Target, eBay, Michaels Stores, Neiman Marcus, P.F. Chang's and SuperValu — the parent of Shoppers Food & Pharmacy. It reads like a who's who of American retail and dining, but it's also a list of companies that lost customer data to cyberattacks in the past year.
Data thieves are striking with alarming frequency and, more and more, security experts say, they target the places where people shop.
The swipe of a credit card, the wave of a mobile phone at Starbucks, logging into retailers' sites via Wi-Fi — increased connectivity, from mobile devices to cloud computing, has opened the door wide for cybercriminals.
Reports of data breaches, relatively rare even five years ago, now crop up constantly. Cyberattacks are growing in size, too, with tens of millions of consumers potentially facing the prospect of having their identities or credit or debit card account information stolen. One breach of 100 million records or more has been reported in each of the last four quarters, according to SafeNet, a data security company based in Belcamp in Harford County.
"People connect from everything to everywhere, and there's no perimeter anymore," said Tsion Gonen, SafeNet's chief strategy officer.
Criminals target retailers because they have access to vast quantities of sensitive information, such as credit card data, through both online and in-store payment systems.
"It's incredibly pervasive and almost unfair to single out specific retailers, because it's just so pervasive," said Avivah Litan, a security analyst at technology research firm Gartner. "Some of them are disclosed and a lot of them aren't. Some don't even know they are breached. It's an epidemic."
Through July this year, more than 385 million customer data records were stolen worldwide. Nearly 40 percent of all records stolen came from retailers, who were harder hit than the financial, technology, government and health care industries. (Though this week, JPMorgan Chase & Co., one of the nation's largest financial institutions, said its sophisticated threat-detection system missed a huge breach of its systems, resulting in the loss of customer data this summer.)
During the first half of the year, retail breaches nearly tripled to more than 150 million records stolen compared with the first half of 2013, according to SafeNet, which tracks cases through its Breach Level Index — a database of breaches that calculates their severity.
Cybertheft is often difficult to trace and perpetrators can be nearly impossible to locate — especially outside the United States. And the underground market for stolen credit card information is thriving, Gonen said.
The average consumer hears about a big retail breach and assumes the company failed to protect itself, Gonen said. But that's not necessarily true.
"Everybody gets hacked," or has the potential to be victimized, he said, including "people who customers trust and data is their business."
In May, eBay announced that 145 million customer accounts were exposed by hackers. In April, Michaels Stores reported that credit card information for 2.6 million customers may have been stolen over a period of months starting last year. In January, Neiman Marcus confirmed that 1.1 million customers' card information was stolen.
Just this month, P.F. Chang's, SuperValu and UPS Stores reported data breaches. P.F. Chang's, an Asian-inspired restaurant chain, said it lost an unknown number of records from 33 locations, including one on East Pratt Street in Baltimore, between April and June. UPS said 51 stores in 24 states were breached, including one in Calvert County.
The SuperValu breach affected an unknown number of customers at 180 stores, including 20 Baltimore-area Shoppers Food stores. SuperValu said its breach occurred in the computer network that processes payment cards at some stores, where account numbers, expiration dates and/or cardholder names could have been stolen.
Consumers may not be able to prevent credit or debit card fraud, but they can take steps to protect themselves and minimize damage, the Federal Trade Commission says. Shoppers should save receipts to compare to statements, review bills online right away or often, and report any questionable charges to the card issuer, the FTC suggests. Retailers that get hacked typically offer free credit monitoring services to their customers.
Companies that are breached often hire security firms to investigate and contain the breach to allow shoppers to continue using their cards.
One of the largest breaches in history occurred in November and December at Target, where the payment card data of 40 million shoppers and personal data of 70 million shoppers were stolen.
John Mulligan, Target's chief financial officer, told a U.S. Senate committee in March that the company believes "intruders" obtained an HVAC vendor's credentials and somehow moved into the retailer's network to place malware on point-of-sale registers. The software apparently captured payment card data from the magnetic strip of credit and debit cards before they were encrypted within the system, Mulligan said.
Target later found that levels of fraud were less than expected. During testimony to the Senate Commerce, Science and Transportation Committee, Mulligan said the Target-branded REDcard had only a 0.1 percent increase in fraud after the breach.