By Jim Daly
n
The number of credit and debit cards compromised in 2013’s data breaches was on track by mid-December to be more than double the number of cards compromised in 2012, but then along came Target Corp.’s massive breach that exposed 40 million more. Thus, the Identity Theft Resource Center now estimates that 96 breaches compromised 46.5 million cards last year versus 68 breaches that compromised 2.63 million cards in 2012.
n
The ITRC is a San Diego-based nonprofit that tracks breaches of payment cards and records involving businesses, financial institutions, government and the military, and educational and medical entities. In total, the organization estimates 619 breaches exposed 57.9 million records last year.
n
Of course, calculating the number of records compromised in data breaches is more art than science because many breaches never become known publicly. Some 46 states now have data-breach reporting laws and Kentucky is considering one, but thresholds for disclosure and the level of detail they require vary widely, according to ITRC program director Karen Barney. “We all know there are a lot of breaches out there that are un- and under-reported,” says Barney. The ITRC compiles its data from media reports, state and federal governmental entities, and other sources.
n
Target’s breach was by far the biggest in the card category last year, accounting for 86% of the known cards compromised. (Target also says the breach affected non-card data on 70 million customers.) Other notable card breaches disclosed in 2013 included one at St. Louis-based grocery-store chain Schnuck Markets Inc. that compromised 2.4 million cards. A breach of JPMorgan Chase & Co.’s UCard program, which provides prepaid cards for consumers served by Chase’s government and corporate clients, compromised an estimated 465,000 cards.
n
Hospitals, clinics and other medical entities had the most breaches of the five major institutional categories into which the ITRC sorts its data—267 breaches that exposed 4.66 million records. Barney says more has become known about medical breaches in recent years because federal law now requires greater reporting.
n
Late Tuesday, the National Retail Federation fired the latest salvo in the post-Target war of words between merchants and financial institutions over why the U.S. continues to use magnetic-stripe payment cards when most of the industrialized world has switched to more secure Europay-MasterCard-Visa chip cards. In a letter to House and Senate leaders, the Washington, D.C.-based NRF said it supports chip-and-PIN cards as replacements for mag-stripe cards, and that it also wants a federal cyber-security law in addition to a federal breach-notification law to replace the hodgepodge of state laws. But the trade group wants banks and credit unions to pump out more chip cards.
n
“For years, banks have continued to issue fraud-prone magnetic-stripe cards to U.S. customers, putting sensitive financial information at risk while simultaneously touting the security benefits of next-generation ‘PIN-and-chip” card technology for customers in Europe and dozens of other markets,” the NRF said. “The retail industry is eager to work with banks and card companies to fight cyber attacks and reduce fraud … only by working together will consumers’ financial data be protected from criminals.”
n
Meanwhile, Target on Monday notified Canadians who shopped in U.S. stores between Nov. 27 and Dec. 15 to warn them that their personal information may have been compromised in the breach, according to Toronto Globe and Mail. Target, however, said the compromised data did not include card information. Target also said its Canadian locations were not affected by the breach because they use a different point-of-sale system than the U.S. stores. Target opened its first store in Canada only last March and by year’s end had 124 stores in 10 provinces.
n
In a related development, authorities in McAllen, Texas, arrested two residents of Monterrey, Mexico, as they tried to enter the U.S. on Sunday while allegedly carrying 90 fraudulent credit cards linked to the Target reach, according to press reports. Police later seized 22 more cards. A Texas police chief believes fraudsters are selling Target card data in regionally-based sets.