More than 100 million customers were affected when Target, one of America’s largest retailers, became the victim of a data breach late last year. Malicious software installed on Target’s point-of-sale devices by cyber attackers stole the financial and personal information of its customers during the often frantic ‘Black Friday’ sales.
Target’s cyber insurance policy would cover a part of the financial damage caused by lawsuits, fines, costs involved in credit monitoring and hiring computer forensics experts, but the retailer will find it very difficult to salvage customer loyalty and rebuild its reputation.
There is no escape from data breaches, but businesses can handle the situation much more effectively with the help of a cyber insurance policy.
The cyber criminals managed to upload malicious point-of-sale software onto Target’s systems and then established a control server within Target’s internal network. This control server acted as the central repository for the data sent by the point-of-sale devices infected with the malicious software.
The attackers logged into the control server from a remote system to collect the personal and financial information of as many as 70 million and 40 million customers, respectively.
According to sources close to the investigation team, when the malware was installed on Target’s POS systems sometime prior to November 27, 2013, none of the more than 40 commercial antivirus tools used for scanning malware at virustotal.com, a malware scanning service owned by Google, was able to identify the POS malware.
The sources also noted that the malicious POS software appeared to be identical to BlackPOS, the software code sold on cybercrime forums. According to the BlackPOS author, the size of the POS malware is approximately 207 kilobytes and it bypasses firewall software.
How Is Target Handling the Incident and What Role Has Cyber Insurance Played?
Whilst dealing with the PR nightmare that ensued following the cyber attack, Target CEO Gregg Steinhafel was quick to release a statement to those wanting answers, and indeed their money back as soon as possible.
Target issued an important notice to the customers who shopped between November 27 and December 15 last year, providing information about steps to be taken to protect themselves against potential misuse of their credit/debit card information.
Target has also created a web page that offers resources, responses and daily updates regarding the breach. In addition, Target has said that free credit report monitoring will be made available to the customers whose data was accessed.
Target reportedly had $100 million of cyber insurance in place provided by a panel of several insurers, with a self-insured retention of $10 million. Having such a policy in place has assisted Target in effectively responding to the data breach in a number of ways, including:
- Hiring the services of a computer forensics investigator to determine the cause of the breach and what data was exposed.
- Hiring an attorney who will be of help in navigating the national and international data privacy laws.
- Sending notification letters to customers who are affected.
- Offering credit monitoring services to customers for a year.
- Setting up a dedicated call center for answering customers’ queries.
- Hiring a public relations company to provide media support services.
- Paying for customer damages due to identity theft.
- Paying defense costs.
Lessons We Have Learnt From The Target Incident
It’s crucial to understand that no business – large or small – is immune to a data breach. The key is to be as prepared as possible, starting with a pre-determined response policy focusing heavily on swift risk assessment and subsequent notification to customers.
The incident most prominently highlighted the importance of having a strong cyber insurance policy, which is essential for any business to enable the most efficient and least financially damaging response to a data breach. Without the backing of such a policy, the cost of the data breach response would fall on the business itself.
It is reported that, at present, Target has incurred approximately $88 million in breach-related expenses, with insurance expected to cover $52 million of that cost.
Sadly, data breaches are increasingly becoming more than just a possibility and can easily ruin a business’s reputation and, in turn, destroy it financially. All businesses, regardless of size, need to consider cyber insurance as an essential element in their risk management strategy to ensure that their response processes and subsequent payouts will always be covered. Sending notifications to customers, setting up dedicated call centers, and hiring defense lawyers and computer forensics investigators, for example, are all expensive operations.
If businesses have to meet all of these expenses out of their own pockets, they will almost definitely be faced with financial ruin. Businesses should not consider a data breach as just a possibility. They should expect it to happen and be prepared to respond quickly.
For further information about how cyber insurance can provide protection for your business, please refer to The Ultimate Guide To Cyber Insurance.