
its systems and to prepare its stores and call centers for its
announcement, he said.
Steinhafel did not offer many more details and noted an ongoing
"Clearly we are accountable and we are responsible — but we are
going to come out at the end of this a better company and we are
going to make significant changes," he said, according to the
Duncan, the trade group official, said no other members had told the
NRF they had been breached, and a series of other executives said in
interviews since Saturday that they also were not aware of breaches
at their companies. The executives included representatives of Sears
Holdings Corp, JCPenney Co, Macy's Inc and Gap Inc.
Still, the breach was the talk of the massive conference with 29,000
industry attendees at New York's Jacob K. Javits Convention Center.
Several speakers cited it during their remarks at the conference and
some tried to distance their companies from vulnerabilities.
Dan Morrell, assistant treasurer of drugstore chain Walgreen Co,
said the company was "spending a lot of time and the right
investment dollars" to protect its data and its customers.
Stan Lippelman, vice president of marketing at Bass Pro Shops, a
privately held outdoor goods seller, said: "We feel very comfortable
with where we are at. But ... the fact that it happens to Target
means it can happen to anybody, right?"
(Additional reporting by Jim Finkle and Dhanya Skariachan in New
York; editing by Stephen Coates)
[© 2014 Thomson Reuters. All rights
Copyright 2014 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.