GWEN IFILL: New revelations have come to light in the past several days about the massive hacking attack of consumers’ information affecting customers of some major retail stores. They’re raising more concerns over how many people may be at risk and what individuals need to know to protect themselves.
The holiday shopping season is over, but the data breach that hit retail giant Target is still growing. The company now acknowledges that information on up to 110 million accounts was compromised. Initial estimates were 40 million.
Today, two U.S. senators demanded answers from Target’s CEO. Commerce Committee Chairman John Rockefeller and fellow Democrat Claire McCaskill said in a letter: “We expect that your security experts have had time to fully examine the cause and impact of the breach and will be able to provide the committee with detailed information.”
The breach has scared some shoppers away from pulling out their credit cards.
WOMAN: I would rather just use — try and use cash here until they straighten everything out. So, it seems a little scary.
GWEN IFILL: While others say they’re just going about their business.
MAN: Yes, I use a credit card, but it wouldn’t deter me, because, really, Target is like all the big businesses, you know? Cyber-theft is cyber-theft.
GWEN IFILL: High-end department store Neiman Marcus has also announced a smaller holiday season breach. And there have been reports that other unnamed retailers were also hit.
As for Target, the company issued a full-page apology yesterday, printed in several major newspapers.
To help shed a little more light on how vulnerable businesses and consumers actually are, we turn to two people who have been following these developments closely, Nicole Perlroth of The New York Times and Ken Stasiak, the chief executive of Secure State, a consulting firm focused on information security.
Nicole Perlroth, we first heard 40 million, then 70 million, now 110 million. Do you expect those numbers to keep going up?
NICOLE PERLROTH, The New York Times: I do expect those numbers to keep going up.
Originally, we heard that 40 million people were affected in the stores, that if they used their credit card and they swiped it through a cash register at a Target, they were affected. Now we know that the 70 million people whose information was stored in the server were also affected.
And what that tells us is that these hackers were deep inside Target’s corporate network. So I wouldn’t be — wouldn’t be surprised if they were able to get into other buckets of information as well.
GWEN IFILL: Ken Stasiak, when we first reported the story, the working theory was that this was an inside job. It doesn’t look that way so much now?
KEN STASIAK, SecureState: No, I think from what we have seen, this is too massive to be an inside job.
And when you look at the breadth and scope of 1,700 stores, 110 million records compromised, you know, this is definitely pointing to malicious activity, hacker groups outside the environments. And they’re trying to see what they can do to the retail industry. We’re seeing other breaches come out over the last two weeks.
So the question is, are these correlated attacks? Do they have any type of merit to say that hackers are targeting the retail industry to try to get this credit card information and personally identifiable information from the consumers?
GWEN IFILL: Do you think — do you have reason to believe they could be attacks from outside the United States?
KEN STASIAK: At this point, we believe that the attacks are definitely originating from outside of the United States.
With the Secret Service being involved and doing the investigation, I think it kind of puts a little bit more paramount to the fact that there’s a little bit more scrutiny to the hackers being outside. We’re also seeing some thoughts that the hackers are starting to spread even beyond what we thought, from just Target to other retailers.
And I think that correlated attack and the massive amount of records definitely speaks to a hacking community outside of the United States.
GWEN IFILL: Nicole Perlroth, and since we have heard about this, e-mail stolen, personal addresses stolen, credit cards stolen, have we had any reported incidents of fraud, people who have actually taken and used that information?
NICOLE PERLROTH: We have.
I have a cameraman in the room with me right now who said he heard from his bank that his card was used and he was affected. I ran into at least three people today who said the same thing. The fact is, this is now affecting over one-third of the American adult population.
We have seen the cards drop into the black market, where a single card can now fetch as much as $100. Hackers will take this information. They will use it way beyond the one year that Target is offering identity theft protection and credit monitoring. And, unfortunately, people whose information was compromised will be good targets for hackers for identity theft.
GWEN IFILL: Nicole, let me ask you. Everything we heard early on was that this was only affected by people who swiped their cards at point of sale. Do we know that to be still true?
