Experts: Expect more breaches during holiday season

November 20, 2014

NEW YORK (11/21/14)--It's probably the last thing credit unions--which have been saddled with millions of dollars in costs as a result of recent mega-retailer data breaches--want to hear, but many experts are forecasting a new round of cyberattacks on payment data held by merchants this holiday season. 

"It's just a matter of when they're going to get hacked, not if," Robert Twitchell, president/CEO of the cybersecurity firm Dispersive Technologies, which serves as a consultant to the U.S. Department of Defense in its war against cybercrime, told the International Business Times (Nov. 18).

"It would be a surprise if it doesn't happen again," added John Rose, Boston Consulting Group's global leader. "The cyberattack community is equally aware of the importance of the holiday season, and they've been working on things for a while, so you're going to see an intensity of effort."

Unwelcome news compounded by the fact that merchants continue to operate under payment data security standards that don't match the strict standards financial institutions are required to meet.

Twitchell said that merchants may spend more on safeguarding payment data than in the past, but it still may not be enough to ward off cybercriminals.

"IT organizations have paid attention only to the ABCs of hacking," Twitchell said. "They're adhering to PCI compliance, a government standard of basic security, but the standard hasn't kept up with innovation."

And Twitchell isn't the only one worried about payment security at merchant stores.

Brian Krebs from, a cybercrime blog, said that he expects a new major breach will surface in only the next few weeks.

"The retail industry is just the lowest of the low-hanging fruit when it comes to cybersecurity," he said on "CBS This Morning."

Retailer security performance continues to decline as well, according to the security benchmarking firm BitSight ( Nov. 18), especially for those who have yet to come under attack.  

While a number of retailers that have been hit with breaches have seen improvements in security performance, BitSight found that 58% of the 300 merchants it polled recently had experienced a 90-point decline in performance over the first three quarters of 2014 on a scale that runs from 250 points to 900.

The Credit Union National Association has been on the forefront of the effort to press lawmakers on the issue of unequal payment data security requirements between financial institutions and merchants.

Credit unions nationwide suffered $57 million in costs related to the recent Home Depot data breach, including card reissuances and other fraud-related costs, after getting hit with $30 million in costs from the breach that occurred at Target stores last holiday season.

Meanwhile, the stakes for those that hold sensitive consumer payment data continue to rise. So far this year, 644 breaches have been reported, a 25.3% increase from last year, according to Theft Resource Center ( Nov. 19).

Further, Federal agencies have warned businesses in the United States that hackers are becoming more sophisticated and organized, and even the Chinese government has been sponsoring cyberattacks in search of patented technologies, according to the International Business Times.

The attacks will also continue to evolve, it appears, as Trend Micro predicts that data breaches will migrate to mobile devices carrying personal payment data next year, according to

"In 2015, we expect attackers to hack smart device-markers' databases to steal information," Trend Micro reported.

The company also said that a more diverse range of targets will come under fire from cybercriminals, but that personal financial information will continue to be the most hunted data.

Stop the Data Breaches

Identity Theft: Who’s Got Your Number? electronic member seminar kit

Anytime Adviser ID Theft coach

Lock Down Your Smartphone drive-up envelope

Stickley on Security

Awareness Technologies/CUNA Strategic Services

DH Compushare/CUNA Strategic Services

SilverSky/CUNA Strategic Services

TraceSecurity/CUNA Strategic Services