Retailers: Beware the Equifax breach

Through a special arrangement, presented here for discussion is a summary of a current article from the Retail TouchPoints website.

On Sept. 7, Equifax revealed that it had suffered a security breach that could impact as many as 143 million consumers in the U.S., the UK and Canada. Retailers also face considerable risk.

False account creation and account takeovers are the biggest issues retailers will have to tackle in the wake of the breach, which occurred from mid-May through July.

Credit card fraud attempts increased 15 percent year-over-year during August, a period that does not typically see such jumps in activity, according to data from Forter, an e-commerce fraud prevention solution provider.

“The first thing to know is that it’s still not very clear what specific data was actually stolen,” Michael Reitblat, CEO of Forter, told Retail TouchPoints. “We’re still trying to understand whether it’s all the information you could possibly think of in terms of data from a credit bureau — which is extremely bad — or if it’s just partial data. It’s clear that names, Social Security numbers and addresses were all stolen.”

If security question data was stolen, cybercriminals may be able to reset passwords and gain access to store cards because consumers tend to use the same answers to security questions everywhere. New accounts can also be opened with the stolen information. Said Mr. Reitblat, “They can then use someone else’s stolen credit card with that account, or just leverage promotions and identity-based free trials that don’t require a credit card.”

In the short term, retailers should review changes in buyer behavior that occurred during the weeks following the breach to identify any uptick in fake account activity.

Longer-term, retailers should be sure to use dynamic data, rather than static data (such as an unchanging user name or password), for consumer authentication.

Finally, retailers need to maintain consumer trust and confidence in the wake of the breach, even though this one didn’t involve them directly. This latest incident is a reminder that “databases will be breached and consumer information will be out there,” said Mr. Reitblat, so retailers need to operate with that unsettling fact in mind.

Discussion Questions

In what ways do you see the Equifax breach affecting retail businesses? How can retailers guard against cyber theft resulting from the breach? Are there any lessons from breaches such as this that don’t hit retailers directly?

10 Comments

Mark Ryski
Noble Member
6 years ago

The Equifax breach was yet another reminder that data security needs to be on the senior leadership’s agenda. As we learned in the aftermath of the Target and T.J. Maxx breaches, even the most thoughtful retailers can be compromised. Retailers need to realize that there is no way to completely prevent a breach from occurring — governments and some of the largest, most successful businesses can’t prevent breaches. However, retailers need to remain vigilant and proactive in their approach to security — it needs to remain a top priority of every CEO along with a formal action plan to manage a breach should it occur in order to minimize the damage and restore consumer confidence.

Mark Heckman
6 years ago

The full effect of a breach of this magnitude won’t be known for quite some time, but clearly retailers must be mindful that bad people have access to your good customers’ data and could use it at any moment at your store or website.

To that end, no matter where the culpability may lie, good retailers will proactively have safeguards in place to mitigate fraud. I am not a security expert, so those measures are beyond my pay grade, but we all know the damage that was done when Target’s data was breached a few years back and they were arguably slow to respond.

There are also steps consumers can take. One is to make sure you turn on the alerts from your credit card bank when your accounts show activity.

As this situation unfolds, the learning from this breach will hopefully spur some innovative thinking on behalf of retailers to protect their customers’ interests.

Neil Saunders
Famed Member
6 years ago

The brand damage done by breaches is immense. Sadly, even the most robust plans and security cannot completely remove the risk. That makes it vital for retailers to have mitigation plans – part of which should involve being honest and open with customers.

Roy White
6 years ago

As one of the 143 million people whose data has been stolen, I would pass on that I would hope that no retailer reacts as Equifax has done: five-week delay in announcing the breach; three executives selling off stock with the claim that they didn’t know of the breach even though one was the CFO; no proactive announcement; not much information available; continued use of vulnerable programming; few public announcements and a restitution which requires sensitive data.

Retailers engage with customers in a very close way — unlike a financial security service like Equifax — and if they were to follow the Equifax reaction model they would lose most of them. The scale of this breach and the fact that it follows a string of breaches over the past several years tells us that this situation is likely to happen to a great many retailers. Careful preparation for handling a breach — in particular how customers are treated — is now an essential part of the operational planning for all retailers.

Ed Dunn
Member
6 years ago

The number one cause of data breaches is unencrypted data. It is shocking to see over and over customer data in plain text in databases by a major corporation or retailer. Many firms choose not to encrypt data to provide faster data retrieval but this is an old argument that does not hold up with faster computers in 2017.

Equifax held this data unencrypted on a database that is connected to their website — the same way many e-commerce operations are set up.

It is important to work only with data providers who can provide encryption as well as tokenization. More importantly, there are ways to perform a text search against an encrypted dataset. Do not allow your data to be stored in plain-text to justify plain-text search features, demand an encrypted search solution.

Keep in mind there is a fine the government imposes per-user for exposed data that can run in the millions of dollars for data breaches, not including EU fines for European customers.
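Ed Dunn’s point above (keep the data encrypted at rest, tokenize, and still be able to search it) can be shown in working code. The following Python is an illustration added here for this discussion; it is not from the RetailWire page, from Ed Dunn, or from any vendor named on it. It assumes two constructed demo keys (`ENC_KEY`, `IDX_KEY`), a hypothetical `CustomerStore` table, and, so that it runs on the standard library alone, an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag as a stand-in for AES-GCM. The searchable part is a keyed “blind index”: the database holds an HMAC of the normalized SSN next to the ciphertext, so a lookup recomputes the HMAC and matches on it without any plaintext in the table.

```python
import hashlib
import hmac
import os

# Constructed demo keys. In production both come from a KMS or HSM, never
# from source code, and the index key is held apart from the encryption key
# so that a copy of one does not unlock the other.
ENC_KEY = b"demo-encryption-master-key-not-for-production"
IDX_KEY = b"demo-blind-index-key-not-for-production"

NONCE_LEN = 16   # random per-field nonce, stored with the ciphertext
TAG_LEN = 32     # HMAC-SHA256 tag, encrypt-then-MAC


def _subkey(master: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific subkey so keystream and MAC never share a key."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream.

    This stands in for AES-CTR so the demo needs no third-party library;
    a real deployment would use a vetted AEAD such as AES-GCM instead.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_field(master: bytes, plaintext: str) -> bytes:
    """Return nonce || ciphertext || tag for one sensitive field."""
    nonce = os.urandom(NONCE_LEN)
    pt = plaintext.encode("utf-8")
    ks = _keystream(_subkey(master, b"enc"), nonce, len(pt))
    ct = bytes(p ^ k for p, k in zip(pt, ks))
    tag = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_field(master: bytes, blob: bytes) -> str:
    """Verify the tag before touching the ciphertext; reject anything altered."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext rejected: too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext rejected: tag mismatch (tampered or wrong key)")
    ks = _keystream(_subkey(master, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks)).decode("utf-8")


def rejects(master: bytes, blob: bytes) -> bool:
    """True if decryption refuses the blob (used to check tamper detection)."""
    try:
        decrypt_field(master, blob)
        return False
    except ValueError:
        return True


def normalize_ssn(ssn: str) -> str:
    """Canonical form so '123-45-6789' and '123456789' index identically."""
    return "".join(ch for ch in ssn if ch.isdigit())


def blind_index(index_key: bytes, ssn: str) -> str:
    """Keyed HMAC of the normalized value: supports exact-match lookup only.

    It must be keyed, not a plain hash: the SSN space is small enough that
    an unkeyed SHA-256 column could be brute-forced from a stolen table.
    """
    return hmac.new(index_key, normalize_ssn(ssn).encode("utf-8"), hashlib.sha256).hexdigest()


class CustomerStore:
    """Rows as the web-facing database would hold them: no plaintext SSN anywhere."""

    def __init__(self, enc_key: bytes, idx_key: bytes) -> None:
        self.enc_key, self.idx_key = enc_key, idx_key
        self.rows = []

    def insert(self, name: str, ssn: str) -> None:
        self.rows.append({
            "name": name,
            "ssn_ct": encrypt_field(self.enc_key, ssn),
            "ssn_idx": blind_index(self.idx_key, ssn),
        })

    def find_by_ssn(self, ssn: str) -> list:
        """Search without decrypting: recompute the index and compare."""
        wanted = blind_index(self.idx_key, ssn)
        return [r["name"] for r in self.rows if hmac.compare_digest(r["ssn_idx"], wanted)]

    def reveal_ssn(self, name: str):
        """Decryption happens only in a component that actually holds the key."""
        for r in self.rows:
            if r["name"] == name:
                return decrypt_field(self.enc_key, r["ssn_ct"])
        return None

    def dump_exposes(self, ssn: str) -> bool:
        """Simulate an attacker grepping a stolen table dump for a value."""
        needle = normalize_ssn(ssn).encode("utf-8")
        return any(needle in r["ssn_ct"] or needle in r["ssn_idx"].encode() for r in self.rows)


if __name__ == "__main__":
    store = CustomerStore(ENC_KEY, IDX_KEY)
    store.insert("Alice Example", "123-45-6789")   # constructed sample data
    store.insert("Bob Example", "987-65-4321")
    print("lookup by SSN:", store.find_by_ssn("123456789"))
    print("stolen dump exposes SSN:", store.dump_exposes("123-45-6789"))
```

Run as a script, it inserts two constructed records, finds one by SSN in either format and confirms that a copy of the table contains neither the plaintext nor an unkeyed hash of it. The design supports exact-match search only; range or substring queries over encrypted data need a different construction, and the index key has to be guarded as carefully as the encryption key, because whoever holds it can test candidate values against the index column.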

Ralph Jacobson
Member
6 years ago

I am seeing the best of the best security technologies avoid exactly these kinds of data breaches. This is a technology issue, plain but not so simple. All organizations need to take security seriously. Technologies exist today that can avoid these problems and stay steps ahead of the hackers.

Ken Morris
Trusted Member
6 years ago

The Equifax breach won’t directly affect retailers, but it will have an impact on consumers’ ongoing concerns for payment and data security. This is another wake-up call to retailers that security is a serious matter.

Data and payment security has been a hot topic for the past few years and most retailers have made great strides in bolstering their security, but this is an ongoing challenge. While there has been a significant reduction in in-store fraud, online fraud, including mobile applications, has risen dramatically. Fraudsters are also looking to exploit e-commerce transactions to capture credit card numbers and other personal data. In general, online transactions have much more information than a brick-and-mortar transaction. They usually include customers’ names, home address, email address, and phone number. This additional rich PII data makes these transactions much more valuable to fraudsters.

Given the uniqueness of each retailer’s environment, there is no single strategy that can entirely eliminate the risk of a data breach. Recent industry best practices dictate that the most effective strategy is a multi-layered security approach which includes components of the following: integrated EMV-compliant payment terminals, strong e-commerce controls, network segmentation, secure communication protocols, E2EE, tokenization and a thoroughly documented and comprehensive internal set of security policies and practices.

Craig Sundstrom
Noble Member
6 years ago

Still quite a few “if’s” to answer — “if this was stolen then this, if that was stolen then…” — before anyone can say what impact, if any, this will have.

As far as lessons to be learned, the usual ones: improve security, no one is immune, etc. To be honest, this is the latest in a long line of highly publicized breaches that are called potentially catastrophic, but then forgotten. I’m fearful complacency is becoming the reaction. I suppose an argument can be made that companies — e.g. Target — suffered reputation damage, but with each new problem, the impact diminishes.

Ricardo Belmar
Active Member
6 years ago

It’s often too easy to speculate about breaches as large as the Equifax breach, but there are some interesting related topics to consider. This year’s Verizon report on PCI security compliance is noteworthy for how poor it makes many industries seem with respect to security compliance. While improving year over year, there is still a long way to go for most organizations, retailers included. Just achieving a certification state, like PCI, often makes businesses become complacent about security — and their processes lapse. The Equifax breach should serve as a strong reminder that you can never back away from security — it’s an ongoing process, not just a one-time occurrence to obtain a certification.

It also brings to mind something many security leaders are fond of saying — there are only two kinds of brands. Those that have been breached, and those that don’t know they’ve been breached. No matter how great your security may be, the real test comes from your risk mitigation plan once a breach becomes public knowledge. Equifax demonstrates once again how not to treat a breach. Target had some missteps in this area, but Equifax is setting the new low standard.

Nick East
6 years ago

The key thing retailers need to do is protect themselves and their customers, because the consequences can be devastating. Just think of loss of customer trust, negative impact on revenue, and let’s not forget the steep fines that can be imposed, especially in Europe as the GDPR deadline looms.

It’s true that no business can remove the risk of cyber attacks and breaches completely, but it’s also true that there are a number of things that retailers and their IT teams can do to make it harder for cyber criminals to steal information or disrupt operations, such as patching and keeping infrastructure current.

Of course the cyber threat challenge intensifies when dealing with a distributed branch network, but that only means retailers need to find better ways of keeping themselves protected, like using more intelligent infrastructure and increased use of automation.

BrainTrust

Mark Ryski, Founder, CEO & Author, HeadCount Corporation
Roy White, Editor-at-large, RetailWire
Mark Heckman, Principal, Mark Heckman Consulting