Cybersecurity and corporate crisis in the retail industry


This article was produced by Olswang LLP, which joined with CMS on 1 May 2017.

In December 2013 it was revealed that Target, a major retailer in the US, was affected by a security breach. We explain what happened, the likely impact and why proactive security management should still be a top priority for retailers.

What happened and how has Target reacted?

No official explanation has been provided, but reports suggest that hackers gained access to Target's point-of-sale (POS) systems following an email phishing attack aimed at one of Target's third-party contractors. The hackers then stole the credit and debit card data of up to 40 million customers when sales were made, and personal information relating to up to 70 million customers was also compromised. These numbers were particularly high as the security breach occurred over a three-week period in the run up to Christmas.

On discovery of the breach, Target appointed experts to carry out a forensic investigation of its systems. It is also co-operating with U.S. Secret Service and Department of Justice investigations and:

  • communicated with its customers in various ways about the breach, including by email and by having a dedicated area of the Target website with updates, advice and FAQs;
  • offered its customers 10% off all sales the weekend before Christmas, plus one year of free credit monitoring and identity theft protection;
  • informed its customers that they have no liability for the cost of any fraudulent charges arising from the breach;
  • initiated the creation of and invested $5 million in a campaign with a number of other organisations to educate the public on cybersecurity and consumer scams; and
  • participated in the launch of the Cybersecurity and Data Privacy Initiative, a retail industry initiative to improve consumer privacy, cybersecurity and payment security.

How was Target's business affected?

The impact of the breach on Target serves as another reminder of how a cyber-attack can turn into a full-blown corporate crisis:

  • in March, profits were reported to have fallen 46% (for the same quarter compared to the previous year) and a profit warning has been issued for 2014;
  • in February, Target said that its costs to date - including the costs of investigating and managing the breach, paying for credit monitoring services for its customers, additional customer services personnel and legal fees - were $61 million;
  • class action lawsuits have already been filed, and more lawsuits and enforcement action may be on the horizon;
  • Target's chief information officer resigned in March;
  • in March Standard & Poor's downgraded Target's credit rating, partly due to the data breach and its financial consequences;
  • Target's CEO resigned in May.

What should other retailers think about in light of the breach?

Like many retailers, Target had taken steps to protect the security of its systems, payment card data and customer information. Despite Target having invested heavily in security, with multiple layers of security protection in place and its certification as compliant with the Payment Card Industry Data Security Standards as recently as September 2013, the cyber-attack still happened.

As Michael Kingston, CIO of Neiman Marcus, another US retailer which experienced a similar hack last year, said in February: "just having the tools and technology isn't enough in this day and age…These attackers again are very, very sophisticated and they've figured out ways around that."

However, organisations should still be carefully managing and stress testing their systems on a regular basis to ensure the best levels of security.

Ross McKean, Head of Data Protection at Olswang, commented: "it is extremely difficult in our hyper-connected age for an organisation to completely safeguard against a security breach; determined hackers will ultimately find a way around security protocols and the most common breaches are often the simplest, such as phishing emails. But because of the huge reputational damage a breach can cause, it is vital for organisations to do - and be seen to be doing - everything they can to protect the security of their systems and data."

A catalyst for improvement?

The Target breach will impact the US retail and banking industries beyond an individual organisation level.

One outcome will be greater collaboration across the retail industry, with several large US retailers (including Target) now taking part in an initiative called the Retail Cyber Intelligence Sharing Center which allows them to share intelligence about cybersecurity with each other and with security analysts and agencies.

The breach may prove to be a catalyst for greater spending on security across the retail sector. The recent PwC Information Security Breaches Survey indicated that on average UK retailers only spent 6% of their IT budget on security, and various studies suggest that the percentage for US retailers is even smaller.

In the US, the Target data breach is also expected to encourage speedier adoption of more secure technologies for payment cards and systems, where the most common payment system relies on magnetic stripes and signature verification for security.

In March, MasterCard and Visa announced a new cross-industry group to focus on enhancing payment systems security, with Visa's president Ryan McInerney specifically referring to "recent high-profile breaches [serving] as a catalyst for much needed collaboration between the retail and financial services industry on the issue of payment security". One of the tasks for the group will be the advancement of EMV chip technology (which is widely used in Europe) in the US. This technology generates a unique code for every transaction and therefore has the potential to significantly reduce financial loss due to lost or stolen cards. In the UK, high street losses reduced by 67% in the three years following the introduction of chip and PIN technology in 2004.
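The contrast the paragraph above draws, as an added, deliberately simplified illustration (it is not code from the article, nor the real EMV cryptogram scheme): static stripe data authorises again whenever it is copied, while a per-transaction code bound to a counter, amount and terminal is rejected on replay. The issuer model, card key, PAN and terminal identifier are all constructed for the example.

```python
import hmac
import hashlib
# Constructed, simplified model of the contrast the article draws (not the real
# EMV ARQC scheme): the issuer keeps a per-card key and the last accepted
# Application Transaction Counter (ATC).

def magstripe_track(pan: str, expiry: str) -> str:
    return f"{pan}={expiry}"  # static data, identical on every swipe

def chip_cryptogram(card_key: bytes, atc: int, amount_cents: int, terminal_id: str) -> str:
    # per-transaction code: a MAC over counter, amount and terminal
    msg = f"{atc:05d}|{amount_cents}|{terminal_id}".encode()
    return hmac.new(card_key, msg, hashlib.sha256).hexdigest()[:16]

class Issuer:
    def __init__(self):
        self.cards = {}  # pan -> {"key", "expiry", "last_atc"}
    def enroll(self, pan: str, expiry: str, key: bytes) -> None:
        self.cards[pan] = {"key": key, "expiry": expiry, "last_atc": 0}
    def authorise_swipe(self, track: str) -> bool:
        # only static data can be checked, so a copied track is indistinguishable
        pan, expiry = track.split("=")
        rec = self.cards.get(pan)
        return rec is not None and rec["expiry"] == expiry
    def authorise_chip(self, pan, atc, code, amount_cents, terminal_id) -> bool:
        rec = self.cards.get(pan)
        if rec is None or atc <= rec["last_atc"]:
            return False  # unknown card, or counter reused: treated as replay
        expected = chip_cryptogram(rec["key"], atc, amount_cents, terminal_id)
        if not hmac.compare_digest(expected, code):
            return False  # code does not fit this counter/amount/terminal
        rec["last_atc"] = atc
        return True

def replay_demo() -> dict:
    # what the issuer decides when captured card data is presented again
    issuer = Issuer()
    key = b"constructed-card-key"  # unique per card in practice
    pan = "4000001234567890"  # constructed sample PAN
    issuer.enroll(pan, "1216", key)
    track = magstripe_track(pan, "1216")
    code = chip_cryptogram(key, 1, 4999, "POS-17")
    return {
        "swipe_first": issuer.authorise_swipe(track),
        "swipe_copied": issuer.authorise_swipe(track),  # stolen stripe data still works
        "chip_first": issuer.authorise_chip(pan, 1, code, 4999, "POS-17"),
        "chip_replayed": issuer.authorise_chip(pan, 1, code, 4999, "POS-17"),
        "chip_new_amount": issuer.authorise_chip(pan, 2, code, 9999, "POS-17"),
    }
```

A real issuer also checks the card's own counter rather than trusting the terminal's, which is why the unique-code property is the part that limits the value of stolen card data.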

To effect this kind of change, US retailers need to update their systems and purchase the appropriate hardware to read payment cards with chips. There is a separate incentive for them to do so, as from October 2015 US retailers who haven't upgraded to EMV chip technology will be liable for any fraudulent transactions made using a swipe card issued by the major payment networks (including Visa and MasterCard).

Target has announced that it has accelerated work on a $100 million project to build chip technology into its own payment cards and in-store payment systems. However, other retailers still need to be convinced that the savings will outweigh the investment costs. US banks would also have to start providing more chip cards - it is estimated that less than 2% of the US population own a chip payment card.