There's a pretty common nostalgia trope which says that, compared to now, the Good Old Days were a simpler and more innocent time.
So let's reminisce about the Good Old Days of early 2012, when computer-security problems were simple and minor compared to now. Remember that February, when the Christian Science Monitor published a list of the “15 worst data security breaches of the 21st century”? Topping that circa-2012 list was the March 2008 breach at Heartland Payment Systems, which resulted in “134 million credit cards exposed through SQL injection to install spyware on Heartland's data systems.”
Only 134 million? Piffle: the security breach at credit-monitoring data broker Experian, first uncovered in October 2013, ultimately left the personal information of 200 million Americans – five out of every six American adults – at risk.
The Heartland breach was six and a half years ago. In an ideal world, the rest of the financial industry would've learned from Heartland's mistakes, and by now, such problems would be extremely rare, if not eradicated entirely.
Dozens of millions
Of course the exact opposite happened, and now you can barely go a week without hearing of yet another massive security breach affecting tens of millions of people: 40 million payment cards exposed in the Target breach. 56 million card numbers stolen in the Home Depot hacking. 76 million households compromised in the JPMorgan Chase hack — and remember, a single “household” can contain several individual “people.”
So, no, most companies did not learn from Heartland's mistake, though one company did: Heartland itself. This week the security news site Dark Reading asked Heartland CEO Robert Carr why so many retailers (and their customers) keep suffering security breaches, and Carr's answer was simple: because companies, for whatever reason, choose not to invest in the basics, such as tokenization, end-to-end encryption, and EMV chip cards in place of magnetic stripes (MasterCard and Visa have set October 2015 as the liability-shift date for American retailers, after which a merchant that cannot process EMV cards absorbs counterfeit-card fraud losses that would otherwise fall on the card issuer).
“What's happening in the meantime is, even though solutions are being introduced … a lot of companies haven't implemented the basics, and they are paying the price for it,” Carr said. “The people responsible for spending the money necessary to be safe aren't spending the money. They don't take it seriously. What I've been saying for years is that it's going to continue to get worse, because the pool of victims not doing anything or doing enough is shrinking slowly.”
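Tokenization, the first of the basics Carr names, is worth seeing in code. The Python below is an added example written for this page, not Heartland's or any vendor's implementation: the TokenVault class, the order-record layout and the (standard test) card numbers are all constructed for the demonstration. It shows the property that matters in a breach: a dump of the merchant's order table yields tokens that are worthless without the separately secured vault, while the same table before tokenization hands over every card.

```python
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test. Every real PAN passes it, so the vault uses it
    to reject garbage and a thief's dump scanner uses it to spot cards."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip spaces and dashes; reject anything that is not a plausible PAN."""
    pan = re.sub(r"[ -]", "", raw)
    if not re.fullmatch(r"\d{13,19}", pan) or not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return pan


class TokenVault:
    """PAN <-> token mapping. Hypothetical stand-in for a separately secured
    vault service: merchant code only ever calls tokenize()/detokenize() and
    keeps no PAN of its own. Authorization on detokenize() is assumed to be
    enforced by the surrounding service and is not modelled here."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, raw_pan: str) -> str:
        pan = normalize_pan(raw_pan)
        if pan in self._token_by_pan:        # repeat customer, same token
            return self._token_by_pan[pan]
        # Random, not a hash of the PAN: a hash can be reversed offline by
        # enumerating the roughly 10^9 Luhn-valid PANs under a known 6-digit BIN.
        token = f"tok_{pan[-4:]}_{secrets.token_hex(12)}"
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def pans_in(records) -> list:
    """What a thief gets from a dump of these records: every field that
    normalizes to a Luhn-valid 13-19 digit number."""
    found = []
    for rec in records:
        for value in rec.values():
            try:
                found.append(normalize_pan(str(value)))
            except ValueError:
                pass
    return found


def run_demo():
    """Tokenize a constructed order batch; return (raw orders, what the
    merchant database actually stores, the vault)."""
    vault = TokenVault()
    # Constructed sample input using well-known test card numbers, not real accounts.
    raw_orders = [
        {"order": 1001, "card": "4111 1111 1111 1111", "amount": "19.99"},
        {"order": 1002, "card": "5555-5555-5555-4444", "amount": "42.00"},
        {"order": 1003, "card": "4111111111111111", "amount": "7.50"},
    ]
    stored_orders = [
        {"order": o["order"], "card_token": vault.tokenize(o["card"]), "amount": o["amount"]}
        for o in raw_orders
    ]
    return raw_orders, stored_orders, vault


if __name__ == "__main__":
    raw, stored, vault = run_demo()
    print("PANs recoverable from raw orders:  ", len(pans_in(raw)))
    print("PANs recoverable from merchant DB: ", len(pans_in(stored)))
```

Two design points carry over to real deployments. The vault is now the high-value target, so it has to live in its own network segment with its own access control and audit trail; a vault reachable from the same web tier that was just SQL-injected buys nothing. And the token is random rather than derived from the card number, because the PAN space under a known BIN is small enough that a hash or keyed-but-leaked derivation can be brute-forced. Production systems go one step further and tokenize inside the payment terminal, so the PAN never reaches the merchant's network in the clear at all, which is where end-to-end encryption and tokenization meet.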
Too small to be hacked
But why haven't they spent the money to prevent these security breaches, which ultimately cost them far more than the prevention would have? To make a rather obvious analogy: putting a strong, sturdy, lockable door on your house won't be cheap, but it's a lot cheaper than replacing everything in your house after a thief breaks in and steals it all.
Part of the problem, Carr suggests, is that some merchants think they're small potatoes, too small for card thieves to bother with. Two minutes' searching of mainstream news coverage shows that's not true: from an identity thief's perspective, card numbers stolen from, say, a relatively obscure chain of New England car washes are just as valuable as cards stolen from Target, Home Depot and the other famous big-box retailers.
“Today, if a merchant doesn't do the minimum work to avoid a breach, then they are going to get breached,” Carr said. “It's just a matter of when.”