Wage hike costs workers Biden should listen Get the latest views Submit a column
OPINION

2 stores, 100M hacks. Where's cybersecurity? Our view

The Editorial Board
USATODAY
Attack on Home Depot’s payment data goes as far back as April.

Here we go again. Almost a year ago, big-box retailers got a huge wake-up call when hackers broke into Target's computer systems and stole 40 million customer credit and debit card numbers. Now, Home Depot has lost up to 60 million card numbersto cyberthieves.

Not only is the number bigger this time, the Home Depot attack went on for five months before it was discovered; the Target attack was discovered after about three weeks. Things are getting worse, not better, and news of the Home Depot debacle came just as several celebrities' nude photos were hacked from their iCloud accounts and posted on the Web.

You'd be excused for thinking that U.S. companies are overmatched in fighting hackers, many of whom operate out of Russia and Eastern Europe.

The companies are making the usual excuses about how hard it is to secure data from determined attackers, and that's valid to a point. Running a secure system, while keeping it open to customers and vendors, is difficult.

Even so, consumers deserve better than excuses, particularly when companies are saving huge amounts in postage and printing by urging everyone to "go paperless." Many companies still don't take safeguarding their customers' financial information seriously enough to invest heavily in solving the problem, or even to simply pay attention.

A Bloomberg/BusinessWeek analysis revealed that Target had installed a sophisticated anti-theft system but inexplicably ignored alarms after the system detected malware.

And according to the security blog Krebs on Security, which revealed the Home Deport attack, the cyberthieves who hit the company used a variant of the same malware.

The problem is enormous. Larry Ponemon, chairman of the cybersecurity think tank Ponemon Institute, says his firm estimates that 47% of adult Americans have been exposed to one or more security breaches. True, customers are protected against fraudulent charges on their credit cards. But, to cover fraud, they pay a little more for everything.

Customers have to get replacement cards and reset auto-pay accounts. Debit cards still lack the full legal protection that comes with credit cards, so bank accounts can take a hit. And research shows that consumers whose credit cards are stolen are at higher risk for identity theft.

What to do? Anti-fraud credit cards with embedded chips might be coming next year — 20 years after they went into widespread use in Europe.

Consumers could help by shunning chains with poor cybersecurity, but how can you tell which retailer is a patsy until it gets attacked?

The government might help by applying the "stress test" concept it uses to probe banks for weakness. Or perhaps the industry could adopt the sort of self-policing the nuclear power industry uses to detect and shame utilities with lax operations.

Whatever the responses, customers who entrust companies with their sensitive financial data (or even their selfies) deserve a lot better than the sort of "security" they've been getting lately from big retailers.

USA TODAY's editorial opinions are decided by its Editorial Board, separate from the news staff. Most editorials are coupled with an opposing view — a unique USA TODAY feature.

Featured Weekly Ad