The Target Breach: How the Financial Industry is Reacting

Retail giant Target recently suffered a massive security breach during the busiest shopping season of the year.  The breach involved the credit and debit card information of an estimated 40 million customers who shopped at one of Target’s retail stores between November 27th and December 15, 2013.  So far, Target has not disclosed the precise details of how the breach occurred.  While Target continues to work to repair the damage, it is interesting to see how other companies are reacting to one of the largest data breaches in history. Target publicly disclosed the security breach on December 19th.  Two days later, JPMorgan alerted 2 million of its debit card holders that it was lowering the daily limit on ATM withdrawals to $100 and purchases would be capped at $300 per day.  This decision could not have been an easy one for JPMorgan, especially when you consider the limits were imposed the weekend before Christmas.  Moreover, a $300 per day spending limit is woefully insufficient if anyone on your Christmas list was hoping for the new Xbox gaming console or the latest iPhone, both of which can easily exceed $500 dollars.  Although undoubtedly an inconvenience for their customers, this move makes sense.  In the case of credit card fraud, the payment processor usually reverses the charges, refunding the customer and leaving the merchant to bear costs.  However, with ATM or debit card purchases, the bank is normally responsible for covering the loss.  JPMorgan’s decision to impose spending limits is an interesting and unique strategy for limiting the fraud and reducing their own potential liability.

So far, JPMorgan is the only major bank to impose spending limits on debit cards potentially affected by the breach.  Citibank took a different approach, announcing that they would impose limits or block transactions if they noticed any suspicious activity.  Other banks are struggling with the decision whether or not to simply cancel and reissue cards to customers.  However, at a cost of around $3 to $5 dollars per card, reissuing cards can be an expensive and time-consuming process, especially when the banks do not know for certain which cards have actually been compromised.

Frustrated by the lack of communication from Target surrounding the breach, at least one bank decided to take matters into their own hands.  As reported by security expert Brian Krebs, a New England bank was able to “buy back” stolen credit cards from a black market card shop.  Hackers use black market card shops to sell stolen credit card information.  By purchasing the cards online, the bank was able to confirm that the recent Target security breach did not include the three digit security code printed on the backs of cards, known as the CVV, CSC, or CVD numbers.  This is an important fact because those numbers are usually required by most online merchants.  In addition, the bank confirmed that nearly all of the stolen credit card numbers had been used by customers to make purchases at Target stores around the country between November 27 and December 15.  This may not seem like an important fact, especially when Target’s press release indicated as much, but hacking victims are often unable to confirm exactly which cards were compromised because published estimates usually encompass all of the cards that were potentially exposed.  Moreover, if the stolen data was password protected or encrypted, there is a chance that the information may not be compromised, at least until the thieves break through those protections.  By confirming that the credit card numbers were available on the black market, the bank was able make a more informed decision about whether to reissue the cards.

Another interesting facet of the Target breach is the number of third-party companies that are proactively notifying customers.  State and federal breach notification statutes require Target to notify those affected by the breach.  But that has not stopped PayPal from sending an email to its users nor prevented personal finance website from notifying its users, albeit in an unusual way.  If you are not familiar with, it is a website that allows individuals to upload banking and credit card information, generally used for managing finances.  Using that information, identified individuals who used a credit or debit card at Target in the last 30 days and proactively notified them of the Target’s security breach, encouraging them to be on the lookout for potential fraud.  To my knowledge, this is the first time a third-party has used customer data to notify individuals of a potential breach.  It would be interesting to see if continues this practice with future breaches.

Target is not the first nor the last company to suffer a security breach.  As recent history has shown, breaches will continue to occur as hackers become more sophisticated.  In the perpetual cat-and-mouse fight against security breaches, it is refreshing to see new and different approaches to responding to potential credit card fraud.  Only time will tell whether these efforts will have any meaning full impact.