
Cyber Insecurity Part 2 – Time to hit hacker enablers where it hurts?

October 14, 2014

How many times have you had to replace your credit or debit cards this year? Get ready to do it again.

On October 10, headlines and breaking news stories appeared warning of still another massive data security breach, this one at Kmart, a retailer catering to a wide variety of middle- to low-income consumers. The company says it did not affect online or Sears store customers.

As a subsidiary of Sears Holding Company, Kmart typically pitches its product lines to people who can afford to lose money even less than most.

As required by law, Kmart filed a section 8K SEC notification, which detailed the breach, on October 9, 2014 and stated that it had occurred in early September.

Several news outlets reported the story, but one fact apparent in the copy of the SEC filing was glossed over.

Some reports, including one report on the website that included wording taken directly from the SEC notice saying that the breach had overwhelmed the company’s security software, somehow failed to include the other telling statement contained in the report.

That statement was as follows: “Kmart is deploying further advanced software to protect customers’ information”. That would indicate that better software is available.

At least since the Target breach last year, any company that has access to higher-quality security software and fails to implement it should probably have to do a bit more than offer credit monitoring.

So, what’s being done about it?

There is hardly any shortage of law firms filing suits against individual retailers. Two credit unions, one in New York and one in Pennsylvania, are reported to have filed suits in Atlanta federal court against Atlanta-based Home Depot, and are seeking to have the suits elevated to class action status.

Other suits have been filed against Neiman Marcus and Target, and VISA® was reportedly sued in 2013 over $13 million in “fines” it imposed on sporting goods apparel retailer Genesco when that company’s POS terminals were compromised.

On October 2, 2014, the Retail Industry Leaders Association (RILA), the trade association that represents many of the largest retailers, hosted a presentation on cyber security in honor of National Cyber Security Month (who knew there was a whole month being dedicated to observing cyber security?). Interestingly, the immediate past chairman of RILA is one Gregg Steinhafel, President & Chief Executive Officer of Target Corporation.

As usual at this sort of thing, a lot of hot air was expended cautioning members to be more vigilant and encouraging collaboration. Wow.

You’d think Mr. Steinhafel might do more than line up a speaker for the annual RILA convention.

The Federal government seems to want you to think they take cyber security very seriously, if you place any credence in the President’s remarks at a fundraiser last Tuesday.

Still, actions speak louder than words, and judging from all the reporting on the total lack of security on the ACA website, there isn’t much action. The FBI Director makes a point of saying that most of the hackers are in countries where we can’t prosecute them.

It’s counterproductive and a waste of resources to sue each retailer or bank or credit card processor because there was a breach. And just issuing new cards works only until you use the card for the first time, if you are unlucky enough to use it where there is a breach in progress, which according to the FBI is potentially every large company in the country.

After each one of these breaches there’s a little flurry of media interest, a lot of people have to get new plastic, and that’s about the size of the response.

That is not good enough.

Given all the reporting on so many scandals, incompetence, crises, and oh yes, the elections, it isn’t too hard to see why this hasn’t yet taken on the importance of a national emergency, despite the President’s remarks.

Government in general, and this administration in particular, doesn’t seem to attach importance to anything until it becomes a BFD with the public.

It’s time to make it a BFD.

There has been considerable reporting that the reason cards get hacked is that both banks and businesses say it’s too expensive to upgrade.

Compared to what? Shutting down their businesses?

Granted, there are a lot of ways for criminals to get into computer systems, but not upgrading to the most effective security software and payment methods makes it a lot easier than it needs to be for the bad guys to win.

As inconvenient as it would be, perhaps there should be a mandatory shutdown period for businesses that are not taking consumer information protection seriously. Shut down a business and suspend trading on their stock if they are publicly traded for a week, and you can bet the board of directors will notice.

Then there is the government itself. Suppose the Social Security Administration or the IRS gets hacked down to the consumer level. It’s happened at state and city levels already.

And that doesn’t even take into consideration our energy grids, military and other systems that relate to national defense. Defending those seems pretty important too, but that gets into the realm of global politics, a topic for another time.

The only time in recent memory that the administration has altered course even optically is when there is a sufficient public reaction to get their attention. Given that the midterms are in less than 30 days, the timing might be a little off right now. By early December at the latest, we’ll know what the balance of power will be for the next two years.

This administration is really good at throwing in the towel before they even get into the ring. We don’t hear any official do much more than wring their hands and tell us what they can’t or won’t do.

However, right after November 4th, the presidential campaigns will kick off in earnest and the newly elected legislators will be out to make a name for themselves. Assuming we haven’t arrested or otherwise disposed of all the hackers and cyber criminals by then, a public outcry could have legs at that time.

Right is not necessarily might, but consumers making a BFD of this and becoming a voter base of their own has the potential to have a real effect.
