Fraud Patterns Suggest New Breaches
Target, Neiman Marcus Investigations Heat Up
Investigations and lawsuits are piling up for breached retailers Target Corp. and Neiman Marcus. And card-issuing banks now say fraud patterns may reveal additional breaches at other well-known brands.
BankInfoSecurity on Jan. 15 spoke with a handful of executives from U.S. card issuers who said the card-fraud trails suggest that a leading hotel company and a restaurant chain also may have been breached. Whether those potential compromises are linked to Target and Neiman Marcus is unknown, they say.
Target CEO Gregg Steinhafel confirmed earlier this week in a CNBC interview that the breach was caused by malware attached to point-of-sale devices at Target stores. Security experts speculate that the same type of malware was used in the Neiman Marcus attacks and could be linked to additional retail breaches that have yet to be disclosed.
In the weeks and months to come, these breaches are expected to be catalysts not just for legal actions, but for new debate about the changes needed to the vulnerable U.S. payments infrastructure, as well as the payments instruments that are used.
Re-issued Cards, Investigations
While there are no updates directly from Target, Neiman Marcus or any other entity that may have been breached, there is plenty of news about the incidents.
JPMorgan Chase on Jan. 14 confirmed that it is reissuing 2 million payment cards linked to the Target breach, which is estimated to affect as many as 40 million U.S. debit and credit cards plus 70 million customers' personal information. And The New York Times on Jan. 15 reported that Citibank also plans to reissue all customer debit cards affected by the breach. Other major institutions say they are reissuing "at-risk" cards, but have not disclosed the quantities.
Meanwhile, states' attorneys general and banking institutions have launched a series of investigations and lawsuits linked to the breaches.
So far, Connecticut Attorney General George Jepsen and Illinois Attorney General Lisa Madigan have announced they are reviewing the Neiman Marcus breach. Both states have already launched investigations into the Target breach, as have AGs in Florida, Iowa, Massachusetts and Pennsylvania, according to Bloomberg News.
"To the extent that we become aware of breaches at other retailers, we will be looking those as well," Jaclyn Falkowski, a spokeswoman for Jepsen's office, told Bloomberg.
Bloomberg also reports that the Indiana Attorney General is investigating Neiman Marcus' breach to determine harm to Indiana consumers.
On Jan. 13, Connecticut-based Putnam Bank filed a class action suit against Target at a district court in Minnesota, claiming Target's delay in notifying consumers of the breach cost U.S. banking institutions significant losses associated with card alerts and the issuance of replacement cards.
Putnam is asking the court to award it damages for Target's alleged negligence and is seeking to represent all banking institutions that have suffered similar losses because of the retailer's breach. Putnam claims Target breached its contract when it failed to comply with operating rules and regulations stipulated by the card brands for governing and protecting customer cardholder data.
'Tip of the Iceberg'
Experts say these latest legal actions are just the proverbial tip of the iceberg.
"Financial institutions are looking to recover their out-of-pocket losses, and this is why we will see more lawsuits," says Beth Diamond of Beazley Breach Response, a cyber-insurance and risk mitigation provider.
Still, cybersecurity attorney David Navetta, a partner at the Information Law Group, says it's unlikely that larger banking institutions will jump on the class-action bandwagon.
"They don't want to create case law that someday could be used against them, when they happen to be the merchant bank for a big breach," he says. "There may be some more bank suits, but I expect that most of the issuing banks and credit unions will tap into the card brands' fraud and operating assessment procedures" for reimbursement associated with fraud losses.
Fixing the Flaws
Beazley's Diamond says banking institutions are doing what they can to reduce fraud losses, but that they, too, are victims of these latest retail breaches. "They have little control over the retailers or the payment processors, but they are likely the ones to first identify the breaches," she says.
The banks also are at the forefront of the discussion about upgrading the entire U.S. payments infrastructure - from vulnerable point-of-sale systems to outdated magnetic-stripe payment card technology.
It's a debate that institutions take seriously, says Steve Kenneally, vice president of the American Banking Association's Center for Regulatory Compliance and Financial Policy and Regulatory Affairs. On behalf of its member institutions, the ABA is calling for greater security and accountability throughout the U.S. payments system.
"Banks are highly regulated," Kenneally says. "They have requirements they have to meet, and they are examined regularly by the agencies to make sure they are following the regulations. On the flip side, it's a lot less clear what regulations and rules and standards [merchants] have to follow and who's checking to see that they're actually doing it."
Target, Neiman Marcus Respond
Amidst this swirl of activity, public response from Target and Neiman Marcus is a study of contrasts.
Target, since acknowledging its breach on Dec. 18, has turned the incident into a call-to-action for stronger card and payments security. Target has dedicated a resource center on its Bullseye View website to updates about the breach investigation, as well as credit monitoring it's offering to consumers. And on Jan. 13, Target announced plans to provide $5 million to support a new cybersecurity coalition that will educate the public on the dangers of cybercrime and phishing scams.
Neiman Marcus, meanwhile, has issued no updates since its initial Jan. 11 statements and Twitter posts, acknowledging the breach. As of Jan. 16, there is no announcement of the breach on the Neiman Marcus consumer or corporate websites, and the retailer has issued no formal press releases about the incident and subsequent investigation.
The only news comes from the Neiman Marcus Facebook page, where on Jan. 15, in response to a customer's query, the retailer addressed the breach.
"We have been assured that we have enhanced our credit security, and that we are taking very significant steps to contain this situation," the post reads. "As is the case whenever criminals attack credit information, the best thing you can do is monitor your credit cards for fraudulent activity."
Both Target and Neiman Marcus declined BankInfoSecurity's requests for interviews to discuss the breaches.