Localizing the spreading consumer data breach story

by January 13, 2014

The story merchants wish would go away actually just got bigger, with Target admitting that far more customers than earlier reported had been victims of its data breach, and as CNBC reports, it’s still a mystery as to exactly what database was hacked, since information not encoded onto debit and credit cards, like e-mail addresses, also appears to have been stolen.

And now, the posh patrons of Neiman Marcus are nervously checking their accounts as well.  And Reuters is reporting that as-yet-unnamed stores experienced hacking, so expect more headlines this week.

It’s interesting, by the way, that the stores themselves are being portrayed as “victims” in headlines, like this one on CBS Moneywatch.  One would think the corporations entrusted with sensitive financial data would be identified as “negligent,” when they fail to protect that data.  I imagine that is how consumers see it.

And as the stories mount, even the most blasé, tech-comfy shopper must be having at least a few second thoughts about her use of plastic and online shopping accounts, as well as other avenues where her data can be used against her.  So you might want to continue looking for consumer, personal finance and local angles to the topics of identity theft, cybersecurity, privacy and data mining.

For example, check with area law firms — has any local party started to gin up a lawsuit against Target, a bank or any other retailer?  Are credit counseling agencies getting lots of calls from people unsure of how to monitor their accounts?  Are local stores, restaurants, etc. seeing more cash transactions than usual — and if so, are ATM operators stocking more paper currency, or are banks and credit unions seeing more cash withdrawals?  What are some of the other ripple effects of a big data breach?  (Also, keep in mind the “Who benefits?” maxim – are local stores licking their chops about the chance to portray themselves as the safe alternative to those scary national chains?)

It’s difficult to localize these complex topics, especially if your region lacks the headquarters of a major player (or potential player) and if you don’t follow computer security on a daily basis; the subject matter is highly technical and boiling it down quickly and accurately is a daunting task.  Obviously you can contact local and regional companies – banks and credit unions, retailers, restaurants, etc. – and ask for interviews with the manager responsible for their cybersecurity.

How to get beyond reassuring platitudes is the problem, but at least you can get them on the record about any current and planned consumer protection infrastructure.  And what are local credit-card issuers doing for consumers?  Here’s a story from the StPeterHerald.com, for example, about how area banks are identifying Target shoppers and offering them options to protect their accounts.  Now, as more retailers apparently are being identified, how will banks and credit unions address that?

You might want to seek out cybersecurity firms in your area and ask them to talk about current problems and trends in the industry, and how consumers can help to protect themselves.   You might come across some profile-worthy business, career and technology angles, as well.  How does one prepare to be a cybersecurity expert, for example – clearly demand is only going to rise for this particular specialty.

To find them, ask companies on your beat whom they employ, and check with the computer science departments at area universities; they’ll probably know the top players.  You can find companies via a Google search, too, and through professional groups like the Information Systems Security Association – they have a web conference coming up later this month, “Security Reflections of 2013 and Predictions for 2014” – talk about a timely title, and you can imagine the dialogue will be buzzing now; you might ask the association for permission to tune in.  It looks like the ISSA has a robust roster of local chapters too.

A little background reading to help you formulate questions:

Here’s an interesting post on the Krebs On Security blog (which I recommend subscribing to; it’s written by a Washington Post reporter turned computer security expert) about the notion of holding software makers financially responsible for vulnerabilities in their products.  Krebs discusses the idea of  a ‘bug bounty’ that companies would pay to people who can demonstrate those product glitches; right now, he says, the bounties offered can’t compete with the black market for stolen data so perhaps upping bounties would be a cost-effective way to prevent cyber crime and the huge associated costs, both direct and indirect.  (Think of the lost sales Target experienced due to its hacking; seems like that’ll be the tip of the iceberg if tech-shy consumers rein in the use of credit and debit accounts – not to mention the class action lawsuits, possible fines, lost productivity at Target headquarters and the expenses of revamping its financial and other systems.)

Here’s a look at the “Top six data breach trends for 2014,” by SecurityInfoWatch.com – healthcare breaches and the problems associated with cloud computing are two areas I’ve been wondering about, and they’re both among these top trends.

Computerworld is also worth a daily review.