We have all heard about the massive data breach suffered by Target. What does that have to do with being a contractor?
What happened?
Cyber security is a dangerous and dynamic risk that many businesses face. There are security protocols in place by the government, insurance available to mitigate such an exposure, and countless ways to control this loss from inside the business. All of this has been geared toward larger firms until recently, when it became painfully evident that even smaller contractors are at risk.
Utilizing access credentials from a third-party HVAC contractor called Fazio Mechanical, intruders uploaded a virus capable of stealing debit and credit card information from Target’s point-of-sale devices. The intruders used the time between Thanksgiving and Black Friday of this past year to make sure their point-of-sale malware was working as designed. Just two days later the malware had infected most of Target’s point-of-sale devices. Target reported that the breach exposed some 40 million debit and credit card accounts between November 27 and December 15, 2013. The stolen information was offloaded to several “drop” locations, which were essentially compromised computers that could be safely accessed by perpetrators in Eastern Europe and Russia. No company using internet services is immune to such an infection.
The Repercussions
Although it remains unclear why Target would grant external network access to the HVAC contractor, this unfortunate event is a clear message that any business conducting its operations over the internet is subject to massive security breaches. It has been reported that granting this access makes it easier for contractors to conduct their day-to-day maintenance and surveys to keep stores running properly, or to troubleshoot minor issues without interrupting Target’s operations. Fazio made the public statement that its virtual connection with Target was strictly for billing purposes and that Target was its only customer using electronic billing/submission services (meaning that no other companies it conducts business with are impacted by this breach).
A fraud analyst reported the following: although current standards do not require organizations to maintain separate networks for payment and non-payment operations, they do require merchants to incorporate two-factor authentication for remote network access originating from outside the network. In other words, Target needed more secure access points for all personnel and third parties. Target is now responsible for legal fees and credit monitoring for the tens of millions of customers impacted by the breach. The same fraud analyst estimates that Target could face almost $420 million in losses (including payments to banks to reimburse them for reissuing millions of cards, fines for non-compliance, and legal fees/credit monitoring for the millions of customers impacted by the breach). Target may be able to cover some costs through insurance claims, but insurance won’t cover it all. It is probably safe to say that there will be litigation between Target and Fazio. To add insult to injury, Target stated that upgrading its card security services could cost up to $100 million.
The Message to You
This horrible situation could happen to any business using the internet to store confidential data or to interact with GCs, owners, etc. This awful event is an example of just how dangerous cyber breaches can be and how easy it is to obtain financial information. What is agonizingly clear is that hackers aren’t just exploiting large corporations’ networks. Although Fazio was only granted limited access, its poor cyber security presented the perfect opportunity for the intruders. The only way to effectively manage this risk is through careful planning and preparation. Companies need to be more aware of the size of the virtual target on their backs and proactively work to shrink it. Only 40 million people were affected by this breach; however, this number could grow exponentially if businesses of any size utilizing online services aren’t more careful with confidential information.
There is some insurance coverage available for this type of risk. There is no standard policy form, so be careful what you purchase. Ultimately, as with anything, the best insurance is proper preparation.
Further Reading
- http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
- http://www.darkreading.com/attacks-and-breaches/target-breach-hvac-contractor-systems-investigated/d/d-id/1113728