Cash or Card?: Data Breaches as the New Normal in American Consumerism

September 24, 2014

A September 14, 2014 Huffington Post article lists “4 Reasons Credit Cards Are Better Than Cash.” Ironically, the article was published less than a week after Home Depot confirmed that 56 million of its customers’ credit card information had been compromised in the largest data breach of retail credit card information in history. But such events are not new; in 2007, 94 million credit and debit card numbers were stolen from TJ Maxx customers. Since then, numerous data breaches, such as Sony in 2011, have occurred. In 2013 there were 617 reported data breaches, not counting the highly publicized Target breach that exposed 40 million customers’ credit card information to hackers at the height of the holiday shopping season. Since then, two other smaller breaches have made headlines. In March, Sally Beauty, a retailer of beauty and salon products, was the target of a data breach that resulted in 282,000 stolen credit and debit card numbers. Three months later, Goodwill International Industries Inc. discovered its own data breach that had gone undetected for over eighteen months. So, why are data breaches becoming increasingly normal, and who is at fault?
Clearly, hackers are the culprits, but several cybersecurity experts, including former Home Depot employees, suggest that retailers are also responsible. Krebsonsecurity, a security news blog run by former Washington Post journalist Brian Krebs, identified the software used by hackers in the Target, Sally Beauty, and Goodwill breaches as a type of malware that “skims” off data from the magnetic stripe of a card when it is swiped at a point-of-sale system running Microsoft Windows XP Embedded (Windows XPe). According to several websites, the Windows XPe point-of-sale systems are easier to exploit, as they are a “badly aging Microsoft operating system, that’s behind the times security-wise, but still broadly used in the world of retail.” Some call the use of the outdated Windows XPe systems negligence. In fact, as of March 2014, 90 lawsuits alleging negligence had been filed against Target, and the day after Home Depot confirmed its breach, a class action negligence suit was filed. While it seems that retailers are partly to blame, a New York Times article suggests the larger problem is “finger-pointing” between banks and retailers.

“For years, the banks and the retail industry have spent more time accusing each other of causing the problem than seeking a solution.”

Nonetheless, the United States is taking a step in the right direction by requiring replacement of swipe-and-sign card systems with P.I.N. and chip systems, like those already used in Europe. This switch, which is required by October 2015, will effectively “disarm” malware similar to that used in the Home Depot and Target breaches. Yet, Krebs and others say the replacement will not completely eliminate the threat of a breach; it will just make it more difficult for hackers.
A more radical option is to simply use cash (the green paper stuff, remember?) when possible, to avoid the risk altogether. Obviously, this is easier said than done in a world where plastic dominates, but it may truly be the only way, as an American consumer, to avoid the increasing threat of fraud and identity theft posed by the now-normal occurrence of data breaches. So, next time you are asked at checkout, “cash or card?” maybe go with the greenback.