With cyber-data breaches making the news each month, it appears that no industry is immune from the reach of hackers. From major retailers to high-tech leaders and government agencies, cyber security is at the forefront of both technological and global news stories, and it does not seem that this concentration will be changing any time soon.
While cyber-attacks on financial institutions have been declining since 2005 – coinciding with increases in security by banks and financial companies – hacks that specifically target businesses and the payment industry are on the rise. Personal information that has been stolen from payment cards has accounted for nearly half of all data breaches since 2012, and the majority of these incidents have affected individuals and small businesses. Even though these data breaches may grab fewer headlines than those that compromise organizations like Target, the combined detriment must be addressed.
Defining Payment Card Theft
The payment industry is one of the highest per capita targets among hackers, experiencing a loss of over $11.3 billion in card fraud in 2013 alone. While cyber breaches in general involve the theft of sensitive information from the cloud, mobile devices, and even system issues, payment card theft is a different breed altogether.
With attacks on businesses like Home Depot and Target, payment card breaches are increasing in regularity and impacting millions of people. Most card data thefts occur due to skimming or database compromise:
- Skimming – Skimming devices are used to read and save data from the magnetic stripe on a credit or debit card. Hackers install a card reader device on an ATM or point-of-sale terminal and retrieve the information after customers swipe their cards. Armed with this data, they are then able to recreate identical information on counterfeit cards. Today, criminals can also use malware or Bluetooth technology to access this data, as was demonstrated in the Target incident.
- Database compromise – Criminals achieve database compromise either by accessing a merchant’s security tools or by stealing a merchant’s magnetic stripe data. The information can then be used to counterfeit payments, similar to skimming. Hackers who were able to access TJ Maxx data in 2007 used database compromise in their attack.
The Cost of Payment Data Breaches
While hacking a high-profile company for large sums of money may bring hackers fame and fortune, cyber security controls for these companies are becoming much more stringent. For this reason, smaller companies are now finding themselves the primary target for data breaches with an average of 10,000 records stolen per incident. When smaller companies are affected, the damage to these businesses and individuals can be staggering.
Although the actual cost of a data breach depends on the number of records that are stolen and the size of the company, there are several common expense areas that will be impacted:
- Forensic Examination – Any company that experiences a data breach will need to determine the severity and far-reaching impact of the compromised information. When companies opt to respond to the breach without investigation, they often pay more than if they had taken time to analyze the situation. A forensic exam by a third party can range anywhere from $200-$2,000 per hour.
- Notification – When a data breach occurs, state regulations require that the hacked business notify all affected individuals and businesses. These notifications vary in cost from $5-$50 per notice, which can result in a potentially expensive endeavor depending on the scope of the breach.
- Credit and Identity Monitoring – After the initial notification, breached companies often offer credit or identity monitoring to affected customers. Although this service is not legally required, most companies absorb the costs as a show of good faith to their customers. Costs for this service can vary from $10-$30 per person.
- Public Relations Campaigns – Admitting to a data breach can be devastating for the public image of any company, and many will turn to professional public relations firms to help them mitigate the damage. With many expenses resulting from a data breach, most companies cannot afford to lose customers as well.
- Legal Defense – Consumers, banks, and many others often file lawsuits when a data breach occurs, and a solid legal defense is necessary. The average cost for retaining and using legal defense is $500,000, with an average settlement of $1 million.
- Fines and Penalties – In addition to the legal fees and responsibilities towards consumers, companies typically must answer to state or federal authorities such as the state attorney general or the Federal Trade Commission. These fines can range from $5,000-$100,000.
- Costs to Breached Individuals – While the companies that are breached bear the brunt of these expenses, there are costs to the consumers as well. While many are not monetary penalties, consumers do not go unscathed and can experience anything from potentially lowered credit scores to declined debit and credit cards. Additionally, these customers must now go through the hassle of reporting the fraud, obtaining new payment cards, and even righting their damaged credit. Although the hacked companies can attempt to make amends through their credit monitoring services and their public relations campaigns, this is not always enough to salvage the customers’ trust, which in turn impacts the bottom line and long-term growth.
With cyber breaches continuing to rise in the payment industry, it is unlikely that the recent hacks which have affected Sony and JP Morgan will be the last. Even as the U.S. moves towards adopting the arguably more secure EMV chip technology to combat card-related fraud, consumers can help protect themselves from the potentially devastating effects of a cyber-data breach by keeping careful tabs on their bank accounts and credit scores.