Tag Archives: Target

Cyber Insurance

Cyber insurance protects against hacking into company accounts. Some companies need as much as $1 billion in cyber insurance to protect themselves against cyber attacks. In addition, there are firms struggling to secure even a tenth of that amount. If a data breach occurs within a network, the company that suffered the breach could face hundreds of millions of dollars in extra costs. The maximum amount of cyber insurance coverage currently available is $20 million. This is for a data storage company.

Researchers at Kaspersky Labs, a Russian cyber security group, uncovered sophisticated spying software in the hard drives of personal computers used in 30 countries, including Iran, Pakistan, Russia and China.

The latest in a long line of whistleblower Edward Snowden’s National Security Agency revelations may be among the most shocking. The NSA and its British counterpart, GCHQ, allegedly compromised the networks of Gemalto and then pilfered the encryption keys protecting untold millions, potentially billions, of SIM cards. A compromise of SIM cards on this scale would call into question the integrity of the entire global cellular communication system.

Gemalto is a global manufacturer of mobile device SIM cards. According to the Economist, it manufactures more SIM cards than any other organisation in the world. (SIM is an acronym for subscriber identification module. A SIM card is a little integrated circuit that plugs into your mobile device. It contains the unique international mobile subscriber identity (IMSI) along with an encrypted authentication key. Together, the key and the number essentially validate that your phone is, in fact, your phone.)

Gemalto produces approximately 2 billion SIM cards every year. To put that in context, there are 7.125 billion humans in the world and an estimated 7.19 billion mobile devices. Gemalto’s clients include mobile service providers Sprint, AT&T, Verizon, T-Mobile and some 450 other organisations. The company does business in 85 countries and operates a further 40 manufacturing facilities.

Target, the U.S. retailer, said that the price tag for the data breach that affected up to 110 million of its customers had reached $248 million. A catastrophic hit such as this on a large bank or power utility has prompted the private sector to work with the government sector to find ways to boost cyber insurance coverage.

Stephen Catlin, the head of a Lloyds of London insurer, warned that cyber attacks constituted the biggest, most systemic risk he had ever seen. He recommended that it should be covered by governments, stating that insurers’ balance sheets were not large enough.

Cyber risk management is poor at certain companies. In addition, the unpredictability of future attacks is accompanied by a lack of data with which to price risks. Insurance companies are finding the costs too high, and instead of growing, coverage has become more limited. Insurers are requiring tougher cyber security standards in the hope of reducing the costs of breaches. They have also asked retailers to encrypt data and use other ways of storing information in order to get insurance.

The recent breach at Anthem exposed 80 million Social Security numbers. Anthem is the second largest health insurer in the United States. According to well-known sources, it had $150 million in cyber insurance.

Aside from civil litigation and other expenses, $40 million would have to be spent to inform clients, as required by various state laws, and on remediation compensation. 13.5 million Californians were affected by the company’s data breach. Federal health officials and state insurance commissions are investigating whether Anthem took sufficient security measures to safeguard its database.

Home Depot recorded $43 million in pre-tax expenses related to a recent data breach. This amount was partially offset by a $15 million receivable for costs the company believes are reimbursable. The cyber insurance coverage for pre-tax net expenses was $28 million. Those expenses included the costs of investigating the data breach, providing identity protection services (including credit monitoring) to impacted customers, increasing call centre staffing, and legal and other professional services.

There are a number of ways to protect your valuable information from hackers:

  • Ensure that your password is complex. Above all, do not use the same password or username across various websites. Experienced criminals will use your base password and their sophisticated software to crack your other passwords. Hackers are aware that most people are lazy. As soon as they get access to your credentials from one site, they will try those credentials at many other sites. A password manager provides you with strong, unique passwords for all of your accounts and keeps them in a secure encrypted vault on your device.
  • Do not recycle user IDs and passwords. Hackers sometimes try stolen IDs and passwords on different sites to gain control of other accounts.

