Coming Soon to a Theater Near You!
Data security breaches have been a frequent topic not only of RSR’s Retail Paradox Weekly, but of just about every technology blog, news aggregator, and traditional news channel extent in the U.S., and quite possibly most of the world. Just to give you an idea, I googled “data security breach “ to prep for this article, and got 47,800,000 hits. How about “credit card breach “? 29,900,000 hits. You get the picture.
So clearly a lot is being written on the subject, and for good reason: data breaches are increasingly common. The website thinkprogress.com, listed ” The 9 Biggest Privacy And Security Breaches That Rocked 2013 “:
- “Social media giants Facebook, LinkedIn, among others, get…hacked…repeatedly… nearly 2 million accounts at Facebook, Google, Yahoo, LinkedIn, Twitter and 93,000 other websites. “
- “Nearly 40 million Target customers’ credit and debit card numbers were stolen in midst of holiday shopping rush. “
- “Hacker group Anonymous target<ed> Twitter accounts…The breach compromised 250,000 user emails and passwords, following two similar attacks involving The New York Times and Wall Street Journal computer networks late January. “
- “In the October breach, Adobe reported that 3 million customers’ credit card information was stolen. A source code leak also exposed almost 40 million user emails and passwords…. “
- “System bug exposes 6 million Facebook users’ personal data in yearlong breach. “
- “Upwards of 50 million LivingSocial user emails and password <were> stolen. “
- “Evernote <reset> about 50 million account passwords after data breach. “
- “The U.S. Department of Homeland Security finally corrected a four-year error in the software it uses to process employees’ background checks…Social Security numbers, birth dates and names were unprotected due to the third-party software vulnerability. “
- “Federal Reserve Bank website hacked by Anonymous. “
And that was just last year.
This year, we’ve got the Heartbleed web security “vulnerability “, which reached the #3 top “hot Google searches ” on April 8th. It’s a fair assumption that the subject of data security has caught the public’s attention.
But the one that really got the retail industry’s attention was the Target breach in 2013, because it can be argued that it destroyed the company’s 4th Quarter. Initially, the consensus opinion was that, like the TJX breach in 2007, people would express alarm, a bunch of IT’ers would be thrown under the bus, the company would pay a fine and plug the leak, and we’d be situation-normal in no time at all. But that’s not exactly what happened, as the entire industry now knows. Given the climate of distrust and anxiety around the world today (in the wake of all the news about how we have lost an semblance of privacy in this always-connected world), the buying public slammed Target hard, and popular media was only too happy to feed the paranoia.
But… A Movie?
Given all of the above, I suppose we shouldn’t be too surprised that Sony Pictures announced in March that it is working on a movie based on Brian Krebs, an independent cyber security analyst who exposed the Target breach (RSR reached out to Mr. Krebs for this column, but received no response). A screenplay writer, Richard Wenk (The Equalizer, The Expendables 2, The Mechanic) has been assigned to the job, although no production schedule has been set yet.
Movie or not, Krebs’ blog is an interesting (and alarming) serial whodunit about cybercrime and cybercriminals. For example, in his December 2013 edition, Krebs uncovered the identity of the proprietor of the online fraud shop:
“Rescator[dot]la is run by a miscreant who uses the nickname Rescator, and who is a top member of <an> Russian and English language crime forum… He operates multiple online stores that sell stolen card data… Rescator also maintains a presence on several other carding forums…. “
Required Reading
The Krebs On Security blog has become almost required reading for IT data security analysts, and with good reason. The information is timely and thorough, but written in clear enough language that someone with a layman’s understanding of how the web works can understand. The question is, why does he do it? A 2/16/2014 NY Times article reported that because of his efforts, Krebs is the frequent recipient of unwanted attention from the most dangerous people lurking in the dark recesses of the web. But his motivation appears straightforward: someone had to do it.
According to the NY Times piece: “His obsession with hackers kicked in when he was just another victim. In 2001, a computer worm — a malicious software program that can spread quickly — locked him out of his home computer. ‘It felt like someone had broken into my home,’ Mr. Krebs recalled in an interview. He started looking into it. And he kept looking, learning about spam, computer worms and the underground industry behind it. Eventually, his anger and curiosity turned into a full-time beat at The (Washington) Post and then on his own blog. ‘I realized that if security breaks down, the technology breaks down,’ Mr. Krebs said. “
Much More than Payment Data
The retail industry has kicked into action because of the Target breach, but the focus is largely on payment data. Krebs is focused much more broadly, on the security of the web itself. And this is important for retailers, because although gaining access to consumer’s payment information is the shortest, most direct path to stealing money from them, it’s not the only path. Take for example Krebs’ reporting on the October 2013 breach by Experian, the personal credit rating bureau:
“An identity theft service that sold Social Security and drivers license numbers — as well as bank account and credit card data on millions of Americans — purchased much of its data from Experian, one of the three major credit bureaus, according to a lengthy investigation by KrebsOnSecurity… In March 2012, Court Ventures was purchased by Costa Mesa, Calif.-based Experian, one of the three major consumer credit bureaus… the proprietors of Superget.info (the underground ID Theft service involved) had gained access to Experian’s databases by posing as a U.S.-based private investigator… the individuals apparently responsible for running Superget.info were based in Vietnam. “
Don’t Wait for the Movie
The retail industry needs a safe and secure web in order to meet the demands of today’s digitally empowered consumers. As the Sunday 4/13 Washington Post editorial board wrote (about the Heartbleed vulnerability), “… this ought to be a wake-up call, but we have already had so many wake-up calls. To put it bluntly: As a country and as a society, we have come to depend on a vast, interconnected system; if one small part fails, the impact is widespread. “
While Krebs is fast becoming a lightning rod for growing public concern about cybercrime, what’s happening is not some fictional cops’n’robber story. And so the recent well-publicized hacks are a wake-up call for the retail industry too – and any other industry whose future assumes always-on ubiquitous connectivity between consumers and providers. It’s not enough for government and industry to respond only after the general public gets in a fever about the issue – a little more pro-action is needed.
So, don’t wait for the movie before doing something. Write your congressman, the trade associations, your president or prime minister. Our businesses depend on it. Oh, and bookmark Krebs On Security.