A hacker recently pled guilty to 19 charges related to the theft of 41 million credit and debit card numbers from several retailers, including Barnes & Noble, BJ’s Wholesale Club, Boston Market, Forever 21, OfficeMax, Sports Authority and the TJX Companies (TJX attack). Albert Gonzalez was arrested for these thefts in 2008, and has also been charged in connection with another high-profile data breach. These attacks and their aftermath underscore the need for retailers to be vigilant in adequately monitoring, auditing, testing and updating their security measures. They also highlight the importance of having an action plan in place to respond to a data breach, and that plan should contemplate any statutory notification requirements.
Under the plea agreement for the TJX attack, Gonzalez is to serve a sentence of 15 to 25 years after pleading guilty to the 19-count indictment. Those charges include unauthorized access to computers, fraud in connection with computers, damage to computers, conspiracy to commit wire fraud and aggravated identity theft. Gonzalez must also forfeit some $2.8 million in cash, a Miami condo, a car and expensive jewellery. He is scheduled to be sentenced in December in Boston, Massachusetts.
While awaiting trial for the TJX attack, Gonzalez was indicted yet again — this time with two others, in New Jersey, for a data breach affecting up to 130 million credit cards from Hannaford Brothers Inc., Heartland Payment Systems, the 7-Eleven retail chain and two other unnamed retailers (Hannaford attack). The Hannaford attack, which is now considered the largest data breach in history, occurred approximately one year after the TJX attack.
The plea agreement for the TJX attack does not apply to the charges Gonzalez faces in connection with the Hannaford attack.
One of the issues raised following both attacks was the obligation for a retailer or payment card industry operator to disclose a breach to its customers.
In 2007, the State of Massachusetts passed a law that requires companies to disclose to officials and residents any loss of control of records that could lead to theft of “personal information.” Thirty-nine states have similar laws, but most of them, including Massachusetts, only require disclosure if the stolen credit card data is linked to a customer’s name or personal details. The general assumption is that credit card data alone is less of a threat since it is harder to abuse, and card issuers have a strong tendency to forgive many fraudulent charges. Ironically, Massachusetts passed this law following the TJX attack.
In the case of the Hannaford attack, some accused Hannaford Brothers Inc. of not appropriately disclosing the attack to the public. The retailer issued a press release approximately two and a half weeks after learning of the unusual credit card activity, and a week after it had controlled the damage.
It was Hannaford’s position that loss of credit card information alone did not amount to loss of “personal information” under Massachusetts law. Indeed, since Hannaford did not affiliate any credit card data to a person’s name or personal details, this was not a case of “identity theft.” Therefore, it had no obligation to disclose the data breach to its customers and only did so in an act of good faith.
Another issue raised by the TJX and Hannaford attacks, in light of their magnitude and proximity in time, was whether the affected retailers or payment card industry operators had put in place appropriate security measures to protect their customers.
To conduct the attacks, Gonzalez allegedly maintained servers in New Jersey and around the world (including in California, Illinois, Latvia, the Netherlands and Ukraine) that stored malware (malicious code) and other information necessary to the operation. It is reported that Gonzalez used a well-known method, SQL injection attacks, which exploit security vulnerabilities between an online interface and the back-end customer database. Since Hannaford did not store credit card information but transferred it over a wired network, the attack occurred during that transfer.
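The bulletin describes SQL injection only in general terms. The following added example (not part of the original bulletin, and not code from any of the companies named) shows the defect in miniature: a lookup that splices user input into the SQL text beside the same lookup written with a bound parameter. It assumes an in-memory SQLite table standing in for a retailer's back-end customer database; the table contents and the inputs are constructed for the illustration.

```python
import sqlite3


def make_db():
    # Constructed stand-in for a back-end customer database (assumption: SQLite).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "1111"), ("bob@example.com", "2222")],
    )
    return conn


def lookup_vulnerable(conn, email):
    # Vulnerable pattern: untrusted input is concatenated into the query text,
    # so the database engine cannot distinguish the query from the input.
    sql = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    # Hardened pattern: the input is passed as a bound parameter and is only
    # ever interpreted as a string value, never as SQL.
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    # Runs both lookups with a normal input and with a constructed input that
    # contains a single quote, and returns the four result sets for comparison.
    conn = make_db()
    benign = "alice@example.com"
    hostile = "x' OR '1'='1"  # constructed input containing a quote character
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "param_benign": lookup_parameterized(conn, benign),
        "param_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

With the concatenated query, the input containing a quote character changes the meaning of the `WHERE` clause and the lookup returns every row in the table; with the parameterized query the same input simply matches no customer. Parameterized (prepared) statements, applied consistently at every point where an online interface talks to the database, are the standard control for this class of vulnerability, and a code review or static scan for string-built SQL is the corresponding audit check.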
The Payment Card Industry (PCI) has established certain security guidelines for retailers such as Hannaford. While the PCI sets out rules on how employees should be screened and what precautions should be taken against hackers, it does not conduct audits. Rather, audits are performed by third-party assessors. Though Hannaford was apparently in compliance with PCI’s security requirements, one media report has questioned whether the assessors properly evaluated compliance.
McCarthy Tétrault Notes:
According to the U.S. Federal Trade Commission, SQL injection attacks have been “commonly known or reasonably foreseeable” since at least 2000.
Accordingly, a company that does not take the necessary steps to implement strict measures to protect itself against such attacks is assuming undue risk and exposes itself to a slew of costs and lawsuits. The TJX breach allegedly cost the TJX companies up to $200 million. Heartland Payment Systems, as a result of the Hannaford attack, has reportedly already spent more than $12 million and is now facing multiple lawsuits.
Companies are urged to take the appropriate steps to protect themselves and their customers from attacks such as the TJX and Hannaford attacks. One way companies may go about this, according to Gartner Inc., a leading information technology research and advisory firm, is requiring PINs for credit card transactions. This would considerably lessen the threat of data theft.