Why The Home Depot Breach Is Worse Than You Think

A Forbes report offers interesting insights into the data breaches we have been witnessing regularly.

A few weeks ago, my wife and I discovered that our credit card number was stolen. How? She got flowers.

Yes, flowers. A dozen red roses arrived for her one day. This was a true mystery. I don’t normally send flowers to my wife – a practice I’ve been recently reminded to change. Our kids are broke and would never send her flowers unless it was a very special occasion. She’s not, to my knowledge, having an affair (she works full time and who has the energy to do these things nowadays anyway?).  Our only clue was the card that accompanied the flowers and which had just one word on it: “Happy!” We were baffled. Who would do such a thing? Well, soon enough the mystery was solved. And we certainly found out why the sender was so happy.

That’s because just a few days later our credit card was declined. When we called up MasterCard we were told that their computers had picked up a few suspected fraudulent transactions on my wife’s card. More than just a few it turned out. In fact, there were about fifty purchases made with our card for things we never knew about or authorized. And yup – one of them was for a dozen red roses at a local florist. For almost two hours, my wife went through each and every transaction with the MasterCard agent (who was great, by the way). We are still receiving daily updates and information about the charges. We were without our cards for a few days until new ones were sent. And now the “your card was declined” emails from online vendors that we use are starting to trickle in.


All of this is an annoyance, but not a financial calamity. MasterCard, like most credit card services, is pretty good with their consumer/customers. They’ve waived any charges, are investigating the crime (yeah, good luck with that) and are not holding us responsible. Looking back, we’re only guessing that the breach was related to Target, because there’s an awesome Target store near us that we frequently use. A few months ago Target admitted that they were hacked, losing millions of card numbers which likely included ours. At the time it was even bigger than the breaches suffered by eBay and Michaels’ Stores earlier this year. But then just this past week Home Depot disclosed a potential loss of 56 million credit card numbers. 56 million! Think about that – it’s more than the entire population of Spain and is, to date, the biggest credit card security breach ever. We shop at eBay, Michaels, Target and Home Depot. Oh no.

But hey, big deal, right? If and when those numbers are sold off, those unsuspecting victims – customers of these retailers – will probably suffer the same fate as us. A little inconvenience. Acceptance of liability by the credit card company. Maybe, just maybe, a dozen red roses with a card that says “Happy!” We’re not paying for it, so no big deal.

Well, it’s worse than you think. It is a big deal.

It’s a big deal for the fifty or so vendors on my credit card, many of them small merchants like my local florist who shipped out products and may never get paid. As one report summarizes: “As soon as the fraud is identified, the credit card company seals the cardholder’s cash and if the merchant is unable to prove the authenticity, the cash is debited from their accounts. The chargeback money is the fee that the merchant has to pay for letting the thieves use the stolen cards. The higher the number of chargeback fees, the higher the chances of a specific vendor losing the ability to accept certain credit cards. These costs keep on adding up. LexisNexis published a survey according to which in 2013, an average merchant lost about 0.68 percent of annual income to fraud. A merchant has to pay around $3.08 on each dollar to replace the losses, penalties and chargeback fees.”

What’s the florist to do? Raise prices to cover this cost if it continues to occur? Be a pariah and never accept credit cards? Spend for even more insurance and then suffer premium increases every time she files a claim? It hits her profits and she’s defenseless. 56 million stolen credit cards from Home Depot alone means that there could be hundreds of millions of fraudulent transactions with as many small and medium-sized companies who are already running on tight profit margins and not enough cash flow. In a slow economy. Big companies can absorb losses, establish reserves, raise prices. Small businesses, including mine, have fewer resources and less flexibility. We are exposed – more exposed to this problem than anyone else.

And even if you don’t run a small business you’ll still be impacted. That’s because it’s only a matter of time before credit card companies like Visa and MasterCard stop absorbing the lion’s share of these costs and start coming down harder on their customers. Is it entirely their fault that the security “experts” at Target and Home Depot allowed themselves to be hacked, which is what is causing this mess? Shouldn’t these liabilities be shared more equitably? Financial service firms do have deep pockets, but their resources are not unlimited. If these breaches continue to occur, look for them to share the costs not only with those companies that allow themselves to be hacked, but by raising fees to their customers (yes, you and I) to cover these rising expenses. We all lose.

But the biggest loser of all? Yeah, that’s me. Just because some jerk got hold of our credit card and sent a dozen red roses to my wife she’s now reminded what a negligent husband I am because I rarely send her flowers. Thanks guys, really appreciate it.

Besides Forbes, Gene Marks writes daily for the New York Times and weekly for Inc.com.

Schnuck reveals more information on card data breach

Schnuck Markets Inc. has been under fire since late last month when reports of unauthorized card use started emerging, with customers seeing charges ranging from a couple of dollars to thousands. These breaches can cost companies millions in investigative and legal bills, lost business and fines.

Sunday’s statement from the company is the first to reveal the extent of the breach. As many as 2.4 million credit and debit cards used at 79 Schnuck stores may have been compromised over a three-month period, leading to widespread fraudulent charges at locations around the globe, the company said Sunday.

“On behalf of myself, the Schnuck family and all of our 15,000 teammates, I apologize to everyone affected by this incident,” said Scott Schnuck, in a written statement. “Over the years, technology has helped us deliver superior customer service, but it also introduces risks that we have actively worked to manage through compliance audits, encryption technology and various other security measures.”

Payment card companies impose “stringent rules” and insist that any merchant that accepts credit cards is required to adhere to industry standards for data security, including annual audits. Schnuck says it underwent such an audit in November last year and passed.

However, it is debatable how “stringent” the rules imposed by PCI are and whether they are sufficient to foil the increasingly sophisticated hacker attacks aimed at stealing data. Experts said the problem is so great that the data security industry is scrambling to get ahead of hackers — and, in many cases, the hackers are winning.

Unfortunately, smaller businesses and local retail store chains are increasingly becoming targets for hackers because they’re perceived as having weaker security systems. An Arizona-based grocery chain, similar in size to Schnuck, was hacked in February.

Some interesting data breaches and simple lessons we have not learned!!


Data breach – the phrase may ring alarm bells in the minds of some people – thanks to the series of penalties imposed by regulatory bodies and the heightened awareness created by the media. However, on deeper analysis, many of these breaches are the result of careless and casual decisions by a low-level employee. One simple but effective solution – education and awareness. Unfortunately, information security awareness training is not achieving the desired results, and data breaches continue.

Let us have a look at some of the data breaches of the first week of February 2013, courtesy of the Privacy Rights Clearinghouse.

February 7, 2013 Simple data encryption could have saved your day.

Thorlo: Hackers were able to access customer credit card information stored on computer servers. The cyber attack affected customers who made purchases on www.thorlo.com between November 14, 2012 and January 22, 2013. Credit card numbers, credit card expiration dates, credit card security codes, names, and contact information were exposed.

February 7, 2013 If you’re sending mass mailings, hide the recipient details. Please.

Schneider-Electric: A vendor’s mailing error resulted in the exposure of employee Social Security numbers. Call for Candidacy letters were mailed sometime around January 16 that had Social Security numbers, names, and addresses visible through the address window of the letter.

February 7, 2013 Data encryption, encryption, encryption!!!

Wayne Memorial Hospital: An unencrypted disc that contained patient information was lost in transit. The disc had names, Medicare account numbers, and outstanding account balances from patients who visited the Honesdale hospital between 2007 and 2012. A legal envelope that contained the disc was mailed on November 28 and arrived at Novitas Solutions in Pittsburgh in a cardboard box without the disc.
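The two encryption lessons above (card data sitting on a web server, and a patient billing export mailed on a disc) come down to the same control: the data should be useless to whoever ends up holding the medium without the key. The following is an added example, not code from the article or from either organisation, showing how a billing export is sealed with AES-256-GCM before it leaves the building. The export contents and field names are constructed sample data; the key is assumed to be generated once, kept in a key store, and given to the recipient separately from the disc. GCM is used rather than a bare block cipher so that a disc that was altered in transit is rejected on decryption instead of yielding silently corrupted records.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample export, standing in for the billing file that was lost
// on the unencrypted disc. A real program would read this from a file.
const sampleExport = "name,medicare_id,balance\nJane Doe,SAMPLE-ID-001,412.50\n"

// NewKey returns a fresh random 256-bit AES key. In production the key lives
// in a key management system and is shared with the recipient out of band,
// never on the same disc as the ciphertext.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates plaintext, returning nonce||ciphertext||tag.
// A fresh random nonce per file keeps key reuse across exports safe.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Prepend the nonce so the recipient needs nothing but the key.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. It fails if the key is wrong or if any byte of the
// sealed blob was modified, which is the property a lost disc relies on.
func Open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short to contain a nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	sealed, err := Seal(key, []byte(sampleExport))
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d bytes for the disc\n",
		len(sampleExport), len(sealed))

	// Simulate a disc that was tampered with in transit: flip one bit.
	sealed[len(sealed)-1] ^= 0x01
	if _, err := Open(key, sealed); err != nil {
		fmt.Println("tampered disc rejected:", err)
	}
}
```

The sealed blob is what gets burned to the disc; the key travels by another route (or is already held by the recipient under a key agreement). Note that the Thorlo item also lists card security codes among the exposed fields; under PCI DSS those codes may not be stored after authorisation at all, so for that class of data encryption is the fallback and deletion is the primary control.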

February 3, 2013 Not just storage and custody, ensure safe disposal.

River Falls Medical Clinic: River Falls Medical Clinic officials reported a burglary during the summer of 2012. The equipment and paper documents that were stolen were recovered by police on November 28. An employee of a cleaning service that subcontracted with the Clinic is the main suspect. The items were found in the employee’s home and he was charged with felonies associated with theft and drug possession. It is believed that the documents were intended to be shredded. They contained patient names, dates of birth, patient account and billing account information, diagnosis codes, insurance information, account numbers, medical chart numbers, and scheduling information. An unspecified number of patients also had their Social Security numbers, home addresses, and phone numbers exposed.

February 1, 2013 Watch what you are sending in your email.

Antioch Unified School District: A document with sensitive Worker’s Compensation claim information was accidentally sent out with an email to a limited number of Antioch Unified School District employees. Social Security numbers and other information related to current and former employees that reported injuries were exposed. The incident occurred on January 18 and people who received the email were instructed to remove and destroy any saved information contained in the email. Those who received the email were also instructed to provide written verification that they had removed and destroyed the information.

February 1, 2013 Take care of your trash bins too!!

Tallahassee Memorial HealthCare: A former Tallahassee Memorial HealthCare food service employee was indicted on 31 counts of filing false tax returns, wire fraud, false claims, and aggravated identity theft. He and two others are believed to have participated in a conspiracy that led to $818,000 in fraudulent claims. The employee worked for Tallahassee Memorial HealthCare for three years. He gathered patient names and dates of birth from food tray receipts when he delivered food to the rooms of patients in August of 2011 and stole emergency room data sheets from the trash. The information was then passed to the two others who participated in the conspiracy.

February 1, 2013 How many copies of your data are available, and WHERE?

Central Laborers’ Pension Fund, Central Laborers’ Welfare Fund, Central Laborers’ Annuity Fund, Illinois: A home burglary resulted in the theft of a CD that contained the information of over 30,000 beneficiaries. The CD contained names, Social Security numbers, and dates of birth and was taken from the home of an accountant at an unnamed accounting firm. The three funds sued the accounting firm for $200,000 to cover the cost of credit monitoring and insurance.