The Target Security Breach in Context

NEW YORK (TheStreet) -- So what happened at Target  (TGT), and how much trouble are we in?

Target shares came under pressure after the company announced a security breach that exposed up to 40 million card numbers to thieves between Thanksgiving and last Sunday.

The stolen data included customer names, card numbers, expiration dates and the Card Verification Value (CVV), a three- or four-digit code often used to verify a card's legitimacy.

These data are sometimes called "track data" within the industry. They are encoded in the magnetic stripe on the back of the card. The CVV acts as a "checksum" on the other numbers, letting the processor confirm that the data it reads are genuine.

These data are supposed to be scrubbed from systems as soon as a transaction is processed, according to rules set by large processors such as Visa  (V), rules that are updated regularly.
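As an added example that is not part of the article, the scanner below does the kind of check the scrubbing rule implies: it searches a log or dump for track-2-formatted records, keeps only those whose card number passes the Luhn check digit, and reports them masked. The log lines and the card number are constructed (the number is a published test value, not a real account).

```python
import re

# Track-2 layout (ISO/IEC 7813): ;PAN=YYMMSSSdiscretionary?  The PAN is
# 12 to 19 digits, then a '=' separator, a four-digit expiry (YYMM), a
# three-digit service code, and discretionary data (where issuers carry
# the CVV1 value) closed by the '?' end sentinel.
TRACK2_RE = re.compile(r";(\d{12,19})=(\d{4})(\d{3})(\d*)\?")

def luhn_ok(pan: str) -> bool:
    """Return True if the PAN passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """PCI-style display form: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track_data(text: str) -> list:
    """Scan a blob (log file, core dump, database export) for track-2
    records with a Luhn-valid PAN and return masked findings."""
    hits = []
    for m in TRACK2_RE.finditer(text):
        pan, expiry, service, disc = m.groups()
        if not luhn_ok(pan):
            continue            # arbitrary digit runs rarely pass Luhn
        hits.append({
            "pan": mask_pan(pan),
            "expiry": expiry[2:] + "/" + expiry[:2],  # YYMM -> MM/YY
            "service_code": service,
            "discretionary_len": len(disc),
        })
    return hits

# Constructed sample: a point-of-sale debug log that wrongly retained
# track 2. The second record has a non-Luhn PAN and is filtered out.
SAMPLE_LOG = """2013-12-01 10:15:02 auth ok txn=4471
2013-12-01 10:15:02 raw=;4111111111111111=15121011234567890?
2013-12-01 10:15:03 cfg id=;1234567890123456=1501100?
"""

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_LOG):
        print("retained track data:", hit)
```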

Because this leak did not affect the company's Web store, the hackers probably broke into a data line: one running from the stores to Target, from a third party collecting transactions on Target's behalf to Target, or from Target to its own card processors.

This is the biggest retail card breach since TJX Companies (TJX) lost an estimated $256 million after 45 million accounts were compromised in late 2006 through insecure WiFi and insecure storage of data.

TJX stock weathered the 2007 breach well, something investors selling Target today might want to consider. The shares are up more than threefold since the breach was reported, and that includes a sharp fall during the Great Recession.

Shares in other companies suffering breaches, including processors Heartland Payment Systems (HPY) and Global Payments (GPN), have also recovered from where they were when those incidents happened. Heartland recently hit an all-time high.

Since card processing has been going on for decades, many of the systems in use are based on IBM (IBM) mainframes. Some use custom programming and languages such as COBOL that younger programmers may not know. The whole field is complicated, specialized and focused on meeting regulations that constantly raise the security bar.

Another way to improve security is through so-called "chip and PIN" cards, which include a data-filled chip rather than a simple magnetic stripe. They are now being rolled out through cards often used for European travel, including the American Express (AXP) Platinum card.

These cards are also easier to use in Europe, as they don't always require a signature, just a four-digit PIN like those used on debit cards in the U.S. The new cards hold more data, making them harder to counterfeit. They're not a complete solution, but they are a big step forward.

Of greater concern to security experts such as Brian Krebs of Krebs On Security is that "normal" business software, such as Oracle's (ORCL) Java, is now making its way into the payments industry, and such software is notoriously buggy.

Krebs wrote recently that if a company such as Oracle were to pay a $150,000 bounty for each security bug found in its software, that would come to less than 0.2% of its annual revenues. Some 427 such bugs were found last year.

Stefan Frei of NSS Labs has proposed that such bugs be reported to local centers on each major continent and analyzed at random by a "qualification center" coordinated by the software vendors, resulting in a crowdsourced bug-finding system that would be more generous to programmers than selling the bugs to hackers.

Although many software companies do offer bug bounties, they pay less than private "vulnerability brokers" do, and the companies might have to be nudged by government into raising their payments and building the infrastructure needed to manage them.

Even if all commercial software were patched, however, the annual Verizon Data Breach Investigations Report shows that most breaches result from weak or stolen credentials held by workers, from social engineering aimed at getting those credentials, and from poorly configured servers or Web applications.

If you really want to make money on cybersecurity, your best bet might be to buy a stock such as FireEye (FEYE), which went public in September, or Barracuda Networks (CUDA), which went public about a year ago. Check Point (CHKP) is also up almost 30% this year, proof you can make money on crime by betting on the cops.

At the time of publication, the author owned shares in GPN.

This article is commentary by an independent contributor, separate from TheStreet's regular news coverage.
