Breaches Old and New: Target Settles, More Blue Cross Leaks; New Security Measures

Data breaches, their discontents and fallout, have filled the news this week. You’ll remember, of course, when the Target customer data breach in 2013 finally catapulted questions about customer security in the digital age onto the front page. Now comes word that Target has, at last, reached a settlement in that case. As tech website Gizmodo reports, “following lengthy discussions with the lawyers of those affected by the hack, the retailer has agreed to pay up a $10 million settlement.” Of course, that has to be divvied up among the 40 million or so customers who were affected. The “ceiling” on each settlement appears to be $10,000. The way the process will work is that “a digital version of that form will appear on a dedicated website, where those affected by the breach will be asked to provide ‘reasonable documentation showing their losses more likely than not arose from the Target data breach (for example, a credit card statement, invoice or receipt)… That will include up to two hours of ‘lost time’ billed at $10 per hour for each type of loss.” Blue Cross may in for a similar settlement down the road. Coming on the heels of the recent announcement of personal information — addresses and Social Security numbers — being pilfered from Anthem Blue Cross, comes word that another Blue Cross company, Premera Blue Cross, may have suffered a similar hack, including not only Social Security info,  but, as NPR reports “credit card numbers, even information about medical problems. Premera issued a statement  saying it discovered the breach on Jan. 29. That’s about the same date that Anthem, another Blue Cross company, told the FBI that it was breached. “It’s possible that Anthem put the word out and, given the timelines, the attacks were related — done by the same perpetrator. At least that’s an educated guess from the cybersecurity company iSight Partners.Premera also says the attack itself started in May of last year.” As the article observes, “that’s many, many months to steal people’s data.” On the other hand, it also notes that as valuable as medical information is, none of the earlier Blue Cross info has shown up on black markets. Speculation accrues that international intrigue — and possible blackmail attempts of government employees (who use Blue Cross) — could be involved. That might sound like something lifted from a modern spy thriller, but true to such stories, “countermeasures” are being taken. In the arena of payment security, Business Insider  lists additional steps being taken to address fraud that “cost US retailers approximately $32 billion in 2014, up from $23 billion just one year earlier.” As the article avers, “payment companies and merchants are implementing new payment protocols that could finally help mitigate fraud.” They list the upcoming switch to EMV cards, as frequently reported here, as one of those steps. In addition, they talk about increasing use of encryption in transactions, “degrades valuable data by using an algorithm to translate card numbers into new values,” which makes the data unusable for further transactions. This is similar to what happens with “Tokenization,” which the article describes as digital “schemes (to) assign a random value to payment data,making it effectively impossible for hackers to access the sensitive data from the token itself. Tokens are often ‘multiuse,’ meaning merchants don’t have to force consumers to re-enter their payment details.” This is one of the attraction of newer payment methods — virtual wallets, etc. — though newer digital protection protocols for these methods  — synching up the “old and the new,” as it were, in terms of the different databases that share transaction information, are still being worked out. If you want to expand customer payment options, or want look into ways to make your business transactions more mobile, more secure, etc., contact your AVPS Rep today, if you need to upgrade, expand — or want to get a few digital steps ahead!