Computer security hacks at Target, Michaels and other large retailers are leading small businesses in the Pikes Peak region to evaluate the risks to their own cybersecurity measures. Consumers are also concerned about the risk to their privacy after the retail attacks and revelations about their vulnerability to the security bug dubbed Heartbleed.
Target Corp. stores were the subject of a massive data breach during the 2013 holiday shopping season. As many as 110 million credit and debit cards, emails and mailing addresses were stolen from the company's point-of-sale system, according to a corporate statement in January. Information from three million cards was stolen from Michaels Stores and its Aaron Brothers subsidiary.
According to the Consumer Bankers Association, banks and credit unions have spent more than $200 million to replace debit and credit cards related to the Target breach alone. “Financial institutions of all sizes have been aggressive in ensuring their customers are protected in response to the Target data breach,” said Richard Hunt, president of the Credit Union National Association, in a February press release.
Target Corp. saw its fourth-quarter 2013 profit decrease more than 46 percent. The retailer is also still the subject of investigations and lawsuits by consumer organizations and banking institutions.
Credit card companies offer discounts on swipe fees to encourage small business owners who accept credit and debit cards to increase their security measures. “If we have the address with ZIP code and the CVV code, there is more security for the customer and less expense for our business,” said Amber Mustain, owner of Twigs and Posies florist in Colorado Springs. The CVV, or card verification value, is the three-digit code on the back of credit cards. The CVV was introduced in 1997 to help provide additional security for credit card transactions.
Systems such as Square, which allows smartphone users to swipe credit cards to collect payments for organizations and small business transactions, claim to help secure transactions by never allowing unencrypted card information to reach the user's phone, according to the company's security documents.
The Heartbleed bug, discovered in March and announced in April, affected many websites using the OpenSSL web security system. The leak allows attackers to obtain secret keys, user names, passwords, instant messages, emails and critical business documents, according to the http://heartbleed.com site run by Codenomicon, one of the organizations that discovered the issue, along with Google.
Sites impacted by Heartbleed include nearly all social media sites, including Facebook, Google+ and Pinterest. Most banks were unaffected, but Dropbox and TurboTax, where many users post financial information, were impacted, according to an LWG Digital Forensics report. The federal government announced April 19 that the HealthCare.gov site and other federal sites, including the WhiteHouse.gov online petitions page, were vulnerable.
Small businesses see the Heartbleed bug as less of a threat to their own operations, one that affects them only as consumers. “My son has pinged out over it, but no one else I've talked to has said anything,” said Brian Swanson, co-owner of LnB Connectors, a Falcon-based business consulting company.
National and international companies are more concerned, according to Joseph Steinberg, CEO of SecureMySocial, who was quoted in the April 10 issue of Forbes Magazine.
“Some might argue this is the worst vulnerability found since commercial traffic began to flow on the Internet,” Steinberg said.
The Department of Homeland Security recommends that users change their passwords on affected sites after the site confirms it has taken the necessary patch steps, starting with the sites that contain the most sensitive personal information. DHS offers more information and tips about Heartbleed and other vulnerabilities at http://dhs.gov/stopthinkconnect.