Happy Holidays: Target’s Message May Put Scare Into Firms Without Cyber Coverage

Target Corp.’s data breach headache may be an opportunity for insurance carriers, insurance agents, risk managers and businesses to spread the word about cyber risk – although the message is bit of a scary one.

The not-so-cheery holiday message: If it can happen to a well-funded and sophisticated company like Target, it can happen to just about anyone.

Target acknowledged Thursday that data connected to about 40 million credit and debit card accounts was stolen as part of a breach that began over the Thanksgiving weekend.

It’s considered the largest credit card breach in U.S. history since the breach discovered in 2007 involving retailer T.J. Maxx and roughly 45 million card users.

Shoppers line up at 8:30 p.m. Thursday in Dallas area Target store waiting for doors to open for Black Friday shopping Thursday, November 22, 2012. (Richard W. Rodriguez/ AP Images for Target)
Shoppers line up at 8:30 p.m. Thursday in Dallas area Target store waiting for doors to open for Black Friday shopping Thursday, November 22, 2012. (Richard W. Rodriguez/ AP Images for Target)

The announcement of Target’s data breach was made to the public on Thursday by CEO Gregg Steinhafel:

“Yesterday we shared that there was unauthorized access to payment card data at our U.S. stores. The issue has been identified and eliminated. We recognize this has been confusing and disruptive during an already busy holiday season. Our guests’ trust is our top priority at Target and we are committed to making this right.”

While Target said it’s hearing few reports of fraud following the incident, it does pose a public relations nightmare for the discount retailer.

“To date, we are hearing very few reports of actual fraud, but are closely monitoring the situation,” Target spokeswoman Molly Snyder said in a statement. Despite providing statements via email, Snyder wasn’t returning calls for comment.

According to Snyder, there is no indication there has been any impact to PIN numbers, meaning bank PIN debit cards has that additional layer of protection intact, and someone cannot visit an ATM with a fraudulent card and withdraw cash.

Target also believes the data stolen doesn’t include date of birth, social security numbers, and the card verification value numbers that many have been taken was not the three or four digit number that’s used for online purchases.

It’s a big, embarrassing breach that’s well timed for holiday spending, and it’s gotten the attention of retailers interested in what their policies cover, and how well they are protected, said Meredith Schnur, senior vice president and technology, privacy and network risk practice leader for Wells Fargo Insurance.

After arriving at her office on Thursday she got a call from a director of IT and his management team for a retailer who wanted to talk about their policy, then she fielded another call, and another.

“I had multiple calls from multiple clients just wanting to start getting on the phone and talking about things, about next steps and what we should be doing,” Schnur said.

One question that seemed popular following news of the breach was whether it was a game changer in terms of underwriting, rates for cyber liablity, or how risks would be handled.

“I got that question from about five of our largest retailers yesterday,” Schnur said.

She doesn’t believe the Target event will be a game changer in those terms, but she does think it will raise awareness of the need to beef up security measures.

Over the past year she’s offered to facilitate table top exercises, where outside companies come in and do a security analysis of an emergency situation in an informal environment.

Even though underwriters typically bear the cost of such events, they haven’t been all that popular, she said.

“I’ve only had two companies take us up on that,” she said. “I think we’re going to be getting a lot more requests for those table top exercises.”

While there are steps that can be taken to secure data, hackers seem to be outpacing the security measures available to companies like Target, said Jerry Irvine, a member of the National Cyber Security Task Force and president of CIO of Prescient Solutions, an IT outsourcer.

“Unfortunately hackers have the edge,” Irvine said. “There are more tools and things that can be done to put information at risk than to secure it.”

Irvine believes the hack was carried out by a sophisticated group, and that it took planning, organization and multiple resources.

“There’s no doubt in my mind this was done not by an individual but it was more likely done by a well-organized cybercrime organization,” he said.

He believes hackers likely entered one vulnerable system or machine, such as a computer that didn’t hold critical information, and they worked their way into the rest of the system until they found what they wanted.

The hackers may have used an application error, or what’s called a persistent threat – where a small bug was inserted into the system a year ago or longer, and then used that to increasingly dig deeper into the system, gathering administrator passwords and other codes along the way, Irvine said.

Tom Srail, senior vice president of Willis Group Holdings, said the holiday hack was well timed by the perpetrators, but the timing isn’t a surprise to retailers, which often begin thinking about cyber coverage right before holiday shopping kicks into high gear.

“It seems like there is an uptick in interest right before Thanksgiving in securing coverage,” Srail said.

Srail believes the Target event will help spur some retailers without it to consider cyber liability coverage, but he believes many companies that feel the need for the coverage likely already have it.

Cyber liability varies in popularity by industry, and roughly half of retailers have it, according to Srail.

He estimates that roughly only 5 percent of manufactures carry such coverage, but in health care it’s upwards of 70 percent.

“In the top 100 retailers in the U.S., I would say in the 50- to 60-percent range purchase it,” he said, adding that the figure drops lower with retailers that report under $1 billion in sales.

It’s also shunned by some large retailers that may self-insure, believing they can handle a $50 million or $100 million loss from a breach, he said.

Asked if he believes Target self-insures for cyber liability, Srail, who acknowledged having some involvement in the aftermath of the Target breach, declined to comment.

Martin Frappolli, senior director of knowledge resources and a cyber liability expert at The Institutes, an education and research provider for the insurance industry, sees this as a wake-up call, but not merely one in which businesses are prompted to get on the phone with their insurance brokers.

Frappolli he hopes that event spurs insurers to create coverage that will offer protection for all the emerging risks out there instead of having a piecemeal approach in which more than one policy may be required for loss of intellectual property, damage to hardware and software, data loss, lost business income or business interruption, and liability to anyone who’s personal data has been compromised.

“I’m looking for the silver lining, because this is a big enough event that there should be a greater realization within the industry for developing policies for covering all of the potential consequences of cyber threats and data breaches,” he said.

Nate Spurrier, a director at IdentityTheft 911, an industry consultant, thinks that a breach at a company as well funded and sophisticated as Target may throw a scare into small and midsize companies.

“It is going to require organizations to take a better look at what types of security they have in place, and what types of training their employees are going through,” said Spurrier, who said he’s hearing the hackers attacked Target’s point of sale system. “It makes everybody else on a smaller scale seem a much easier target. I would think it’s going to force some organizations to think about how they’re securing their point of sale system.”

For now, this is a public relations mess for Target, but once attorneys figure out how things went down, it may soon be a lawsuit mess for the retail giant.

“If lawyers find loopholes in things Target should have done and didn’t do or that were preventable, then as a consumer it’s going to be fairly easy to get your name on as part of that lawsuit,” Spurrier said. “You just have to prove any level of damages or any fraudulent charges have happened on your behalf or on your accounts. That’s going to be interesting.”

For more coverage on the Target breach

Insurance Questions, Lawsuits Arise in Wake of Target’s Data Breach

Target Credit Card Breach a Reminder U.S. Lags in Personal Data Security
Target’s Message May Put Scare Into Firms Without Cyber Coverage