Lessons From Target's Data Breach Fumble

By Jennifer Schlesinger | @jennyanne211

As the risk of data breaches rises, so do the number of attacks and their financial impact on American businesses.

For executives at companies experiencing data breaches, the consequences can be even more dire. It can cost managers their jobs.

Five months after Target's (TGT) holiday data breach, the retailer's former chairman and chief executive Gregg Steinhafel stepped down from his more than $23 million-a-year position. While Steinhafel also faced criticism for Target's Canadian expansion, the massive breach -- which included leaked credit and debit card information for millions of customers -- likely played a role, according to analysts.

"Gregg [Steinhafel] led the response to Target's 2013 data breach. He held himself personally accountable and pledged that Target would emerge a better company," the company said in a May 5 statement.

Craig Carpenter, a chief strategist at cybersecurity company AccessData, said the information security community believes the resignation will "help raise information security to a C-level [corporate] issue."

Business managers are paying closer attention to information security because the costs of data leaks keep expanding.

Since last year, the average cost of a data breach has risen 15 percent to $3.5 million, according to a new study by IBM (IBM) and the Ponemon Institute, a researcher on data protection and information security.

The costly damage to a business includes expenses related to seeking experts' help, the actual company investigation and any loss of customers. Part of the 15 percent increase can be attributed to more customer records being stolen.

Here's what corporate executives and business managers need to learn about data breaches.

Cybersecurity Is Everyone's Issue

After data breaches, the person who usually takes blame is the chief information security officer or the chief information officer, Carpenter said. In the case of Target, the chief information officer resigned in March before the chief executive's departure.

Getting all senior managers to acknowledge that they are responsible for data security is part of the challenge.

A study by cybersecurity firm Stroz Friedberg found that just 45 percent of senior management acknowledged they are responsible for protecting against cyberattacks.

Shawn Henry -- cybersecurity expert and a former executive assistant director of the FBI -- said companies need to acknowledge every employee is responsible for cybersecurity, not just the tech guys. "Technology is a piece of the solution but it's not the sole solution," said Henry, now president of cybersecurity company CrowdStrike Services.

Detect Breaches and Mitigate Effects

Experts also told CNBC that companies receive so many cybersecurity threats that they need to learn to detect breaches and mitigate the effects, instead of setting the unrealistic goal of trying to block all attacks.

AccessData's Carpenter said larger companies see thousands of cybersecurity alarms every day.

Communication Is Key

Corporate executives also need to learn how to effectively communicate data breaches, Henry said. Letting consumers know about a breach early on can help prevent damage to a business's reputation.

Target waited to comment on its breach until after it was announced by security blogger Brian Krebs. Then, the retail giant revealed in January that even more customers were affected than originally announced.

"[Businesses] need to understand what to do when they face one of these breaches, who to communicate with, how they rally their troops, how they deal with regulators," Henry said.

Why Your Bank Thinks Someone Stole Your Credit Card

One reason why Marquis' gas purchases might have triggered a fraud lockdown? Filling their tank is a common first move for credit card thieves.

"Some of the things they look at are small-dollar transactions at gas stations, followed by an attempt to make a larger purchase," explains Adam Levin of Identity Theft 911.

The idea is that thieves want to confirm that the card actually works before going on a buying spree, so they'll make a small purchase that wouldn't catch the attention of the cardholder. Popular methods include buying gas or making a small donation to charity, so banks have started scrutinizing those transactions.

Of course, it's not a simple matter of buying gas or giving to charity -- if those tasks triggered alerts constantly, no one would do either with a credit card. But Levin points to another possible explanation: Purchases made in a high-crime area are going to be held to a higher standard by the bank.

"It's almost a form of redlining," he says. "If there are certain [neighborhoods] where they've experienced an enormous amount of fraud, then anytime they see a transaction in the neighborhood, it sends an alert."

(Indeed, Erin tells me that one of the gas purchases that triggered an alert took place in a rough part of Detroit, which she visited specifically for the cheap gas.)

People who steal credit cards and credit card numbers usually aren't doing it so they can outfit their home with electronics and appliances. They don't want the actual products they're fraudulently buying; they're just in it to make money. So banks are always on the lookout for purchases of items that can easily be re-sold.

"Anytime a product can be turned around quickly for cash value, those are going to be the items that you would probably assume that, if you were a thief, you would want to get to first," says Karisse Hendrick of the Merchant Risk Council, which helps online merchants cut down on fraud. Levin says electronics are common choices for fraudsters, as are precious metals and jewelry.

Many thieves don't want to go through the rigmarole of buying laptops and jewelry, then selling them online or at pawnshops. They'd much prefer to just turn your stolen card directly into cold, hard cash.

There are a few ways that they can do that, and all of them will raise red flags at your bank or credit union. Using a credit card to buy a pricey gift card or load a bunch of money on a prepaid debit card is a fast way to attract the suspicions of your credit card issuer. Levin adds that some identity thieves also use stolen or cloned credit cards to buy chips at a casino, which they can then cash out (or, if they're feeling lucky, gamble away).

When assessing whether a purchase might be fraudulent, banks aren't just looking at what you bought and where you bought it. They're also asking if it's something you usually buy.

"The issuers know the buying patterns of a cardholder," says Hendrick. "They know the typical dollar amount of transaction and the type of purchase they put on a credit card."

Your bank sees a fairly high percentage of your purchases, so it knows if one is out of character for you. A thrifty individual who suddenly drops $500 on designer clothes should expect to get a call -- or have to make one when the bank flags the transaction. If you rarely travel and your card is suddenly used to purchase a flight to Europe, that's going to raise some red flags.

Speaking of Europe, the other big factor in banks' risk equations is whether you're making a purchase in a new area. I bought a computer just days after moving from Boston to New York, and had to confirm to the bank that I was indeed trying to make the purchase. Levin likewise says that making purchases in two different cities over a short period of time raises suspicions.

"I go from New York to California a lot, and invariably someone will call me [from the bank]," he says. Since one person can't go shopping in New York and California at the same time, any time a bank sees multiple purchases in multiple locations in a short period, it's going to be suspicious.
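The heuristics this gallery describes (a small test purchase at a gas station or charity followed by a larger one, purchases in a high-fraud neighborhood, easily resold goods and cash equivalents such as gift cards, an amount far outside the cardholder's usual pattern, and purchases in two cities within a short window) can be written as a simple rule-based scorer. The example below is added here and is not code from the article or from any bank or card issuer; the transaction records, category names, time windows, thresholds and rule weights are constructed assumptions for illustration. It also shows the point Levin makes that a single weak signal (one cheap gas purchase in a rough area) should not, on its own, lock the card.

```python
"""Rule-based card-fraud scoring mirroring the issuer heuristics described in the text.
All data, categories, windows, thresholds and weights below are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List


@dataclass
class Txn:
    ts: datetime
    amount: float
    category: str          # constructed labels: gas, charity, grocery, electronics, gift_card ...
    city: str
    high_fraud_area: bool = False   # merchant sits in a neighborhood with heavy past fraud


# Categories the text singles out: cheap "does the card work?" tests, goods that are
# easy to resell, and purchases that are effectively cash.
TEST_CATEGORIES = {"gas", "charity"}
RESALE_CATEGORIES = {"electronics", "jewelry", "precious_metals"}
CASH_LIKE_CATEGORIES = {"gift_card", "prepaid_load", "casino_chips"}

TEST_WINDOW = timedelta(hours=6)    # small test followed by a large purchase within this window
TEST_MAX = 25.0                     # "small-dollar" ceiling for a test purchase
TRAVEL_WINDOW = timedelta(hours=2)  # two different cities within this window is implausible
ANOMALY_FACTOR = 5.0                # amount more than 5x the cardholder's typical amount

# Assumed weights: one weak signal alone stays below the hold threshold.
WEIGHTS = {
    "card_test_then_spend": 3,
    "multi_city": 3,
    "cash_equivalent": 2,
    "resale_goods": 2,
    "amount_anomaly": 2,
    "high_fraud_area": 1,
}
HOLD_THRESHOLD = 4


def flag_transaction(history: List[Txn], txn: Txn) -> List[str]:
    """Return the sorted list of rules that fire for txn, given the cardholder's earlier transactions."""
    flags = set()
    recent = [h for h in history if txn.ts - h.ts <= TEST_WINDOW]
    # 1. Small gas/charity purchase shortly before a much larger purchase.
    if any(h.category in TEST_CATEGORIES and h.amount <= TEST_MAX for h in recent) \
            and txn.amount > TEST_MAX * 4:
        flags.add("card_test_then_spend")
    # 2. Merchant located in an area with an unusual amount of past fraud.
    if txn.high_fraud_area:
        flags.add("high_fraud_area")
    # 3. Goods that turn into cash quickly, or purchases that already are cash.
    if txn.category in RESALE_CATEGORIES:
        flags.add("resale_goods")
    if txn.category in CASH_LIKE_CATEGORIES:
        flags.add("cash_equivalent")
    # 4. Amount far outside what this cardholder normally spends.
    if history and txn.amount > ANOMALY_FACTOR * mean(h.amount for h in history):
        flags.add("amount_anomaly")
    # 5. Purchases in two different cities too close together in time.
    if any(h.city != txn.city and txn.ts - h.ts <= TRAVEL_WINDOW for h in history):
        flags.add("multi_city")
    return sorted(flags)


def score_card(txns: List[Txn]) -> List[Dict[str, object]]:
    """Score each transaction, in order, against the transactions that preceded it."""
    results = []
    for i, txn in enumerate(txns):
        flags = flag_transaction(txns[:i], txn)
        score = sum(WEIGHTS[f] for f in flags)
        results.append({"flags": flags, "score": score, "hold": score >= HOLD_THRESHOLD})
    return results


# Constructed sample history: a Chicago cardholder, then a $5 gas purchase in a
# high-fraud part of Detroit, a large electronics purchase an hour later, and a
# gift-card purchase back in Chicago thirty minutes after that.
T0 = datetime(2014, 5, 10, 9, 0)
SAMPLE = [
    Txn(T0 - timedelta(days=20), 42.10, "grocery", "Chicago"),
    Txn(T0 - timedelta(days=15), 18.75, "grocery", "Chicago"),
    Txn(T0 - timedelta(days=10), 55.00, "gas", "Chicago"),
    Txn(T0 - timedelta(days=3), 31.40, "grocery", "Chicago"),
    Txn(T0, 5.00, "gas", "Detroit", high_fraud_area=True),
    Txn(T0 + timedelta(hours=1), 899.00, "electronics", "Detroit"),
    Txn(T0 + timedelta(hours=1, minutes=30), 500.00, "gift_card", "Chicago"),
]

if __name__ == "__main__":
    for txn, result in zip(SAMPLE, score_card(SAMPLE)):
        print(f"{txn.ts:%m-%d %H:%M} {txn.city:8} {txn.category:12} {txn.amount:8.2f} "
              f"score={result['score']} hold={result['hold']} {result['flags']}")
```

Running the block scores the four routine Chicago purchases at zero, gives the $5 Detroit gas purchase only the weak `high_fraud_area` flag (score 1, no hold), and holds the two purchases that follow it, because the cheap test purchase, the resale or cash-equivalent category, the out-of-pattern amount and the second city all line up within a short window. The weights and windows are the part a real issuer tunes against its own loss data; the structure of the rules is what the gallery describes.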
