2013 was a big year for mega-breaches, and unfortunately it's getting bigger. While you may have been shocked by the 40 million confirmed accounts breached in the Target hack, it now appears both that the breach was underestimated and that Target was not the only retailer affected.
While 40 million Target shopper credit card numbers were stolen over the holiday season, the retailer is also acknowledging that the names, mailing addresses, phone numbers and email addresses of at least 70 million customers were also stolen. Most breaches take weeks or months to discover, and it's possible that the thorough forensic investigations now being undertaken by Target have resulted in the (possibly earlier) detection of this second breach.
Target is doing its best to recover from the situation and the negative outcomes of such a breach, offering free credit monitoring and dedicating $5 million to a coalition to help educate the public on the dangers of scams. Full details here.
Retailer Neiman Marcus has also announced it was breached by hackers as far back as July, though the breach was not fully contained until this January, six months later. The company disclosed the theft of customer information this January, saying it first became aware of suspicious activity (cards used fraudulently after being used in-store) in mid-December.
There is some speculation that both hacks are related to the same point-of-sale malware, "BlackPOS", and that several more retailers have been affected but are delaying in their disclosures. Others speculate that more BlackPOS-related hacks will be discovered.
These two major hacks, and possibly others, are bringing to light discussions on the importance of data breach notifications - the details, the timeliness, and balancing the needs of an investigation against consumer rights - as well as the need for better data loss prevention (DLP) tooling to get a handle on data in use, in motion or at rest, in order to both prevent and detect data breaches.
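To make the DLP point concrete, here is a small added example (written for this page, not code from Target, Neiman Marcus or any DLP vendor) of the kind of content check a DLP tool applies to data in motion: it scans outbound text for card-number-shaped digit runs, uses the Luhn checksum to discard look-alikes such as order numbers, and reports only a masked form so the alert itself does not leak the card. The log lines and the test card number are constructed for the example.

```python
import re

# Loose candidate pattern: 13-19 digits, optionally separated by spaces or dashes,
# not preceded or followed by another digit. Deliberately permissive; the Luhn
# check below is what keeps the false-positive rate down.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the Luhn-valid card numbers (digits only) found in a piece of text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(pan):
    """Keep the first six (issuer) and last four digits, as PCI-style masking does."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_records(records):
    """Return (record index, [masked PANs]) for every record that carries a card number."""
    findings = []
    for idx, rec in enumerate(records):
        pans = find_pans(rec)
        if pans:
            findings.append((idx, [mask_pan(p) for p in pans]))
    return findings


# Constructed sample records, as a DLP sensor might see them leaving a POS network.
# 4111 1111 1111 1111 is a well-known Luhn-valid test number, not a real card.
SAMPLE_RECORDS = [
    "POS-07 auth OK card=4111 1111 1111 1111 amount=42.17",   # valid PAN, should alert
    "POS-07 auth OK card=4111111111111112 amount=9.99",       # fails Luhn, ignored
    "order=1234567890123 shipped to warehouse 4",             # 13-digit order id, fails Luhn
    "customer phone 555-0100 email alice@example.com",        # no candidate digit run
]

if __name__ == "__main__":
    for idx, masked in scan_records(SAMPLE_RECORDS):
        print(f"record {idx}: card data detected {masked}")
```

In practice a DLP sensor would run this kind of check on network flows, file stores and endpoint clipboards alike; the Luhn filter matters because a retailer's traffic is full of long numeric identifiers, and alerting on every digit run would bury the real findings. Note that the candidate regex is greedy, so a PAN immediately followed by a space and more digits can be swallowed into one over-long candidate; a production scanner would also try shorter windows inside a failed candidate.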
What are your thoughts on disclosing data breaches? Do you advocate for completing investigations first or on notifying customers as soon as possible?