By any standard, the hacking of Target, Neiman Marcus and other retailers over the holiday shopping season was epic in scope. From Target alone, attackers armed with malware managed to steal financial and personal data on tens of millions of customers.
Most analysts and news outlets blamed the breach on the security of Target’s Windows-based Point-of-Sale systems; over at Krebs on Security, Brian Krebs cited unnamed sources as telling him that the Target attackers compromised a company Web server and used that entry point to upload malware to the POS hardware, before setting up a control node within Target’s internal network. “The bad guys were logging in remotely to that [control server], and apparently had persistent access to it… They basically had to keep going in and manually collecting the dumps,” one of those sources told the Website.
Given the increasing sophistication of hackers and their tools, more retailers will surely face security breaches in months and years to come. That places enormous pressure on those retailers’ security arms (whether internal or subcontracted) to discover and eliminate potential vulnerabilities—a job made harder by the hairball of outdated software, lax security procedures, and heterogeneous environments that pass for many corporations’ backend IT infrastructure. With another large-scale breach, not a question of “if” so much as “when.”
Although massive data thefts could harm retailers’ sales in the short term, it’s unlikely that millions of people will ever stop shopping at Target and similar franchises. Nor will customers spontaneously switch from using credit- and debit-cards to cash—there are bonus miles and cash-back to be earned, after all, not to mention debt to manage. With enough highly publicized breaches, however, customers could become more reluctant to voluntarily give their personal information in response to in-store surveys (“How often do you shop here?”) and online questionnaires (“Rate this product or service!”), fearing that it could ultimately end up in the hands of hackers halfway around the world—which in turn could degrade the quality of the data that retailers use for their insanely complicated analytics dashboards. Hacking may also compel significant groups of consumers to jump between retail brands, preventing any one of them from building up large amounts of personal data.
In other words, given enough hacks injecting enough paranoia into the system over the long term, retail analytics could begin to slowly but surely degrade to the point where it becomes more difficult for those companies to gain insights into consumer behavior. In a world where those insights are increasingly necessary—just look at what Amazon’s thinking about with its patent on “anticipatory” shipping—that could prove bad news for retailers (although maybe not worse than massive leakages of financial data).