When Shoppers Become Targets

Banking Leaders Say Retailers Should Bear Burden of Data Breaches

When it comes to data breaches and identity theft, Target isn’t the only target.

The retail chain made news of the worst sort in December when it reported a security breach that compromised the financial information of tens of millions of customers.

The fallout affected the banks that issued the credit and debit cards that were compromised, and since that event, banking-industry leaders have been speaking out about the impact of such breaches on their operations.

“When a retailer like Target speaks of its customers having ‘zero liability’ from fraudulent transactions, it is because our nation’s banks are making customers whole, not the retailer that suffered the breach,” said James Reuter, executive vice president of Colorado-based FirstBank, representing the American Bankers Assoc. (ABA) in testimony before the Senate Banking Subcommittee on National Security and International Trade and Finance.

“Banks swiftly research and reimburse customers for unauthorized transactions,” he continued, “and normally exceed legal requirements by making customers whole within days of the customer alerting them.”

High-profile breaches like the one that befell Target have reignited a long-running debate over consumer data-security policy. The issues being discussed include what security and breach notification standards should apply to businesses, and who should be responsible for covering the costs of fraud resulting from breaches.

For its part, the ABA believes Congress should pass data-security legislation that holds retailers and others to high, uniform, nationwide standards for safeguarding sensitive customer information, just as banks have long had a similar obligation to protect their customers’ sensitive financial information. The ABA is also advocating that those responsible for data breaches should be responsible for their costs.

For its part, Target admitted it didn’t read the signs of a potential problem in December.

Just a few days before Christmas, Target disclosed that a data breach compromised 40 million credit and debit card accounts between Nov. 27 and Dec. 15. A few weeks later, the retailer said hackers also stole personal information — including names, phone numbers, and e-mail and mailing addresses — from as many as 70 million customers.

“Like any large company, each week at Target there are a vast number of technical events that take place and are logged,” said company spokeswoman Molly Snyder in a statement soon after the incident. “Through our investigation, we learned, after these criminals entered our network, a small amount of their activity was logged and surfaced to our team. That activity was evaluated and acted upon. Based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow-up. With the benefit of hindsight, we are investigating whether, if different judgments had been made, the outcome may have been different.”

According to Target, hackers broke into its network by infiltrating a vendor’s computers. Then the criminals installed malicious software in the checkout system for some 1,800 Target stores across the U.S. The sheer scope of the crime could eventually surpass the 90 million customer records compromised in 2007 when thieves stole data from T.J. Maxx, Marshalls, and HomeGoods stores.

Target’s chief information officer, Beth Jacob, resigned recently, and the store said it is overhauling some of its divisions that handle security and technology. It is also accelerating a $100 million plan to roll out chip-based credit-card technology, which it claims is more secure than traditional magnetic-stripe cards.

Far-reaching Problem

The data-breach issue extends far beyond a major retailer or two, and is an irksome one for banks. The Identity Theft Resource Center reported more than 600 consumer data breaches in 2013 — a 30% increase over 2012.

Reuter testified that banks receive pennies for each dollar of fraud losses and other costs they incur in protecting their customers from fraud, and that, while banks bear more than 60% of reported fraud losses, they have accounted for less than 8% of reported breaches since 2005.

Data breaches can fall into two categories: unintentional and intentional. An unintentional breach — often due to the negligence of an employee who mishandles or inadvertently exposes data — does not always lead to fraud.

Intentional breaches occur when data is accessed, viewed, stolen, or used by someone who is not authorized to do so — in many cases, criminals who target the company in an attempt to steal consumers’ personal and financial information, either to use it to commit fraud or to sell it to others. This often leads to new financial accounts in the victims’ names, counterfeit cards, and phishing scams.

Debit-card fraud accounted for 54% of industry loss, followed by check fraud at 37%, and online banking and electronic transactions at 9%, according to the ABA. Typically, Reuter said, when fraud occurs or is likely to, banks will close the account, eat the loss, and reissue the card. Meanwhile, banks stopped $9 out of every $10 of attempted deposit-account fraud in 2012, according to the ABA’s 2013 Deposit Account Fraud Survey Report.

“Financial fraud, including identity fraud, is a very real risk that must be taken seriously,” writes Frank Keating, ABA president and CEO. “The best way to contend with financial fraud is to prevent it from ever happening in the first place. Banks use sophisticated technology and monitoring techniques, intricate firewalls, and other methods of securing customer data, but there are steps consumers must take as well.”

The ABA offers a number of tips to help consumers protect themselves from becoming victims of financial fraud:

• Don’t provide your Social Security number or account information to anyone who contacts you online or over the phone. Protect your PINs and passwords and do not share them with anyone. Use a combination of letters and numbers for your passwords and change them periodically. Do not reveal sensitive or personal information on social-networking sites.

• Shred sensitive papers, including receipts, bank statements, and unused credit-card offers before throwing them away, and keep an eye out for missing mail from creditors.

• Consider enrolling in online banking to reduce the likelihood of paper statements being stolen. Monitor your online accounts regularly for fraudulent transactions. Sign up for text or e-mail alerts from your bank for certain types of transactions, such as online purchases or transactions of more than $500.

• Order a free copy of your credit report every four months from one of the three credit reporting agencies.

• Make sure the virus-protection software on your computer is active and up to date. When conducting business online, make sure your browser’s padlock or key icon is active. Also look for an ‘s’ after the ‘http’ to be sure the website is secure.
For mobile devices, use the passcode lock, which will make it more difficult for thieves to access your information if your device is lost or stolen.

Everyone’s Business

Stronger vigilance by all parties — retailers, banks, and consumers — will make a dent in the incidence of data theft, Reuter said, although it won’t stop all of it, which is why the ABA continues to press Congress on the issue.

“Banks, retailers, processors, and all other participants in the payment system must share the responsibility of keeping the system secure, reliable, and functioning in order to preserve customer trust,” Reuter testified.

“That responsibility should not fall predominantly on the financial-services sector,” he added. “Banks are committed to doing their share, but cannot be the sole bearer of that responsibility. Policymakers, card networks, and all industry participants have a vital role to play in addressing the regulatory gaps that exist in our payment system, and we stand ready to assist in that effort.” n

Joseph Bednar can be reached at [email protected]