It was just a matter of time before a major brand would experience a data breach in 2016. While the Wendy’s card data breach is under investigation, it has reinvigorated a discussion among merchants who want to avoid being the next target (no pun intended).
Target’s card data breach has become a benchmark for many industries, illustrating the scope of consequences, which stretch far beyond initial damage control: a CEO shuffle, legal fees, a 46% drop in profits costing shareholders $148m, as well as loss of customer respect. Yet, despite what’s at stake, many merchants forget what we should learn from this breach, among others.
What most people tend to forget about the Target hack is that the data breach originated from an open heating, ventilating, and air conditioning (HVAC) system. This underscores that data is vulnerable virtually anywhere. Consider the clever hacks last year, when American Airlines’ data was hacked via its in-flight entertainment system and a popular children’s toy from VTech was hacked, exposing data on 6.4 million children.
With connected devices becoming more popular, we can expect future data breaches to become more varied as Internet-connected devices (e.g. smart watches, smart refrigerators, etc.), which often link to sensitive personal information and payment card details, become more prevalent. As cyber-thieves can “steal” data from a growing number of new portals, this underscores the importance of a multi-prong approach to payments security (by way of EMV, point-to-point encryption and tokenization). More importantly, merchants need to be aggressive about such a strategy, as hackers will stop at nothing for the sweet combination of infamy and financial gain.
For cyber-thieves, there’s a thrill involved with hacking seriously complicated systems, major brands, and/or organizations that have highly sensitive data. It’s not just about gaining access to credit card details and selling them on a black market. For hackers, it’s equally about the bragging rights that come with it. And hackers are becoming increasingly tech-savvy and organized.
Addressing the growing complexity and camaraderie associated with hackers, a recent report, “Markets for Cybercrime Tools and Stolen Data” (by RAND Corporation’s National Security Research Division), described the market as: “once a varied landscape of discrete, ad hoc networks of individuals initially motivated by little more than ego and notoriety, has emerged as a playground of financially driven, highly organized, and sophisticated groups.”
The term “playground” is telling. It aptly describes this sub-culture and how our major card data breaches equate to fun and games for others. It also reaffirms the measures companies need to take to ensure a multi-prong approach to payments security is in place.
It’s too soon to tell what the scope of damage will be for Wendy’s, yet its news comes with a silver lining. Companies are aware a data breach can significantly impact the bottom line, stock price and consumer perception. And, no one wants to be the next Target (pun now intended).
Wendy’s data breach is a wake-up call early in our New Year for large and small retailers alike to move faster when it comes to comprehensive security. EMV is a great first step, but it alone cannot prevent a data breach. P2PE is a fantastic complement, and for optimum comprehensive security, tokenization is an essential part of the ‘Holy Trinity’. As we’ve seen with Target, it’s not enough to protect the point of sale; the data in transit, especially, must be protected as well.
Jeremy Gumbley is CTO and CSO of Creditcall.