Why was your credit card number stolen? Retailers are lazy.
NEW YORK — Companies are losing your data to hackers because they get lazy about protecting it.
If a shop wants to accept credit cards, it needs to abide by strict payment card industry (PCI) rules and pass a test. But a new Verizon cybersecurity report shows that companies act like high school students cramming for an exam.
Companies will bulk up IT security just in time for their PCI inspection. But only 29% keep it up afterward, according to Verizon’s 2015 PCI compliance report.
So, while businesses claim you’re safe because they’ve met credit card industry standards, your data isn’t as protected as it seems.
“Officially they remain compliant, but only two or three weeks a year,” said Rodolphe Simonetti, a consultant with Verizon. “As soon as something else is in the list of priorities, security is dropped.”
The holiday shopping season is the worst, he explained. Companies are supposed to watch for break-ins into their payment network, restrict employee access to sensitive data and make sure new machines are properly secured. All of these priorities take a backseat as retailers shift their entire focus to flashy new website features and the barrage of purchases, Simonetti said.
The 2013 Target hack, which hit 110 million customers, is one example. The company reportedly ignored cybersecurity alarms it had in place just in case of a hack.
Companies routinely fail to patch systems for bugs, swap out old passwords and maintain an updated firewall that scans company Internet traffic.
Last year, a major hospital network’s failure to update its computer software allowed hackers to steal 4.5 million patient records.
And the worst problem is a simple one. Companies aren’t regularly testing their computer networks for holes. According to the Verizon report, only 33% of companies did this properly in 2014, even fewer than the previous year.
Why is this happening? It’s all about the tension between conducting smooth business and playing it safe. It’s easier for a company to sell products and please customers if the system is relaxed. But that opens up holes for criminal hackers to get in.
Adding a new feature on the company website might create a pathway into the corporate network. Letting mid-level employees access customer data means that, if any of them open up a malware-laced email, all that data is as good as stolen.
This problem applies to retailers, hospitals and any other company that lets you pay by credit card — anywhere. The Verizon report reviewed companies worldwide.
Verizon also found some pretty lame excuses for the lax security.
One hotel chain thought it was safe because it kept consumer data at a third-party data center, Simonetti said. It didn’t think it mattered that a hired computer server maintenance company had access to those machines. And some call centers don’t see the harm in letting phone operators retrieve consumer credit card data at a caller’s request.
“They should be able to input data. But a hotliner should not be able to retrieve data from customers. You never need to give back credit card numbers to your customers,” Simonetti said.
This kind of lazy behavior could backfire. Verizon found that insurance companies that offer cybersecurity policies are rejecting retailer’s claims “because they have failed to take adequate security measures,” the report said.
By Jose Pagliery