The holiday buying season is upon us once again. Another event that has arrived along with the buying season is the season of big box retailer data breaches.
A year ago, the Target breach made national headlines, followed shortly thereafter by a breach at Home Depot. Both breaches got a lot of attention, primarily because the number of bank cards affected was so high—more than 70 million debit and credit card numbers exposed in the case of Target and 56 million exposed at Home Depot.
Luckily, very little fraudulent activity occurred on the stolen card numbers, primarily because the breaches were caught fairly soon, making them relatively minor incidents in the scheme of things, compared with other breaches that have occurred over the years that resulted in losses of millions of dollars. The Target breach was notable for one other reason, however: when it came to security, the company did many things right, such as encrypting its card data and installing a multi-million-dollar state-of-the-art monitoring system not long before the breach occurred. But although the system worked exactly as designed, detecting and alerting workers when it appeared that sensitive data was being exfiltrated from its network, workers failed to act on these alerts to prevent data from being stolen.
Below, we look back on a decade of notable breaches, many of which happened despite the establishment of Payment Card Industry security standards that are supposed to protect cardholder data and lessen the chance that it will be stolen or be useful to criminals even when it’s nabbed.
The PCI security standard, which went into effect in 2005, is a list of requirements — such as installing a firewall and anti-virus software, changing vendor default passwords, encrypting data in transit (but only if it crosses a public network) — that companies processing credit or debit card payments are required by card companies to have in place. Companies are required to obtain regular third-party security audits from an approved assessor to certify ongoing compliance. But nearly every company that was victim to a card breach was certified as compliant with the PCI security standard at the time of the breach, only to be found noncompliant in a post-breach assessment.
10. CardSystems Solutions – 40 million cards: CardSystems Solutions, a now-defunct card processing company in Arizona, holds the distinction of being the first major business to be breached following the passage of California’s breach notification law in 2002 — the first law in the nation requiring businesses to tell customers when their sensitive data has been stolen. The intruders placed a malicious script on the company’s network that was designed to sniff for card transaction data, resulting in the names, card numbers and security codes of some 40 million debit and credit cards being exposed to the hackers. CardSystems was storing unencrypted transaction data, after transactions were completed, in violation of the PCI security standard. The company was certified PCI compliant in June 2004 and discovered it had been breached in May 2005.
9. TJX – 94 million cards: TJX was just one of more than a dozen retailers hacked by Albert Gonzalez and a team of cohorts, including two Russian hackers. They breached the TJX network in 2007 through war-driving — a practice that involves driving by businesses and offices with an antenna hooked to a laptop with special software to suss out wireless networks. From TJX’s wireless network, they burrowed their way into the company’s card processing network, which was transmitting card data unencrypted. The initial breach occurred in July 2005 but wasn’t discovered until December 2006. Additional breaches occurred later in 2005, 2006 and even in mid-January 2007, after the initial breach had been discovered. The breach cost the company about $256 million.