When 650-store discount chain Fred's announced a data breach this month, it made an unwarranted leap of logic, one that has become all too common among breached retailers. That leap was deciding that an absence of evidence was proof that something didn't happen.
In this case, that was the blanket statement that "no other customer information was involved."
This is a problem for two reasons. The first is that professional cyberthieves specialize both in hiding their tracks, mostly by erasing the germane parts of logs, and in leaving misleading clues. It can take months and multiple third-party investigations to figure out what really happened.
The second reason is that breaches are commonly followed by lawsuits. Those lawsuits sometimes cannot make a case on what was done before the breach, so they will try to hit publicly held companies with a charge of lying to the investing public. Thus, post-breach statements have to be written as though they will be deeply analyzed by every plaintiff's lawyer in the world.
By the way, it appears that someone at Fred's already realized this, as a few key lines were removed from the statement posted to the company's website, but not before various media quoted the lines in question. The original version of the statement, which Fred's sent to the SEC, though, is available in full on the SEC site.
It's important to put data breach announcements into context and to note that, almost without exception, the initial reports are almost always wrong. Consider:
- In March 2007, the mega-retailer TJX reported that 45.7 million payment records had been stolen. On Jan. 30, 2008, it changed that figure to 94 million.
- On Dec. 16, 2013, Target reported 40 million cards had been intercepted. In August 2014, it changed that figure to "more than 100 million."
- On Jan. 24, 2014, Neiman Marcus reported that 1.1 million cards were exposed. But in a rare instance of the original estimate being too high, the company disclosed the following month that fewer than 350,000 accounts were affected.
- In September 2014, officials at JPMorgan Chase said that one million accounts had been affected in a hack, a figure that jumped to 76 million on Oct. 2, 2014.
It's far from an indictment of data breach investigators that the initial impressions are often flawed. Thieves will often sit on stolen data, waiting for the right moment to sell it at the highest price and lowest risk. They know, after all, that the instant the stolen account details are used, authorities will detect the activity and the opportunity to commit fraud will quickly vanish.
A courtesy that most cyberthieves take seriously is that a thief will almost never use counterfeit cards in the same chain where the account data used to clone them was stolen. That practice also slows things down by making it harder for any single party to detect the cards' misuse.
Retailers and other breach victims must stick with what they know and never mistake a lack of evidence for proof of anything. Six months on, almost every data breach looks very different.
Evan Schuman is a reporter for PaymentsSource.
Corrected August 19, 2015 at 10:14AM: An earlier version of this story gave the wrong date for when Target updated its breach disclosure.