GO
Loading...

'Worst breach in history' puts data-security pressure on retail industry

The Target security breach that may have affected as many as 110 million customers — with their names, mailing addresses, phone numbers and credit card information possibly swiped — ranks as the most extensive corporate data hack ever, experts said on Friday.

"This is the worst breach in history," Ken Stasiak, CEO of SecureState, told NBC News. "It's 2014. We expect retailers of this magnitude to have better security, weigh their risks and spend the resources necessary to secure their data."

Yet without a massive shift towards a credit card technology called EMV that stores data on a chip instead of a magnetic strip, it's likely that data breaches of this size and scale will continue to plague the retail industry, Chester Wisniewski, senior security adviser at Sophos, told NBC News.

Some holiday shoppers had earlier cut up their cards after Target announced on Dec. 19 that some 40 million accounts had been put at risk by a hack that stretched from before Black Friday through mid-December. When the company announced on Friday that 70 million or more people may have been affected, however, the breach soared past prior incidents like the 2007 theft of 45 million credit card numbers from the parent company of TJMaxx and Marshall's.

(Read more: How debit, credit card users can protect their info)

A Target customer prepares to sign a credit card slip.
Getty Images
A Target customer prepares to sign a credit card slip.

Seven years ago, however, these kind of massive hacks were relatively new. The third-largest retailer in the United States should have been more prepared by now, Stasiak said.

"For the sheer volume of data stolen over time, this is new world-record territory for sure," Chris Camejo, director of assessment services for NTT Com Security, told NBC News.

Malware attacks that target a company's point of sale system are becoming more common, Stasiak said, and such a high-profile case could convince other retailers to up their security. There is also the possibility that the U.S. government steps in and imposes its own payment security standards, which today are set entirely by retailers. More small businesses – where the majority of credit card breaches occur – could also commit to payment card industry (PCI) standards that require data encryption, firewalls and other measures.

But stricter standards probably wouldn't prevent massive breaches at big retailers, Wisniewski said, because they usually already have strong security protections in place. (No experts, however, could comment specifically on Target's preparedness for the attack, because the company hasn't shared many details about its privately built payments system).

(Read more: Neiman Marcus:Hackers may have stolen card data)

Due to the degree of difficulty involved, these headline-grabbing hacks are usually custom jobs, Wisniewski said, meaning there are few security solutions that can be applied across the entire industry.

According to Wisniewski, there is only one move that would put an end to these breaches: adopting EMV standards. That means using credit and debit cards that use an encrypted chip instead of a magnetic stripe for more secure transactions. In Australia, similar measures cut the number of fraudulent credit card charges by 29 percent in 2013, according to a report from the Australia Payments Clearing Association.

The U.S. government wants retailers to start making the switch by 2015, but adoption of EMV standards means replacing nearly every payment card terminal in the United States. Smaller merchants are reluctant to foot the bill, Wisniewski said, while banks don't want to issue new EMV cards until it becomes the retail standard.

Still, it's the only thing that would really make a difference, he said.

"With EMV, in other parts of the world, we have never seen more than one credit card compromised at a time, as opposed to 40 million in one go," he said. "It changes the game."

Of course, that won't provide much comfort to Target customers who already had their information stolen. It is unlikely that both data sets stolen from Target were combined and sold together on the black markets that digital thieves prefer, said James Wester, research director of IDC Financial Insights. That is because hackers want to "sell the data as quickly as possible to make a buck," he said.

There might be some silver lining to the massive hack. According to Camejo, experts in the security industry see the sophistication of this latest attack as a sign that criminals are getting desperate.

"Security has been improving, which is why hackers have been resorting to new and novel techniques to steal data," he said. "So we're getting better, but it's still a cat-and-mouse game."

(Read more: Retailers' biggest problem right now? The sale bin)

Multiple experts said consumers aren't more at risk now than they were before — they are probably just more aware of the danger, thanks to the high profile of Target. That could make for savvier shoppers.

"With every data breach that occurs, another avenue for data to be compromised is closed off," Wester said, although he cautioned that the arms race between retailers and criminals will probably never end. "As long as there is payment data that can be stolen, there will be hackers who will try to find a way in."

By Keith Wagstaff of NBC News

Contact Retail

  • CNBC NEWSLETTERS

    Get the best of CNBC in your inbox

    To learn more about how we use your information,
    please read our Privacy Policy.
    › Learn More