Copyright ©2014 NPR. For personal, noncommercial use only. See Terms of Use. For other uses, prior permission required.

MELISSA BLOCK, HOST:

This is ALL THINGS CONSIDERED from NPR News. I'm Melissa Block.

AUDIE CORNISH, HOST:

And I'm Audie Cornish.

When a massive security breach was confirmed by Target, there was no doubt it would impact the company's bottom-line. Today, we got an initial idea of how much it could hurt. Target announced its profits during the crucial holiday quarter fell 46 percent from the previous year. The breach put the personal data of tens of millions of customers into the hands of criminals.

BLOCK: Target says it's already spent $61 million dealing with the fallout from the theft, though insurance will cover most of that. Cyber attacks on Target and other retailers have made Americans much more aware of the risks to their personal data, online and at stores.

CORNISH: We're going to learn more about the underlying causes of cyber crime by going now to San Francisco, where thousands of experts have gathered for an Internet security conference.

AARTI SHAHANI, BYLINE: Aarti Shahani, of member station KQED, went to the conference and kept hearing the word outsourcing.

I say outsourcing and maybe you think: threat to American jobs. But here at the Moscone Convention Center, outsourcing means a different kind of threat: To our data.

ANDY ELLIS: You get what you pay for is something that people do have to acknowledge.

SHAHANI: Andy Ellis is chief security officer with Akamai Technologies.

ELLIS: And certainly if you move it to somewhere that's a lower cost, there's a reason it's lower cost. Sometimes it is cheaper there, so people don't need as much. But sometimes it is because you aren't getting as skilled personnel.

SHAHANI: Just like the big manufacturers outsourced, online companies do, too, for their websites, mobile apps, accounting. But the downside isn't just a poorly made T-shirt. It's data theft with untold consequences.

Now just about every person in this room is selling a security service. While they disagree on the merits of outsourcing, they agree it's a big security problem. Dwayne Melancon, with Tripwire, says the decision to cut costs can backfire on the consumer.

DEWAYNE MELANCON: You provide information to a company. And all of a sudden it gets compromised because of a weak link to a third-party contractor, it's your problem. It's not the company's problems.

(SOUNDBITE OF A NEWS CLIP)

UNIDENTIFIED MAN: It is our top story this morning, the theft of payment card information at Target...

SHAHANI: That recent high-profile breach happened because hackers stole information from a third-party vendor, an air-conditioning company in the U.S.

Security analyst Chris Coleman, with Lookingglass, says we need to pay more attention to this trend. He just did an audit of about 20 subcontractors that big banks hire and he got a breathtaking finding.

CHRIS COLEMAN: A hundred percent of third-parties showed signs of compromise or indicators of threat.

SHAHANI: A hundred percent?

COLEMAN: A hundred percent.

SHAHANI: Is that surprising?

COLEMAN: No. Our global cyber landscape is a very scary place.

SHAHANI: While weak links are everywhere, Coleman saw one that stood out with the foreign servicers. Lots of them used computers that are infected with an old worm. It's curable and not harmful in itself, but it's also a signal for criminals looking to find entry points.

COLEMAN: It was more predominantly coming out of networks that were in the foreign markets. I know the U.K. for sure, India and Southeast Asia.

JOHN STEWART: When I go to China, they want to know: Well, how are you protecting, like, our information from the U.S. people that are high risk? How do you wall that garden?

SHAHANI: John Stewart is chief security officer at CISCO.

STEWART: So it really depends on where you're sitting what you think the risk is.

SHAHANI: There's a lot of distrust about data security, especially after the NSA revelations. But Stewart notes the U.S. is better at building trust in one key respect: We have laws that make companies tell police when a breach has happened. He remembers being on a panel in another country and some guy said all the data theft is coming from the USA. Stewart pushed back.

STEWART: Well does this country have mandatory disclosure law? And there was no. And I said, well, then how do you know we're the only ones creating the problems? We're the only ones that are transparently telling you that we created the problems.

SHAHANI: Stewart says if everyone shared details on data breaches, the way they shared the data itself, cyberspace would be a lot less scary.

For NPR News, I'm Aarti Shahani in San Francisco.

Copyright © 2014 NPR. All rights reserved. No quotes from the materials contained herein may be used in any media without attribution to NPR. This transcript is provided for personal, noncommercial use only, pursuant to our Terms of Use. Any other use requires NPR's prior permission. Visit our permissions page for further information.

NPR transcripts are created on a rush deadline by a contractor for NPR, and accuracy and availability may vary. This text may not be in its final form and may be updated or revised in the future. Please be aware that the authoritative record of NPR's programming is the audio.

Comments

 

Please keep your community civil. All comments must follow the NPR.org Community rules and terms of use, and will be moderated prior to posting. NPR reserves the right to use the comments we receive, in whole or in part, and to use the commenter's name and location, in any medium. See also the Terms of Use, Privacy Policy and Community FAQ.