Published: Apr 11, 2019
Organizations spend a tremendous amount of time and money each year to protect their data and the private data of their customers. It is the organization’s responsibility to ensure it has cybersecurity measures in place to protect itself and the information of its customers. It is also the “job of each of us to protect our own data” as informed consumers. Assigning blame or liability to one party over another is not so cut and dried. There are many factors to consider and investigate before we can say one party is completely responsible over another for any hacks on their systems. It may very well be that the hackers are simply outsmarting businesses and have more sophisticated systems than the security measures organizations have put in place. Unless there is clear negligence on the part of the organization, such as not maintaining its security systems, not having the minimum required cybersecurity systems in place, or having improper controls in place for its employees, we must be understanding and recognize that the company and the consumer share in the responsibility of protection, which means we all share in the liability.
If an organization can prove it has taken every precaution available to ensure it has removed potential cyber threats and vulnerabilities in order to “safeguarded its customer’s data from attack” (Snider, 27 Dec. 2013), then the organization is not 100% liable for the hacking. “The threat of these attacks has escalated to such a degree that many cyber-security professionals will admit it is almost impossible to prevent them 100% of the time” (Navetta, 23 May 2011). Just as an organization must have protection in place, so must consumers. There are many companies, such as LifeLock, that guarantee to protect an individual’s personal information against identity theft. Consumers should bank with a credit card company that monitors fraudulent activity. They should also monitor their credit reports annually to ensure there is no fraudulent activity. If a consumer is not willing to assist in protecting themselves, they should operate on a cash basis only. Additionally, if consumers want organizations to be 100% liable, they must realize there are costs associated with that. Companies would have to spend more on these security measures and would ultimately pass this cost on to their customers.
Consumers who want to use credit or debit cards should make sure, when making purchases online, that the websites they are using are secure and use encryption technology. This will help protect their private data. For companies, the law “requires organizations to use security controls to protect customers’ private data”. Therefore, if an organization has the proper protection in place, or better, and the consumer has taken precautions to protect their private data, each party should be confident that there is enough protection in place. However, we must understand that being on the web means being vulnerable. There are systems that can track every keystroke typed, every phone call made from a cell phone, every text message sent and received, and much more. Many risks come along with the technology-driven world we live in. It is almost impossible to live in today’s society and not be faced with that risk. Therefore, both businesses and consumers must understand the risks, do everything possible to mitigate them, and share in the protection against and liability for these risks.
In February 2014 Neiman Marcus Group’s credit card payment system was hacked. The hackers “set off alerts on the company’s security systems about 60,000 times as they slunk through the network” (Elgin, 24 February 2014). The hackers had access to Neiman Marcus’ computers for more than eight months. This set off “hundreds of alerts daily because their card stealing software was deleted automatically each day from the Dallas based retailer’s payment registers and had to be constantly reloaded” (Elgin, 24 February 2014). The hackers were clever enough to give their software a name similar to that of Neiman Marcus’ payment software. This is why it went unnoticed in routine reviews by Neiman Marcus’ security team. An investigation found that “Neiman Marcus was in compliance with standards meant to protect transaction data when the attack occurred” (Elgin, 24 February 2014). It is believed that information for fewer than 350,000 customer credit cards was compromised and that “approximately 9,200 of those have been used fraudulently since the attack” (Elgin, 24 February 2014). Although the company was in compliance with the required protection standards, there was negligence on the part of the Neiman Marcus security team. The hackers were in its systems for more than eight months without being detected, even though hundreds of alerts were going off daily. Security professionals should have questioned why these alerts were happening and noticed the new software, even if its name was similar to theirs, sooner than the eight months it took. In this instance Neiman Marcus should be held liable for any losses sustained by its customers.
Between May 8, 2013 and January 27, 2014 various Michaels stores were hacked, and data for 2.6 million customers was exposed during this attack. Credit card and debit card numbers, as well as the expiration dates on these cards, were believed to be compromised. The attack “invaded its point-of-sale system” (Harris, 18 April 2014). This attack was similar to the attacks at Target and Neiman Marcus, which “were believed to be committed by a loose band of criminals in Eastern Europe” (Harris, 18 April 2014). Michaels was able to identify the exact store locations that were attacked and when it happened. As of this reporting only a limited number of the cards have been used fraudulently. There was also a hacking at one of Michaels’ subsidiary companies, Aaron Brothers. The breach at Aaron Brothers impacted roughly 400,000 customers, and it was also a point-of-sale attack. Michaels reported that the hackers used highly sophisticated malware that went undetected for months. This malware would siphon data from customers’ credit and debit cards when they were swiped at the cash registers. Unfortunately, this was not Michaels’ first attack. Its first hacking occurred in 2011, and it was identical to the type of attack that occurred in 2013-2014. Michaels is negligent in the 2013-2014 hacking because after the 2011 hacking it did nothing more to provide additional protection for its systems. The fact that it was exposed once and did nothing to further protect its systems or its customers leaves it with 100% of the liability for the second breach.
