Retailers face criticism for failure to protect customer data

Despite lessons learned from past data breaches from Target, Home Depot and others, an epidemic of breaches is hitting the retail industry.

  • On March 29, Under Armour announced that 150 million user records of its MyFitnessPal app had been breached. Usernames, e-mail addresses and hashed passwords were exposed.
  • On April 1, Hudson’s Bay said data from card payments in some of its Saks and Lord & Taylor stores in North America had been compromised. Reportedly, data was stolen from five million cardholders.
  • On April 3, Panera said fewer than 10,000 customers had been affected by a leak. Names, e-mail and physical addresses, birthdays, the last four digits of user credit card numbers and loyalty card numbers were compromised.
  • On April 5, a breach tied to Sears’ chat network provider gave unauthorized parties access to the credit card information of fewer than 100,000 of its customers. On April 6, Best Buy said a “small fraction” of its online customer population may have been affected by the same leak.

The 2018 Trustwave Global Security Report found breaches affecting checkout systems in stores comprised 20 percent of incidents investigated by the firm in 2017, down from 31 percent the year before. The improvement was attributed to the arrival of chip-enabled credit cards and other defensive steps.

E-commerce incidents, however, expanded to 30 percent of cases, up from 26 percent in 2016. Increased connections with third-party firms, including vendors and credit card processors, were seen as adding vulnerabilities to e-commerce.

Many reports reprimanded retailers for not protecting customer data. Chris Hoofnagle, a professor of information and law at the University of California at Berkeley, told The Washington Post, “Security is difficult and expensive, and no one wants to do it.”

Writing for Bloomberg, Sarah Halzack believes retailers aren’t incentivized enough to clamp down on breaches because share prices are rarely affected. The social media backlash has been minimal because consumers have grown used to the hacks. Wrote Ms. Halzack, “Consumers should not accept these conditions as ordinary. Retailers and the payments industry will surely do better if they sense their customers will flee — or at least be indignant — if they do not.”

Discussion Questions

Do you see retailers increasingly facing greater vulnerability to online breaches versus in-store? What’s the next step the industry may need to take to address data breaches?

31 Comments
Dick Seesel
Trusted Member
6 years ago

The Target breach was one of the first and biggest, but every week seems to bring a new headline about data security. And retailers’ problems have metastasized through alliances to social networks like Facebook with big issues of their own. But consumers’ migration to mobile commerce keeps gaining speed anyway, despite these breaches of trust.

Art Suriano
Member
6 years ago

There is no doubt that hackers are doing tremendous damage and things will only get worse unless all businesses start to address the predicament. The problem is so many businesses and retailers are too busy chasing after the next technology rather than taking a good hard look at where they presently are and how vulnerable their systems are to hackers.

It’s quite unfortunate, and it is only when their business gets attacked and customers sue them and leave that they begin to take the matter seriously. That is stupid and quite sad. The problem is they don’t see the bang for their buck investing in security because they already have those customers and their primary interest is going after new ones. But without reliable security, it is only a matter of time before their systems get hacked and there is great damage. Retailers must take this problem seriously and protect their customers and ultimately their business.

Ryan Mathews
Trusted Member
6 years ago

Some cybersecurity experts will tell you there are only two kinds of data banks: those that have been hacked and those that haven’t figured out they have been hacked. The fact is encryption systems haven’t proven very effective against dedicated attempts to crack them. We’ve moved from the proto-hackers who cracked into databases to prove they could to organized criminals who realize how much that data is really worth on the open market. It was tough to stop the former and without blockchain-level encryption it may be impossible to stop the latter. All industries, not just retail, have to pool their resources to address the issues of data privacy and cybersecurity. But the problem may be that any system invented by people will be able to be breached by people. Will AI or some other technology solve the problem? My vote, the jury is still out on that one and will be for decades.