NICOLE PERLROTH: No, it’s not longer true.
Definitely, people who shopped in store between the day before Thanksgiving and December 15 cards and debit cards were taken. But now we learned last week that actually a whole separate bucket of Target customers were affected and the names and e-mail addresses, mailing addresses and possibly more were taken from a separate Target server.
So this is no longer just people who shopped physically in the stores. This is Target customers at large will have to start monitoring their bank accounts for potential fraud.
GWEN IFILL: So, online shopping affected as well, as far as we know.
Ken Stasiak, give me a sense for this. We found out about this now. It’s been several weeks. Do we know if the breach has been sealed, or does it continue?
KEN STASIAK: You know, when Target first came out, they said, with the press release on the 19th of December, that here is the dates, here is how many credit cards were leaked.
And over the last several weeks, they have contradicted the statements. We would believe, as investigators, that you would come in and contain the environment, so that no more breaches could occur, no more loss of personally identifiable information, addresses, et cetera. And, as we just heard, you know, that’s not the strategy.
So it’s been a botched investigation from a crisis management perspective. The CEO is coming out with apology letters. It’s a little too late. They should have taken this seriously in the beginning and put the security in place, so that now millions of consumers are obviously affected.
GWEN IFILL: And, as far as you know, Nicole, there are other — more than Neiman Marcus, more than Target, there are other stores which we’re going to — or retail establishments we’re going to hear about who were also affected by some version of this?
NICOLE PERLROTH: The investigations are ongoing, but there are reports out there that there are other retailers that were affected as well.
Certainly, on Friday, Neiman Marcus came out and confirmed that it had been breached. It has not given any sense of how big that breach is or how many customers were affected. And then there were reports over the weekend that we may hear as many as half-a-dozen other major retailers were affected. And people are still looking to see whether these attacks are correlated or not.
But, certainly, this could be bigger than just Target.
GWEN IFILL: OK.
So, Ken Stasiak, we have just been scaring the heck out of people for the last few minutes. What do we tell consumers to do about this?
KEN STASIAK: Right.
So, obviously, you’re going to have to look at your credit reports. That’s the big thing that we’re starting to see out of here. Your credit card and your credit card statements are generally going to be backed by Target, Neiman Marcus.
If you’re seeing fraudulent charges, more than likely, they are going to be taken off before you even know about it, since the payment brands, Visa, MasterCard, American Express, are very hypersensitive to this now.
But you have to look at the credit history. And the credit monitoring, the credit reports, a lot of this information that has been leaked speaks right to identity theft. And that’s going to be really where the consumer is going to get hit.
From a debit card perspective, you know, we’re — we’re big on do not use your debit card in the stores. Only use your credit card. When it says enter your pin, hit the green number and go to credit. It’s an insured way to purchase things. And, as we have seen before, your fraudulent charges will be taken off.
But if your debit card gets stolen with your pin, we have seen class-action lawsuits being filed against Target for people draining bank accounts, hackers, et cetera. And, number three is, as consumers, you know, vote with your wallet. Vote with your pocketbook. Tell the — tell these merchants that have been breached that, you know, we’re not happy.
So stop — you know, stop shopping at Target and Neiman Marcus and these, and that’s going to point a picture to say, you know what? As consumers, we’re concerned and we’re not going to stand for this anymore.
GWEN IFILL: What should stores be doing or what are stores doing now, Nicole?
NICOLE PERLROTH: Well, I think this has been a big wakeup call to other stores to up their cyber-security defenses.
There’s been a huge investment over the last decade in physical security and surveillance. And now I think retailers are waking up and seeing that they have to do the same for their cyber-security defenses as well.
So I’m hearing from a number of security companies that say that retailers are reaching out to them and saying, can you come immediately and help us install your software? So, I do think this will be a big boon for the security software industry as well.
GWEN IFILL: Nicole Perlroth, thank you for your reporting in The New York Times. And Ken Stasiak at SecureState, thanks, both.
NICOLE PERLROTH: Thanks so much
KEN STASIAK: Thank you.