News of the second Kmart credit-card breach in three years at the retailer and the number of breaches at financial institutions doubling this year over the same period 2016 should raise concerns.
In the second of two-articles, security experts provide strategies to credit unions and businesses to protect credit card data.
Last week, Sears Holdings, the parent company of Kmart, confirmed it experienced another malware-based data breach of its card processing systems, which were infected with a form of malicious code, The company did not reveal how many of its 735 Kmart locations saw signs of a breach.
Meanwhile as of May 30, the total number of breaches in the U.S. captured in the 2017 ITRC Breach Report from the San Diego-based Identity Theft Resource Center now totals 698, an increase of 35.3% over last year’s record pace (516) for the same time period.
Of that total, 36 incidents took place at financial institutions, twice as many as last year for the same period and affected a reported 520,000 records. Almost all FI breaches did not report the number records exposed.
The ITRC 2017 Breach Report five industry sectors break down still reveals business way in front at 55.9%, followed by medical/healthcare, 21.6%, educational, 11.9%, government, 5.4% and banking/credit/financial, 5.2%.
Of course, any incident, if they included payment information, could also touch credit union cardholders.
“Members are becoming somewhat immune to the reporting of new data breaches because they are becoming a part of everyday news,” Ashley McAlpine, fraud prevention manager for Rancho Cucamonga, Calif.-based CO-OP Financial Services observed. “Having a cardholder education program can be instrumental in keeping members attention on new breaches or innovative techniques fraudsters are utilizing.”
Rebecca Herold, president of the Des Moines, Iowa-based SIMBUS and CEO of The Privacy Professor, listed three risky ways credit unions card breach risk increases:
- Credit unions need to switch to chipped cards instead of the magnetic strip cards if they are still using them.
- Many credit union clients, who are small to mid-sized businesses, use POS devices and systems to collect payments, with poor, and sometimes no, information security or privacy controls in place on their POS network, systems and devices.
- Too many businesses believe their POS vendors have all the security issues they need in places without checking to verify that that they actually do. “This is a very bad, and risky, assumption!”
“Credit unions will potentially be liable and/or subject to significant losses for these types of POS breaches when their cards are involved,” Herold said.
Herold also pointed out malware sometimes gets loaded, through third parties; employees with who fall victim to phishing scams, or malicious insiders who see an opportunity to collect data to sell to others, or to hurt their employer.
“The security of payment card data is still proving to be difficult for some online and bricks-and-mortar retailers,” Robert Capps, authorization strategist, and VP of Vancouver, British Columbia, Canada based NuData Security said. He added, Kmart breach data may not turn up right away, but down the road, personal identifying information when matched with data from other gathered from other incidents can build more complete user profiles. “Adding the layer of behavioral and passive biometrics will make this data much less useful. This breach is a perfect example of why the data being stolen needs to be devalued– if it can’t be used, it won’t be stolen in the first place.”
John Christly, Global CISO, Netsurion, a provider of managed security services for multi-location businesses, and EventTracker, a SIEM company, noted, “All retailers should start by deploying a managed firewall across all locations.” These firewalls monitor payment card processing activity to ensure that malware is not entering, and sensitive data is not exiting, the network. “The latest string of breaches, however, reiterates that multi-location retail security requires a new approach, beyond the minimums of maintaining PCI compliance and implementing a managed firewall.”