Adrian Weidmann
Member
6 years ago

Retailers have had to rapidly re-engineer their technology infrastructure over the past five years to meet the expectations of today’s digitally-empowered shoppers. Given this rapid transformation coupled with the rise and acceptance of social media in the shopping experience, e-commerce and click and collect initiatives, it’s not surprising that we’re seeing a rash of hacks and security breaches. I suspect that with the pressure to keep pace with the technology superpowers, retailers are not as robust and secure as their technology counterparts and competitors.

Max Goldberg
6 years ago

Retailers ignore or pay lip service to customer data security at their own peril. With the Facebook data scandal in the news, the heat of the spotlight will focus on all data collection. Retailers, as much as they would prefer otherwise, need to protect consumer data, and that may mean shouldering the expense of moving from chip and signature credit cards to chip and pin.

Frank Riso
6 years ago

I do agree that retailers are facing greater vulnerability to both online and in-store breaches. The industry needs to be completely dedicated to preventing these attacks in every aspect of their systems. POS systems, mobile computers, wireless providers and all solutions using them need to identify for the retailer what they offer to prevent an intrusion. Secondly, retailers need a dedicated team that works only on the prevention of an attack — much like database management was a specialty, we now need a new team of specialists. Retailers and solution providers need to work together to prevent attacks!

Phil Masiello
Member
6 years ago

All channels are vulnerable. Online, in-store. However, there are some fairly inexpensive steps that e-commerce retailers can take quickly to minimize breaches such as separating the website database from the customer database on different servers connected through secure firewalls. Encryption on checkout pages is fairly common and inexpensive.

I agree that the store-level security is costly, but the correct focus and directives put on the problem can solve it quickly and efficiently.

Retailers need to feel the pain of a consumer backlash before taking action.

Anne Howe
Member
6 years ago

My answer to being involved in the MyFitnessPal app breach that I just got notified about this morning: delete the app for good. Period. A breach in trust of this nature signals the END of the relationship. Retailers that won’t invest in data security don’t deserve my business.

Paula Rosenblum
Noble Member
Reply to Anne Howe
6 years ago

Were you a paying customer? I am a non-paying customer and decided I didn’t care if a bunch of Russians know what I eat every day.

Paula Rosenblum
Noble Member
6 years ago

There seem to be two questions here. The poll question and the discussion question. Starting with the discussion question, as a general rule, countries that implement EMV have seen a rise in online fraud, as it theoretically is the most vulnerable point.

But to the poll question: Have retailers done enough? Retailers have done enough to satisfy the mandate, but too many have not done something important that is NOT part of the mandate — implement point-to-point encryption. I’m not sure we would have needed EMV if we had P2P encryption universally, but the banking industry will not take ownership of their mistake in not including the requirement for it, and retailers had already spent a lot of IT money on EMV hardware and software, in an age when they needed IT money for omnichannel initiatives (sorry … I have no other short form description of it).

I wrote a piece about this recently and a rep from the payments organization was adamant that this is all on the retailers. I say “hogwash” even though the CIOs with boards that could hear implemented it anyway.

It’s a mess, and no industry can afford to cast stones (can you spell Equifax?).

Ricardo Belmar
Active Member
Reply to Paula Rosenblum
6 years ago

Agree with you, Paula, 100%. Retailers obviously have a key role to play here, but the banking and payments industry has to play their part and take their leadership role as well. They can’t just sit idly by and blame retailers for everything.

Ralph Jacobson
Member
6 years ago

All companies, retailers, CPGs, everyone needs to take this issue seriously, and technologically. Talk is cheap, and talk solves nothing if actions do not follow. There are tools available today that can really minimize risks for data breaches and they need not be massive capital investments. There is no question that those organizations that don’t take definitive steps to mitigate these risks are vulnerable; however, there are plenty of great examples of retailers and CPGs that have implemented the right capabilities to fend off the majority of these attacks.

