I hate to say that this news is unsurprising, but it is. Reuters is reporting tonight that during the recent holiday shopping season at least three other smaller US retailers were hit by credit card data breaches possibly similar to those at Target and Neiman Marcus. When news of the Neiman Marcus breach began surfacing earlier today, there was a sense that more was coming. According to the Reuters report, the other US retailers affected by the data theft have yet to be publicly disclosed, but sources say the retailers involved had outlets at malls.
Smaller breaches occurred at possibly three other well-known U.S. retailers and were conducted using similar techniques as the one on Target, according to the people familiar with the attacks. The outlets and information regarding those breaches have yet to be made public. Also, similar breaches may have occurred earlier last year.
Reuters sources say that the thieves may be the same as those who struck at Target. The suspicion is that the culprits are based in Eastern Europe.
Again, keep in mind that businesses, banks, and insurance agencies like to keep these kinds of attacks quiet until they need to notify affected customers. Different states also have different laws and requirements about this kind of notification.
This was a major shock-inducing story from the moment Krebs on Security broke the news of the original Target data breach. But the scope of these breaches is now reaching such a dramatic scale that we are certain to see large ramifications affect retail sales in the US going forward.
A part of this developing story has been that neither US retailers nor the banks that process their transactions and issue the credit cards have been willing to invest in the same kind of point-of-sale systems that are now prevalent in Europe and other countries. These systems, instead of using a magnetic stripe to contain customer data, use chips embedded in the plastic cards that create a unique code each time the card is used. This limits any theft of information to a one-time event, instead of one that continues until the bank cancels or disables the credit card. Not only is there hesitance to bear the expense of changing the system, but there is also discussion that the current system is too much of a profit center for the banks to have enough motive to change.
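The difference between static stripe data and a per-use chip code, as an added example that is not from the original post: a simplified model in which HMAC-SHA256 and a transaction counter stand in for the real chip-card cryptogram. The card number, key, and all class and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample values: a test-style card number and a made-up key.
PAN = "4000000000000002"
CARD_KEY = bytes(range(16))  # secret held by the chip and by the issuing bank

def cryptogram(key, pan, counter, amount_cents, nonce):
    # Stand-in MAC (HMAC-SHA256); real chip cards use their own scheme.
    msg = f"{pan}|{counter}|{amount_cents}|".encode() + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Chip:
    def __init__(self, key, pan):
        self._key, self.pan, self.counter = key, pan, 0

    def pay(self, amount_cents, nonce):
        self.counter += 1  # every use gets a fresh counter value
        mac = cryptogram(self._key, self.pan, self.counter, amount_cents, nonce)
        return {"pan": self.pan, "counter": self.counter,
                "amount": amount_cents, "nonce": nonce, "mac": mac}

class Issuer:
    def __init__(self):
        self.keys = {PAN: CARD_KEY}
        self.last_counter = {PAN: 0}

    def authorize_stripe(self, track_pan):
        # Magnetic stripe: the same static data is presented on every swipe.
        return track_pan in self.keys

    def authorize_chip(self, tx):
        key = self.keys.get(tx["pan"])
        if key is None:
            return False
        want = cryptogram(key, tx["pan"], tx["counter"], tx["amount"], tx["nonce"])
        if not hmac.compare_digest(want, tx["mac"]):
            return False  # fields were altered or the key is wrong
        if tx["counter"] <= self.last_counter[tx["pan"]]:
            return False  # this code was already used once
        self.last_counter[tx["pan"]] = tx["counter"]
        return True

def demo():
    issuer, chip = Issuer(), Chip(CARD_KEY, PAN)
    tx = chip.pay(2599, os.urandom(4))  # the record a terminal would see
    return {"stripe": [issuer.authorize_stripe(PAN) for _ in range(3)],
            "chip_first": issuer.authorize_chip(tx),
            "chip_replay": issuer.authorize_chip(dict(tx)),
            "chip_altered": issuer.authorize_chip({**tx, "counter": 2, "amount": 99999}),
            "chip_next": issuer.authorize_chip(chip.pay(500, os.urandom(4)))}
```

In `demo()`, the stripe data is accepted on every presentation, while the recorded chip transaction is accepted once and rejected when presented again or with changed fields; the card's own next payment still goes through.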
That thinking is about to change, I’m guessing, as the scale of the data thefts has certainly shaken the confidence of all concerned in the existing system and certainly won’t make new consumer payment approaches, such as Coin and Google Wallet, easier for consumers to swallow without some better guarantees at a chance of security.
If the scale of these thefts continues to grow, I also wouldn’t be surprised if this moves from concerns about commercial theft to one that begins discussing these attacks as acts of terrorism.