Discussion Case: How Safe Is Your Personal Information? Technological advances have resulted in profound changes in society. One of the great- est transformations is the collection, storage, and use of personal information. Access to personal information originates from many different sources, often without the individual being fully aware of it. Businesses may endeavor to use this information to recruit strong Chat The Role of Technology 253 employee applicants, offer more attractive products or services to prospective consumers. package desirable investment options to potential investors, and so on. But, the risk that this information will fall into the wrong hands or be used for crim inal purposes is ever present. In August 2014, the Department of Homeland Security announced that breaches of company safeguards meant to protect personal information had occurred at more than 1,000 American businesses already that year. This situation was so dire that some security analysts said that it had become the exception if businesses infor mation systems had not been compromised Criminals had become astonishingly dept at breaking into company records. They had learned how to scan corporate information systems for remote access opportunities a vender with remote access to a company's system, imple, ce cuployees with the ability to work remotely-and then deploy computers 10 use their username and password until they found a working combination. They used these footholds to virtually crow through corporate networks until they gained access to in-store cash register systems. From there, they collected payment card data and sent it back to their serven, often beide the United States Millions of American consumers' payment card details were allegedly sold on the black market to crimi- nals all over the world. Some of the more significant break-ins we described below. At Home Depot, the nation's largest home improvement retailer, 56 million credit card accounts were compromised and 53 million e-mail addresses were exposed. Cybercrim- inals targeted the firm's 7.500 self-checkout lanes, since these terminals were clearly referenced in their computer systems as payment terminals Analysts believed that the intruders went undetected as they moved around Home Depot's systems during regular daytime business hours and designed their malware to collect data transmit it to an outside system, and then crase its tracks before the company's detection systems could discover the attack. At Target, a global retailer with revenues approaching $100 billion annually, an esti- mated 40 million shoppers' information was exposed More than 17 million new credit cards had to be reissued following the attack at an estimated cost of more than $200 million to the financial institutions involved Anthem, one of the nation's largest health insurers, had up to 80 million records accessed by cybercriminals: these included Social Security numbers, birthdays, physical and e-mail addresses, employment information and income data for customers and employ. ces, including the company's own chief executive Anthem officials became aware of the breach when one of their senior administrators noticed that someone was using his identity to request information from the company's database. "This is coe of the worst breaches I have ever seen." said Paul Stephens, director of Privacy Rights Clearinghouse. A cyberattack at Japan Airlines, one of the Japan's two largest airlines, exposed the personal information of more than 750,000 members of their frequent-flier program The stolen data included names, genders, birth dates, addresses, e-mail addresses, and places of work. The company noticed that their customer information systems were run ning slowly for a few days; it later estimated that 190,000 customers' data were stolen during this time. Twitter, the online social networking service, announced that data for 250,000 of its users were vulnerable after it detected unusual access patterns and discovered their systems had been compromised. Accessed were usernames. e-mail addresses, and encrypted passwords. Some believed that the company's systems were entered through a well.publicized vulnerability in Oracle's Java software, a system installed on more than 3 billion devices . Dis Qu As these examples show, various weaknesses in companies' software systems can leave customers' information vulnerable to theft (although most credit card companies have fraud protection programs that eliminate any liability for their customers when their cards are fraudulently used). Many companies were deeply worried about the growing risks of cyberattack, and major financial institutions wanted to minimize their potential liability from the fraudulent use of customer data. How could these companies better protect themselves and their customers? Some firms realized they needed to upgrade security measures within their computer systems to limit access by vendors at remote sites and to require employees working off-site to better secure their computers or other devices with more complex and more difficult-to-detect passwords, Another possible protection afforded to customers was to upgrade credit and debit cards, using technology first developed and adopted in Europe. So-called EMV cards (for Europay-MasterCard-Visa, the companies that first backed this new technology), easily re- ognized by their gold, square symbols, were designed to be inserted into a card payment ter- minal, where they stayed until the transaction was completed. EMVs were more secure, since they were embedded with a special chip that made it harder to access information than from the magnetic strip used on most cards in the United States. EMV cards also created a unique code for each transaction, making them more difficult to counterfeit than striped cards. Credit card networks embraced the new technology and established October 2015 as the deadline for most U.S. retailers to upgrade their payment systems to accommodate EMV cards. Merchant Warehouse, which processed credit and debit card transactions for 80,000 U.S. merchants, reported however that only 60 percent of its clients locations would be able to meet that deadline. A major reason for the delay was cost, estimated to be between $500 and $1,000 per payment terminal. Some big retailers, including Walmart. Kroger. and Target, were aggressive in their upgrades and expected to meet the deadline. "We saw the fact that it was being imple- mented in the U.K. and many other countries around the globe; we saw the fraud decrease once this solution was implemented." said a Walmart financial executive. By 2015, all of the 4,838 Walmart stores, including Sam's Clubs, had the chip-based hardware in place and nearly 1,000 had turned it on. Another concern was the cost of creating and distributing these new cards. By 2014 about 1 billion credit and debit cards were in use in the United States, but just 20 million chip cards had been issued, according to Smart Card Alliance. The new cards could cost up to $2 each, compared to pennies for the magnetic-strip cards. With some financial institu- tions issuing millions of cards, the investment was in the tens of millions of dollars. The increasing costs for security raised an important issue: Who should pay for protection against cyberattacks? Should it be the retailers or the banks ? Predictably, banks said retailers should pay to reissue the new and safer cards after a security breach in which the retailer had been at fault. Retailers countered by saying that banks should take steps to keep cards secure so they cannot be corrupted. This debate made its way to the U.S. Congress, where lawmak- Sources: "US. Finds Backor Heart Tolle 1. What are the benefits and risks to consumers of using paperless, electronic systems to pay for products and services both online and in stores? Do the benefits to consumers justify the risks, or not? 2. Do you think technology will be able to stay ahead of sophisticated cybercriminals, or not? Why do you think so? 3. Who do you think should be responsible for the costs of switching to the more secure EMV card? Retailers? Banks? Consumers? How would different stakeholders answer this question? 4 sonal information by turning to the more secure technology that existed and was used in Europe and Asia for many years? Should the government have stepped in and mandated this technology? 5. If you were managing a retail store or chain, what steps would you take to protect your customers from others accessing their confidential information? If customer informa- tion theft had occurred, what steps would you take to win back your customers' trust and loyalty