Data breaches were on the rise this year, with no clear indication of slowing down.
Both 2013 and 2014 were dubbed the year of the data breach, indicating that these are becoming the norm rather than isolated incidents. More notable, said Tom Turner, security firm BitSight’s executive vice president of sales, is the scope of the breaches.
“While the volume of data breaches continues to climb year on year, what is more noteworthy about 2014 has been the magnitude of the breaches and the frequency with which third-party vendors have been the source of the breach,” he said in an email to VentureBeat.
Last year, there were 1,367 data breaches in 95 countries, according to Verizon’s annual report. So far this year there have been 720 security breaches in the U.S. alone, according to Identity Theft Center’s weekly report — a nearly 25 percent increase from the same time last year. Some of the most public breaches were Home Depot, in which 56 million credit cards were stolen; Target; JP Morgan Chase; and HSBC in Turkey. Other major retailers that were hacked include Kmart, Sally Beauty, Michaels, Bebe, Godiva, Staples, Neiman Marcus, Goodwill, and Shutterfly. Sony was also recently attacked, yielding a leak of Social Security numbers for 47,000 staff members, among other documents, according to the Wall Street Journal.
It’s unlikely the torrent of hacker attacks will end with the year, said Sami Nassar, general manager of NXP Semiconductors. “I’m a little pessimistic on how we can curb this,” he said. NXP creates the secure element — the chip inside cell phones integral to securing digital wallets like Apple Pay and Google Wallet. He says that insecurity is a result of an infrastructure problem, especially for retailers.
“Banks invest a lot of money into security protection, and retailers don’t make that kind of investment and actually, they can’t afford it — if they were to do it, it would be extremely expensive,” he says. Retailers rely on a lot of legacy hardware — and really, a whole legacy infrastructure — that isn’t particularly well secured. As an example, last week an East Coast supermarket chain suddenly lost use of its point-of-sale (POS) system because the payment terminals it was using had cryptographic certificates with a 10-year expiration date. When the expiration date came, those terminals shut down. The problem was said to have affected “several thousand terminals,” according to the Krebs Security blog. Given how far attack techniques have advanced, it seems counterintuitive that major retailers would still be working with decade-old technology.
Of course, in some ways that’s set to change in 2015. Next year, retailers will be strongly encouraged by credit card providers to upgrade payment terminals to accept EMV (EuroPay, MasterCard, and Visa) chip cards. The new credit cards eliminate the potential for skimming card data off a reader or hacking a POS for card data, because the retailer receives a randomized token in place of the actual credit card data.
Moving to EMV cards in Europe has already significantly lowered credit card fraud in the region, a FICO report outlines. However, though in October 2015 the banks are shifting accountability onto retailers for fraudulent charges made with a magnetic stripe credit card, it may still take retailers a few years to make the change. Also, as Nassar notes, just making the switch to EMV cards will not solve all security vulnerabilities.
“We need to design for security, so from the get-go, when we’re designing anything we have to take the architectural security into consideration so we don’t fall into these traps,” said Nassar.
But again, that’s a hugely expensive undertaking, which means security breaches are likely to increase again next year before hopefully slowing down.