Cathy Hotka
Trusted Member
6 years ago

There are two issues here. Retail is an industry that underinvests in IT, and therefore in data security, and retailers’ name recognition makes breaches into juicy news stories. We’re going to keep seeing these stories.

Brandon Rael
Active Member
6 years ago

As the lines blur between online and in-store shopping, it’s absolutely imperative for retailers to double down on their data privacy standards. Regardless of whatever channel consumers ultimately shop, their data is flowing through the retailers’ systems. Personal data, particularly credit card history, has to be the most protected information between the retailer and their loyal consumers.

This is all a critical part of the trusted consumer and retailer relationship. Retailers are now faced with the need to be open, fully transparent about their data privacy policies, and to seek ways to eliminate future data breaches. With the onset of chip technologies, credit card encryption and mobile payment devices that do not share your credit card numbers, one would hope that these mechanisms, combined with a locked down and secure retailer ERP transaction system, will mitigate these issues in the future.

David Weinand
Active Member
6 years ago

This morning I read a fascinating piece from Oct 2015 about the collection and storing of data. Here we are 2.5 years later and the problems have only magnified. Whether the breaches are happening online or in-store, the current culture of collecting anything and everything about customers in the hopes that it can be analyzed for insights later should be looked at. Retailers should do an exercise to determine what data is absolutely necessary to collect, what can be collected and purged in a short window and what data is absolutely necessary to keep. Oh, and then there’s the promise of blockchain. This has real interesting potential and as the technology breaks from the association with cryptocurrency — retailers should be looking at the cybersecurity applications.

Mohamed Amer
Active Member
6 years ago

Data breaches are fueled by an increasing number and types of transactions irrelevant of where they take place. These same breaches are also facilitated by economic incentives in the form of an illicit and seemingly liquid market for stolen identities.

There is growing awareness of the damage these breaches cause in people’s lives and the danger that these will become normalized as the “cost of doing business” for companies and consumers alike.

Data breaches cannot be regulated out of existence nor can they be completely eliminated; incentives are too high for malicious hackers to cease and desist. What retailers and any consumer-facing company can do is conduct thorough audits (and necessary structural changes) to what, where and how consumer data is collected, processed and stored. On the other side, retailers need to expect a more forceful response from their customers as the very personal damage of the various data breaches begins to be felt.

Lyle Bunn (Ph.D. Hon)
6 years ago

I wonder if consumers are not becoming deaf to data breaches. They seem to have become a way of life as the connected, convenienced public endure these losses, watch the finger-pointing of blame and hear of the remedial efforts by brands. Security is a war in which every battle matters.

Camille P. Schuster, PhD.
Member
6 years ago

As more companies ramp up their online shopping and the competition between retailers increases, consumers have choices. Companies that do not actively work to protect their data, the use of their data, and consumers who have been hacked face the likelihood that consumers will stop shopping with them. If products are available in many places at similar prices, consumers do not have to shop with retailers who are not making an effort to protect their data.

Peter Luff
6 years ago

All businesses have increasing vulnerability as we all move online both directly and through back office services and via service providers. Many of the breaches should be considered a warning that information can be obtained maliciously. It is for all to take heed of the warning signs, although the equivalent of a “bank heist” due to data access has yet to manifest itself as far as I am aware. Consumers will increasingly look for more assurances that they are being protected as they become exposed to the risks more often.

Retailers need to plan for this inevitability and the rising expectations in this area by consumers as they will learn by experience of the need. A very simple action could be to pass the risk on to your suppliers of services to make sure they are meeting the highest security standards, for example a common standard to be expected is ISO 27001.

Kai Clarke
Active Member
6 years ago

Our data is not secure. Whoever has it is not protecting it sufficiently, and certainly not doing all that they can do to afford our data the protection that it deserves. The lack of true repercussions and the cavalier approach to managing data is the reason why so many breaches have happened. We need to demand more from the holders of our information, starting with a gold standard for protection and data security that everyone must have.