  • Never confirm or provide personal information in response to an email or text, and do not click on links in unexpected messages.
  • If you see charges on your credit card or bank statements that you do not recognise, contact the fraud department at your bank or credit card provider immediately to investigate.
  • Check your credit reports – for free – every few months. It is a good way to find out if someone has opened credit in your name. To get your report, visit AnnualCreditReport.com or call 1-877-322-8228.
  • Use two-factor authentication. This provides an extra layer of protection beyond your password. First you enter your username and password as usual, then a code is sent to your mobile app. Only after you enter that code will you be allowed to access your account. Two-factor authentication combines something you know (your password) with something you have (your phone), making access by unauthorised users much more difficult.

Cyber Attack

A few days before Thanksgiving 2013, someone installed malware in Target’s security and payment network. It was designed to capture the information for every credit card used at the company’s 1,797 U.S. stores.

The hackers gained control of a Target server. As Christmas gifts were scanned and packaged, the malware was activated the moment the cashier asked for a swipe of the customer’s credit card. The cyber attack had begun. The credit card number was captured and stored for the hackers.

It is considered the largest credit card breach and cyber attack in U.S. history since the breach discovered in 2007 involving retailer T.J. Maxx and roughly 45 million card users.

Six months earlier, FireEye, the computer security firm, had begun installing a $1.6 million cyber attack detection tool for Target. The CIA and the Pentagon are some of FireEye’s clients. Security specialists in Bangalore were supposed to monitor Target’s computers 24 hours a day. Anything suspicious noticed by the Bangalore security centre was supposed to be reported to the security operations centre in Minneapolis.

Only after the hackers had planned an escape route for the safe-keeping of the data did FireEye spot the breach and send a cyber attack alert. It was too late. Details of the credit cards had been moved to various locations in the U.S. to cover tracks and then finally to Russia. Target stood by as 40 million credit card numbers and 70 million addresses, phone numbers and email addresses poured out of its mainframe.

Stolen credit and debit card accounts are being sold on underground black markets for anywhere from $20 to more than $100 per card, reports KrebsOnSecurity, a security news website.

Target announced in January 2015 that it was closing all 133 of its stores in Canada. This resulted in the retrenchment of more than 17,000 workers. Earlier in March this year another 1,700 workers were laid off at its headquarters and 1,400 open positions were slashed.

Documents show that hacking victims could get as much as $10,000 each. The proposed settlement requires that the Target Corporation put into force certain security policies within 10 days of the settlement becoming effective. These include:

  • The appointment of a chief information security officer.
  • The company must maintain a written information security program that specifies potential security risks. Furthermore, it must develop metrics to measure the security of its systems.
  • The company must educate workers about the importance of safeguarding personal identifying information.

In order for hacking victims to be paid they have to have experienced at least one of the following:

  • Unauthorised, unreimbursed charges on their credit or debit card.
  • Spent their own time attending to charges.
  • Paid fees to hire somebody to correct a report.
  • Paid higher interest rates or fees on accounts.
  • Spent funds buying credit reports.
  • Paid to replace identification, Social Security number or phone number.

More than 90 lawsuits have been filed against Target by customers and banks for negligence and compensatory damages. With the approval of a federal court, Target will deposit a settlement amount into an interest-bearing escrow account, according to the 97-page settlement.

A recent survey by the Ponemon Institute revealed the average cost of cybercrime for U.S. retail stores more than doubled from 2013 to an annual average of $8.6 million per company in 2014. The annual average cost per company of successful cyber attacks increased by $20.8 million in financial services, $14.5 million in the technology sector and $12.7 million in communications industries.

This survey lists known cyber attacks on private U.S. companies since the beginning of 2014. By its very nature, a list of this sort is incomplete. The scope of many attacks is not fully known. For example, in July, the U.S. Computer Emergency Readiness Team issued an advisory that more than 1,000 U.S. businesses have been affected by the Backoff malware, which targets point-of-sale (PoS) systems used by most retail industries. (Backoff scrapes memory from running processes on targeted devices, and has been planted on retailers’ PoS systems by criminals seeking to pilfer consumer credit data.)

The list includes only cyber attacks that have been made known to the public. Most companies encounter multiple cyber attacks every day, many unknown to the public and many unknown to the companies themselves.