Tens of millions of Americans were recently exposed to a rude shock: theft of their credit card numbers, names and, in some cases, phone numbers and e-mail addresses. They were simply shopping at Target stores and had no idea that when they swiped a credit card at the cash register, they turned over private information to thieves.
This ought not be viewed as just another bad shopping day in the digital age. The massive Target data breach and ones like it at other stores are warnings of a persistent and deepening cybertheft problem that needs to be confronted. Computer networks are vital to American capitalism and society, but they remain surprisingly vulnerable to thieves and hijackers. Law enforcement does not have the resources to stop them; the private sector is growing more aware but remains exposed and complacent; and Congress has yet to find a consensus.
In the past several years, Congress debated cybersecurity bills that would have made it easier for the government and private sector to cooperate. The legislation died, in part because of opposition by some in the business community who called the requirements too intrusive or burdensome. When Congress failed to act, President Obama issued an executive order to improve the sharing of information between government and the private sector. This was a good first step, but it was not enough.
Not long ago, there was debate about whether the National Security Agency, which has developed cybertools to protect U.S. military networks, ought to partner with the private sector in fending off cyberthieves and espionage. Revelations about NSA surveillance have reduced the political viability of that option, at least for a time.
The Target breach appears to be one of the largest retail data thefts ever carried out. It is still under investigation, but apparently the thieves used malware written by a Russian teenager that scraped the data from card readers in the stores. Most of the time such information is encrypted, but there is a fraction of a second when the credit card data are in the clear and in the system's memory. That's when the information was stolen.
Target has said the intruders may have taken credit and debit card data from 40 million holders and compromised the personal information of 70 million others, including names, mailing addresses, e-mail addresses and phone numbers. If thieves had come up to customers at Target and physically wrested this many credit cards out of their hands, there would have been an uproar. But the data breach unfolded silently between Nov. 27 and Dec. 15. The victims did not know it was happening. Target says that customers have zero liability for fraudulent charges, but the loss of their personal data is likely to leave many people feeling ripped off and angry.
Credit cards with chips that encrypt data would help, but they are not yet in wide use in the United States. More broadly, Congress must now get serious about cybersecurity. The private sector has much at stake but may not be able to cope on its own. And it is not just businesses that are under threat. Already, millions of consumers are paying the price of inaction.