Byron Kerr
6 years ago

Data in security breaches is ripe for the taking as known vulnerabilities continue to be exploited. Just as the industry moved to chip and signature/chip and pin, the industry should be making investments to protect their consumers’ data.

Now is as good of a time as ever to incorporate security policies and processes that limit these exposures. It’s not a matter of if consumers will care or not; these breaches will only continue to get worse until these retailers put a stake in the ground and do what’s right for their consumers.

Jennifer McDermott
6 years ago

The crims have overtaken retailers in terms of sophisticated tech. It’s way too easy for them to snaffle the data of unsuspecting shoppers. Banks have picked up their game (as they are often left footing the bill) in terms of data security and it’s time the retail industry also rises to the challenge. As long as there are hackers, data will never be 100% safe, but we can certainly improve.

Shep Hyken
Trusted Member
6 years ago

Every day, every hour, every minute and every second, hackers are attempting to penetrate the security efforts of companies who are holding customer data. The industry needs to assure their customers of the level of security they offer, the insurance they offer as part of that security should there be a breach, and what they are doing to keep up with the changing methods and technologies that make them vulnerable. Retailers must convince customers their data is safe from cyber-criminals, and their data won’t be abused (with excessive promotion) from the company. Once the customer doesn’t trust the company, there may not be a second chance.

Ricardo Belmar
Active Member
6 years ago

Data is the modern world’s currency, and hackers will always search for ways to acquire it. Every organization that collects customer data and retains it needs to think about how they are storing it and how they are protecting it. Then they can think about how to use it — in that order, or they’ll be the next brand we read about a breach in the news!

Complying with mandates like EMV doesn’t really do anything for retailers’ security. EMV itself did nothing to prevent breaches of this variety. EMV is meant to address other fraud issues, not data breaches. That said, the wisest retailers, and those most willing to increase IT dollars, took advantage of the EMV mandate to upgrade their networks and payment platforms to deploy point to point encryption and tokenization — technologies that go much further than EMV to protect customer data. Back in 2015, I wrote an article about this that is just as relevant today for retailers. Mobile payment systems tend to be more secure as well and as consumers more readily adopt them, we should see a shift in tactics by hackers in their targeting for user data.

Which brings us to the last point about the increase in e-commerce incidents. When Europe moved to EMV they also experienced a surge in online breaches. Fact is, hackers will move to where they think the easier targets are. If retailers beef up their security, hackers will find them less appealing and move to other targets!

Doug Garnett
Active Member
6 years ago

In the question of breaches, it’s so easy for Monday morning quarterbacks to claim something more should have been done. But retailers (and anyone else working in cyber security) seem to be working in a situation dominated by two truths:

  1. One can spend an infinite amount of money attempting to create a system that cannot be breached AND constantly changing the system to respond to the aggressive pace at which new breach tactics appear from the bad guys.
  2. No matter how close to “infinite” your spending becomes, your system will one day be breached. Absolute reality.

That’s no excuse to relax retail vigilance on the issue. Every time I see a story like this I’m torn between anger that the bad guys always find a way, concern that retailers might not have done enough, and sympathy for the retailer because they are in a no-win situation.

James Tenser
Active Member
6 years ago

I take a radical (and admittedly futuristic) position on this issue. Each customer should own and control their own personal data profile, in a personal, encrypted vault. Access to this information should be transactional in nature — if you want a glimpse of mine, offer something of value. Saving meta-data about those interactions is OK, but making a copy of any individual profile is forbidden.

True data security is by now proven to be impossible. So why keep denying it?

Retailers should simply not be in the business of gathering, accruing, and protecting the data of millions of individuals. Their data troves are an irresistible temptation to criminals — like so many Fort Knoxes but housing a currency that is far easier to steal, transport and spend.

Sure, customer databases are hard-won assets, so it’s not easy to walk them back. But the cost of maintaining and securing them (including escalating technology and damage to brand value and customer relationships due to breaches) may soon exceed the benefits. Worse yet, each consumer-facing company assembles its own version, which means that hundreds of copies of our personal data are out there waiting for thieves.

