The implications of the Target data breach keep expanding, and none of them are heartening. To (painfully) refresh your memory, data from 40 million credit and debit cards recently was filched from company systems over a 19 day period.
The bad news for the retail giant’s customers broke just before Christmas, and in the last few days, it has become clear that the purloined information is being hawked on global black markets. According to KrebsonSecurity.com, banks have been buying back customers’ stolen card data at the underground “card shop” Rescator.la in an attempt to gauge the dimensions of the breach. (At this point, card PIN numbers still seem secure. Target claims they were—and remain—fully encrypted.)
In short, it’s a mess, enough to make you conduct all your dealings in greenbacks—or even specie, or silver ingots, or maybe by bartering basic goods and services. So what’s next? Things remain murky. Charges are rife that U.S. retailers are well behind industry peers in other nations in adopting state-of-the-art data security. Expect systems upgrades across the industry, all accompanied by perfervid press releases heralding the new measures.
And another thing seems certain: The lawyers are going to wade into this particular swamp. “The banks are on the hook for the charges, and customers may find trouble getting new credit cards,” says Terrence Hendershott, an associate professor at the Haas School of Business. “So it’s very possible Target could be sued by the banks or customers—or both.”
He says the breach raises some basic questions about the way data is collected and maintained by larger retailers: “Target had a lot of information, and you have to wonder why they needed to know so much about their customers. Did customers choose to provide that information? If not, how was it collected?”
Ultimately, the breach may generate no satisfactory response, at least in preventing similar cases in the future. New and tougher encryption will only be met by more sophisticated hacking. And as far as tougher laws go? Hendershott advises not to expect miracles. The laws dealing with data theft are already pretty rigorous, and they have done little to stop the pillage.
“It’s not clear to me that we need new laws,” he says. “As far as liability is concerned (in this case), we’ll have to see if consumers are satisfied with the standard that exists. If not, new laws, state or federal, might be appropriate.”
In the meantime, check your credit card statements carefully and consider using cash whenever possible. Or maybe the old Russian proverb expresses it most succinctly: Hope for the best, expect the worst.