Heather Somerville

San Jose Mercury News

San Jose, Calif. — Hold onto your credit cards. Cybercriminals are eager to hack them, and this holiday shopping season, there is a good chance they will be successful.

Despite the massive and high-profile data breach at Target last year, in which thieves stole credit card or personal information for up to 110 million people just as the shopping season kicked into high gear, many large retailers remain woefully unprepared to defend against a cyberattack, according to security experts.

Meanwhile, cyberthieves are smarter and more efficient at breaking into retailers’ networks and stealing consumer data, and some credit card companies are ratcheting down fraud protection to speed transactions during the shopping rush.

That sets up the holidays to potentially be a whammy of a payday for criminal groups and puts consumers at greater risk as they enter the biggest shopping season of the year.

“It’s the perfect time to get boatloads of credit cards in one shot,” said John Kipp, chief operating officer for security firm Sera-Brynn. “The holiday season is a wonderful time for criminals.”

And consumers can expect to pay as retailers face mounting fines from financial regulators for data breaches, and must invest in pricey new security systems.

According to a study by Cambridge, Massachusetts-based security firm BitSight Technologies, which analyzed the risk of a breach at 300 large retail companies, 58 percent of retailers are less secure than they were a year ago because more hackers have been getting inside their firewalls and stealing data, often quicker and more stealthily than they were before.

Retailers that just a few years ago weren’t worried about cybersecurity are struggling to plug the holes in their networks and their vendors’ networks. Many retailers don’t have cybersecurity expertise in their boardrooms, can’t find the cash to invest in the protection they need and are too slow to react in the cat-and-mouse game with cybercriminals, experts say.

“Compared to two years ago, I would say that not much has changed except the urgency by the criminals,” said Martin Ferenczi, president of North American operations for Oberthur Technologies, a digital security company.

The gaps in security suggest data breaches are as inevitable during these next few weeks as the ugly Christmas sweater party and jockeying for parking at the mall.

Experts say holiday season is prime time for criminals, who see crowded malls and customers armed with credit cards and shopping lists as easy targets. And this holiday season is expected to be a lucrative one, with the National Retail Federation predicting sales in November and December will grow 4.1 percent over last year to $617 billion, and shoppers will spend about 5 percent more on gifts than last year.

“Bad guys know that this is a big shopping season,” said Bob Ackerman, founder and managing director of venture capital firm Allegis Capital and an expert in cybersecurity issues. “Bad guys are on the prowl, they are active, and they know this is a time of year where there is a lot more fish that their net can capture.”

Compounding the risk is that credit card companies usually relax fraud rules between Black Friday and Christmas because they have to process a tremendous volume of purchases in a short period of time, security experts say, and fraud detection often slows down transactions.

Since the start of the year, more than 500 million credit card records have been stolen, according to cybersecurity firm TrapX Security. This year, there have been 20 publicly reported data breaches at major retailers.

“It’s definitely going up,” Kipp said. “We’ve already eclipsed last year in terms of data breaches, and the holidays haven’t arrived yet. I think it’s going to get ugly.”

Retailers have ramped up security plans to protect themselves and their customers after the Target breach, a sweeping hack in November 2013 that convinced most retailers that cyberattacks are a real and unavoidable threat.

Still, most corporations have moved too slowly to keep up with cybercrime syndicates, which need only a computer and a savvy hacker to wreak havoc, experts say.

“If the question is how fast can corporate America adopt these new technologies, the answer is it’s going to be too late for this season,” said Carl Wright, general manager and executive vice president of TrapX Security.

Retail industry leaders, however, say credit card companies and banks haven’t taken enough responsibility for protecting consumer data, at times stymieing retailers’ progress. Recently, about 100 retailers joined together to share information about bugs and potential threats, keeping each other’s networks safe, said Mallory Duncan, senior vice president and general counsel for the NRF.

“It’s like having a neighborhood watch so they know the threats in the vicinity,” he said.

There are signs of progress. The study by BitSight Technologies found that three-quarters of retailers who experienced a data breach did improve their security, a bright spot that shows the breach “woke up boards and woke up executive management teams,” said Stephen Boyer, BitSight’s co-founder.

These retailers have embraced cybersecurity, not just as a job for the IT department, he said, but as a new way of doing business that involves better technology, buying cyberinsurance, hiring security experts and sometimes replacing top-level executives. Target ousted its CEO following the breach and replaced him with Brian Cornell, known for his data security chops.

These efforts help minimize the risk, but they also cost the retailer, who may pass the buck to the consumer.

“It gets passed on in higher prices,” said Venky Ganesan, managing director and venture capitalist at Menlo Ventures. “It’s the silent pass. They are going to try and pass the entire thing on to consumers.”

Tips to protect yourself from retail hacks

■ Pay in cash

■ Use prepaid cards

■ Avoid debit cards

■ Don’t make purchases on public Wi-Fi

■ Secure all your accounts with strong passwords, and change passwords frequently

■ Store passwords using secure programs such as 1Password or LastPass

■ Use encrypted websites, which begin with “https”

■ Carefully review credit card bills

■ Ask your financial institutions to set up fraud alerts on your accounts

■ Ask your bank for a credit card with EMV chip technology (Wal-Mart and Sam’s Club have EMV chip card readers)

■ Update your computer operating system