In October 2014 Dairy Queen announced it had discovered malicious software at the point-of-sale. “Hackers used ‘backoff’ malware to track and record transactions in register machines” (Stone, 10 October 2014). This breach affected 395 of more than 4,500 Dairy Queen locations throughout the United States. Customers’ names, credit card and debit card numbers, and expiration dates were compromised. The malware was detected in 46 states that have Dairy Queen restaurants. This type of point-of-sale malware is also how hackers were able to break into Neiman Marcus, Michaels, Home Depot, and Target. “The U.S. Department of Homeland Security and the U.S. Secret Service released a security report warning that ‘backoff’ was capable of ‘scraping memory for track data, logging keystrokes, command and control communication and injecting malicious stub into explorer.exe’” (Stone, 10 October 2014). Officials believe this type of hacking has become popular because the antivirus software currently in place at many retailers cannot detect this specific malware and because one point-of-sale attack can give hackers data on more than tens of thousands of consumers. Many of the Dairy Queen stores are franchises. Dairy Queen headquarters does not require its franchisees to follow any standard data breach protocols. As stated by Adam Levin of Credit.com and Identity Theft 911, “it is quite worrisome to me that a major national franchiser would not, among its myriad rules of conduct and practice for franchisees, require franchisees to follow standard data breach protocols in order to protect customers, franchisees and the goodwill of the mother-ship” (Sullivan, 27 August 2014). Based on the fact that there were no standards to protect customers, Dairy Queen is negligent and should be liable for losses sustained by customers.
Neiman Marcus’ president and CEO, Karen Katz, offered a statement that said, “We have taken steps to notify those affected customers for whom we have contact information. We aim to protect your personal and financial information. We want you always to feel confident shopping at Neiman Marcus, and your trust in us is our absolute priority” (Albanesius, 17 January 2014). Neiman Marcus contained the intrusion, removed the malware, and took steps to further secure its information systems. Along with apologizing for the attack, the company reported that “the security of our customers’ information is always a priority and we sincerely regret any inconvenience” (Mohney, 11 January 2014). After the attack, Neiman Marcus spent “$4.1 million so far in legal fees, investigations, customer communications and credit monitoring subscriptions” (Murphy, 25 March 2014). Each customer was offered one year of free credit monitoring. The company is currently working with the Secret Service to bring the criminals to justice. Although Neiman Marcus has taken all these steps, Katz urges customers to be watchful for any suspicious activity on their credit card statements or reports. By taking steps to further secure its systems, offering credit monitoring to its customers, and apologizing for the compromise, Neiman Marcus demonstrates that it recognized the lack of controls in its systems and has taken responsibility for the hacking.
Like many other organizations that have been hacked, Michaels offered an apology for any inconvenience and problems the hacking may cause its customers. They “also offered customers twelve months of identity protections, credit monitoring and fraud assistance services” (Gordover, 11 December 2014). The CEO of Michaels made the following statement: “In an era where very sophisticated and determined criminals have proven capable of successfully attacking a wide range of computer networks, we must all increase our level of vigilance” (Harris, 18 April 2014). This is surprising given that this is their second attack in three years. Just like many other businesses, they took steps to apologize and offer some credit monitoring protection for their customers. They never reported whether they put additional security measures in place for their systems. So although they stepped up and offered some credit monitoring services, it is unclear whether they made improvements to prevent this from happening again.
Dairy Queen repeatedly denied the hacking happened. It was only after many reports that credit cards used at Dairy Queen restaurants had been compromised that the company admitted the hacking took place. In a statement it claimed that a limited number of cards were affected and that it was continuing to gather data, but that the threat had been contained and the malware problem fixed. The company apologized, saying, “We deeply regret any inconvenience this incident may cause” (Stone, 10 October 2001). The company offered “free identity repair services for one year to affected customers and franchise owners” (Dockterman, 9 October 2014) provided by AllClear ID. Its president and CEO said, “Our customers continue to be our top priority” (Dockterman, 9 October 2014). At first Dairy Queen was not taking responsibility for the hacking. Only under continued pressure did it admit the hacking took place, and it then took steps to apologize and offer credit repair services. It also claimed to have resolved its system issues. Ultimately the company recognized it was liable and took steps to rectify the problem.
There is one main thing that all firms could do differently, and we learned it from Neiman Marcus: “pay attention to alarms” (Murphy, 25 March 2014). As mentioned above, the hackers set off the company’s alarms 60,000 times. “On some days, hundreds of alerts were tripped because the card-stealing software was automatically deleted from the payment registers and had to be reloaded” (Murphy, 25 March 2014). Paying closer attention to alarms could alert an organization that there is a breach of security.
All organizations must stay up to date with the newest cyber protection available. If Michaels had introduced more robust protection, the 2014 attack might not have happened. Had Michaels “improved security and accountability” (Gordover, 11 December 2014) after the 2011 attack, this would have “allowed the company’s VAR’s, MSPs, and remote IT support teams to watch over server activity and be alerted in real-time to sensitive or suspicious user actions” (Gordover, 11 December 2014). This would have given them the tools necessary to detect suspicious activity immediately.
“Eager to keep a widespread theft from happening again, retailers and trade groups have been calling for a swift transition to a payment card technology, widely used in Europe and considered more secure, called EMV, which relies on a small chip embedded in each card rather than a magnetic strip” (Harris, 18 April 2014). Although this is becoming more common in the United States, it has been a slow process. Many organizations could also introduce intrusion prevention systems (IPSs). These would monitor network traffic and detect any intrusions.
Finally, consumers must be on the alert. These attacks are not slowing down. Consumers must do everything they can to protect their personal data and continue to review their credit reports for suspicious activity. These steps will ensure that organizations and consumers are protected against hackers.