Willie Sutton said he goes after banks because that is where the money is. Hackers go after retail databases because that’s where the data is. Willie’s banks knew they’d been robbed when they heard bullets hitting the wall. Today’s retail outlets may get a firewall breach alarm but confirmation comes when banks start telling the retailers about consumer charge card anomalies.
If they are lucky, consumers are alerted by a call from their credit card issuer. If they are unlucky, they receive a summons to appear in court for fraud they allegedly committed months ago. It may be due to identity theft, but try explaining that to the police, judge and your legitimate creditors. It’s time to forget peace of mind, get a good attorney and launch your multi-year journey of credit repair.
Criminal hackers seem to prefer retail stores who keep customer’s name, credit card number, social security number, and any other financial tidbits. Government and health care sites hold other data that are valuable to hackers, such as the millions of federal employees’ data stolen from the Office of Personnel Management.
Time Warner Cable reported that the email identity and password for 320,000 of its customers were stolen. Hackers generally want more valuable data from the theft, but they can inflict substantial mayhem with email and passwords.
A year ago, the IRS reported to some innocent parties that criminals had filed fraudulent tax refund requests in their names. To validate the innocent taxpayer’s identity in the future, the IRS gave each a six-digit Identity Protection PIN. This year, some of those victims were attacked again – the PINs had been stolen and used to file false refund requests, again.
In 2015, a cyber theft hit 80 million customers of Anthem, a health insurer. The stolen information included names, birth dates, street and email addresses, medical IDs, Social Security numbers, and employment information, including income data. That’s a good starter kit for identity theft.
Hackers stole personal data for 32 million customers of Ashley Madison, a so-called infidelity and cheater site. The hackers have posted some customer’s embarrassing details online, including credit card transactions. The hackers’ motives are unclear, but the pain to be experienced by many of the customers is crystal clear.
Hacking can also take gruesome forms, such as hacking medication pumps or heart regulator implants or hacking into baby camera monitors. Hacking the control systems for autonomous cars is a particular concern for automakers. Each of these can expose consumers to physical harm and violation of privacy.
Criminals are behind most of these attacks. Some famous attacks (Stuxnet attack of Iran’s centrifuges, North Korea’s Sony Pictures hack, Russia’s Pentagon hack, OPM’s employee hack, and Ukraine’s electric grid hack) are the work of state-sponsored hackers trying for economic and military advantage.
In the wake of a retail cyberattack, gauging the economic damage is difficult. We don’t know when the last attack-related problem and its implications have surfaced. It costs a lot to hire attorneys to handle court appearances, argue with the merchants, take time off work for appearances, muscle the credit reporting agencies, monetize the reputation damage (such as the loans you were denied, and the job interviews and offers that never came). Expect to come out of this with a deep loss. Unfortunately, we must not pretend hackers will be apprehended and forced to reimburse our damages. Our justice system emphasizes protecting the rights of hackers more than the rights of victims.
Against that sour backdrop of reality, we should be very concerned with how much information we give to anyone operating a customer information database – be it a retail store, health provider, or government agency. Until database operators feel a substantial part of each hacked consumer’s pain, they will not have enough compulsion to implement the best-available security.
The fact is that Merchants aren’t required to put in place firewalls on their servers, to use data encryption, or even to have virus and malware protection to stave off hackers from your credit card and transaction information, if they store it. Yet, some merchants are keeping consumer transaction data for longer than necessary in order to use consumer information for marketing. Fortunately, there isproposed legislation that would require merchants to more adequately protect the consumer information they collect and store.
If a website demands personal information before it will let you use its services, check the end user license. Make sure the license promises thorough indemnification to you for any consequences related to the release of your personally identifiable information from its systems. If the deal offered doesn’t protect you, just move on to a better website.
Alan Daley writes for The American Consumer Institute Center for Citizen Research, a nonprofit educational and research organization. For more information about the Institute, visit www.theamericanconsumer.org.