The personal data lock box would have the effect of distributing information, requiring far more effort for bad actors to gather it up. Discontinuing retail customer databases would also eliminate a major market for hackers.

The tech to enable personal data lockboxes is on the horizon — possibly making use of the Blockchain.

Like I said, this is a radical perspective. Where are the visionaries who are ready to consider, debate, and create it?

Julie Bernard
6 years ago

Since we know consumers absolutely do expect magical experiences — almost transcendental experiences — as reported in our own research about the desire for anticipatory inspiration, we can appreciate the pressures that businesses are facing.

In this, there is an opportunity to view data-security investments as actually supporting the positive consumer experience. This is to say, companies should make the necessary (and, yes, hefty) investments to further secure and protect consumer data. But in doing so, they should communicate their actions to their customers so that consumers view their secured data as an element of their positive experience with that brand.

A common example would be when your bank prompts you with a fraud-prevention message, or helpfully notes unusual spending in a location you don’t normally swipe or insert your chip. These experiences have become part of what “positive” means in the financial services sector. Retail ought to take very careful note! Data security as well as privacy should be seen as components of innovation investments as well as a loyalty-earning part of the brand identity that consumers will celebrate. 

Ken Morris
Trusted Member
6 years ago

Data breaches aren’t going away and retailers need to make customer payment and data security a priority. While payment data breaches have garnered most of the headlines, and consumers feel the pain when they need to cancel breached credit cards, fraudsters continue to move to the next most vulnerable place to get sensitive data that they can sell or try to use for identity theft.

Retailers need to focus on all data, beyond just payment data. They need to secure systems and networks to lock down their private label credit cards like they do for normal bank cards and treat PII and corporate financial data like they have been treating PCI data for the last several years. It is a never-ending battle.

Min-Jee Hwang
Member
6 years ago

Shoppers have become desensitized by this problem and it is unfortunate that no retailer is too small or big to be impacted by it. I agree with Sarah Halzack that retailers need to see financial consequences in order to get security correct and complete the process quickly. As retailers are busy improving logistics and trying to get omnichannel right, many are neglecting the safety of their customers. Over time, loyalty might decrease for businesses that don’t take security seriously. While retailers are all busy, they need to put shopper safety first in order to continue earning their business.

Kenneth Leung
Active Member
6 years ago

Retailers will continue to be the targets of breaches. What is interesting is that despite the breaches, I can’t think of a retailer who suffered long-term damage directly attributed to the data breach. Executives were let go, but the brand continues as the population en masse still shops from their favorite retailer.

The responsibility for cleanup after notification falls to the financial institutions processing the payments and the customers’ credit card company.

Kevin Simonson
5 years ago

So glad we’re talking about data transparency. This, IMHO, is the number one issue facing retailers.

But 10 years ago, there wasn’t a standard for transparency. Nobody really had the vocabulary to understand what was going on.

And yet, recent advertising scandals are forcing consumers to realize and reckon with one major issue: How much data is any given internet company collecting on you?

What we tell clients is, look, if your company uses digital marketing channels like paid advertising to drive growth revenue, then you must reckon with this reality too. Because there is the potential for real change here.

Retailers simply have to be vigilant. Especially if they work with programmatic marketing vendors or agencies. Make sure you have access to and own your data. That’s step one before any technology improvements.

BrainTrust

"The problem may be that any system invented by people will be able to be breached by people."
Ryan Mathews, Founder, CEO, Black Monk Consulting

"...there is an opportunity to view data-security investments as actually supporting the positive consumer experience."
Julie Bernard, Chief Marketing Officer, Verve

"A breach in trust of this nature signals the END of the relationship. Retailers that won’t invest in data security don’t deserve my business."
Anne Howe, Principal, Anne Howe Associates