What's the 'holiday freeze' and why does it put consumer data at risk? - Technical.ly Baltimore

Growth

Dec. 4, 2014 12:27 pm

What’s the ‘holiday freeze’ and why does it put consumer data at risk?

With the holiday shopping season set to ramp up, retailers nationwide avoid rocking the boat with their point-of-sale software. This could pose problems, experts say.
Up to 70 million Target customers had their data put at risk in a security breach during the height of the 2013 holiday rush.

Up to 70 million Target customers had their data put at risk in a security breach during the height of the 2013 holiday rush.

(Photo by Flickr user Nate Grigg, used under a Creative Commons license)

As Baltimore sees its first snow of the season, security experts are ready to watch retailers go into what they call the “holiday freeze.”

A number of Target shoppers got an unwanted holiday surprise a year ago, when the retailer was the victim of a massive nationwide credit and debit card information theft at the height of the Black Friday rush.

Its timing was no coincidence, Ron Gula said.

Gula, CEO of Columbia’s Tenable Network Securitysays more breaches like it are likely, in part because of that “holiday freeze,” which refers to companies’ reluctance to rock the boat with patches and holiday season downtime for their point-of-sale systems.

“There could always be a breach. Certainly the number of people who have been compromised has been increasing, not decreasing,” Gula said. “Anybody who hasn’t had their turn yet is probably more likely than someone who has been attacked.”

In 2013, more than 30 million transactions were made on Black Friday and Cyber Monday, according to Tenable data, and nearly three-quarters of purchases were made using a card. On the other side of the counter, just over 10 percent of stores nationwide take adequate security measures and are spending less on network security now, too, with $4.1 million in protections this year, down from $4.3 million last year, according to Tenable data. And breaches, like that Target data theft, were up more than 26 percent last year.

Making matters worse is that retailers are reluctant to update — not because the IT department has collectively gone home for the month, Gula said, but because companies judge the cure could pose more short-term risk than the disease.

“The reality is you don’t want to be making changes during the busiest time of the year,” Gula said. “Every organization has its own story when it comes to the quality of the patches that they put out. I don’t care who you are. You could be the government, you could be a commercial store. You don’t have the ability to test the patches to the level the Microsofts, the Oracles do.”

Advertisement

However, Avi Rubin, a computer science professor at Johns Hopkins University and technical director of the university’s Information Security Institute, doesn’t believe attacks (and therefore, vulnerabilities) are necessarily limited to such times.

“They seem to crop up at arbitrary times,” Rubin said.

However, Rubin did put some stock in the idea that retailers leave themselves unprotected during the holiday rush.

“When you change your systems … things sometimes break and you want to make sure that things are up and running when you’re going to do a large percentage of your business,” Rubin said.

Earlier this month, Tenable released the newest version of its Nessus software, which scans individual and enterprise networks for security and compliance. The software automates scanning and detects malware.

You must appreciate accurate, relevant and productive community journalism.  Support this sort of work from professional reporters with seasoned editors.  Become a Technical.ly member for $12 per month -30-
CONTRIBUTE TO THE
JOURNALISM FUND

Already a contributor? Sign in here
Connect with companies from the Technical.ly community
New call-to-action

Advertisement

Sign-up for daily news updates from Technical.ly Baltimore

Do NOT follow this link or you will be banned from the site!