Data Security and Customer Privacy: Not So Fast
By Brian Kilcourse, Managing Partner
January 5, 2010
 
On December 29, Albert “Segvec” Gonzalez, the hacker who helped orchestrate the theft of millions of credit and debit card numbers from major retailers in some of the largest such thefts in U.S. history, pleaded guilty to the final accusations brought against him by the U.S. Federal Government. The accusations related to well-publicized data breaches at Hannaford Bros., Heartland Payment Systems, and 7-Eleven. Gonzalez was initially charged with being the ringleader of a cabal with Ukrainian connections, which was also apparently responsible for intrusions into BJ’s Wholesale Club, Boston Market, Barnes & Noble, Sports Authority, Forever 21, DSW and OfficeMax.
And so it would appear that the source of a lot of the anguish from retailers and their payment processing service providers will be locked up for a really long time. One can almost hear the chorus, “Ding Dong the Witch Is Dead,” resonating throughout the halls of retailers everywhere. But… not so fast! The risk is still there.
A casual glance through the website of the Privacy Rights Clearinghouse shows that data security breaches continue to occur at an alarming rate. And although many of the breaches that the site reports occur in health facilities, learning institutions, and government offices, retailers large and small also show up on the list. Here are examples of activity reported for 2009 alone:
· Geeks.com discovered that customer information, including Visa credit card information, may have been compromised when an unauthorized individual accessed this information by hacking the company’s eCommerce website;
· At HoneyBaked Ham, a computer server stocked with credit-card information was stolen from a store;
· Wyndham Hotels & Resorts discovered that a sophisticated hacker penetrated the computer systems of one of the hotels, potentially breaching guest and/or cardholder names and card numbers, expiration dates and other data from the card’s magnetic stripe;
· The CVS Pharmacy chain agreed to a $2.25 million settlement with the U.S. Dept. of Health and Human Services. CVS pharmacies were disposing of documents, such as labels from prescription bottles and old prescriptions, in unsecured dumpsters;
· Batteries.com’s network was breached from February to April 9, 2009. The hackers stole names, addresses and credit card information;
· Redondo Beach Arco Gas Station of Redondo Beach, CA, was the victim of an organized-crime ring that police believe is Russian or Armenian, which assigned a low-level soldier to infiltrate it and wait eight months while he worked himself into a position where he could implant a tiny, high-tech “skimmer” to steal customers’ credit-card information;
· Bike Nashbar’s computer servers were hacked and credit card information was compromised;
· T.A.D. Gear learned that its database was illegally accessed from an external source. The possibility of a security breach came to its attention when certain customers notified the company that unauthorized charges had appeared on their credit cards; and,
· Hancock Fabrics discovered that it had suffered a data breach in one store when bank customers in California, Wisconsin and Missouri reported fraudulent ATM withdrawals tied to transactions conducted with the retail chain. The store in question had recently replaced its point-of-sale machines. At about the same time, as many as 70 Wisconsin victims reported suspicious ATM withdrawals from their accounts.
The Risk Is Big And Getting Bigger
A report sponsored by LexisNexis Risk Solutions, published in November 2009, shows that U.S. merchants are incurring $191 billion in fraud losses each year. The study reports that retail merchants experience $100 billion in losses solely attributed to identity fraud. According to the study, identity fraud or fraudulent transactions made up the bulk of fraud costs, at 52 percent of total fraud losses. And 40% of eCommerce retailers saw an upsurge in fraud activity in 2009.
Ironically, ChoicePoint, which was acquired by LexisNexis in 2008, was fined $275,000 by the U.S. Federal Trade Commission for a data breach that exposed the personal information of 13,750 individuals in 2008. According to an FTC statement, ChoicePoint had apparently turned off a key electronic security tool that it used to monitor access to one of its databases and failed to notice the problem for four months.

According to the San Diego, California-based Privacy Rights Clearinghouse, the total number of records containing sensitive personal information involved in security breaches in the U.S. since January 2005 is 341,900,776. To put that into context, according to the U.S. Bureau of the Census, the resident population of the United States, projected to 01/04/10, is 308,422,883.
In the Meantime…
As retailers continue to deal with emerging data security mandates such as PCI DSS, two things are becoming increasingly clear. First, consumers are aware of the risks to their personal information. Secondly, the challenge of ensuring customer privacy isn’t only a technology issue – it’s a brand issue that demands a policy-level response.
RSR is currently conducting a study on the merged issues of data security and customer privacy, and although the results are preliminary, they suggest that there’s a lag between consumer awareness of the personal risk and retailer awareness of the associated risk to their brand that these issues represent. The chart below compares responses to two questions: “to what extent do customers care about the privacy of their information with your company?” and “to what extent do the issues of data security and consumer privacy affect your brand?”
[Chart: retailer responses to the two survey questions above]
RSR’s position is that as more and more information from the customer interface is digitized (whether payment, market basket, receipts, cross-channel orders, social media sentiment, or lifestyle information), the retailer’s brand is inextricably entwined with the issues of data security and customer privacy.
What’s Your Take?
As mentioned, RSR is currently conducting a study on how retailers view the merging of the issues of data security and customer privacy. We’d like to know more about what role protecting the digital asset plays in retailers’ efforts to retain their existing customers (and perhaps win a few new ones). As always, survey respondents’ information is kept entirely confidential, and we’ll send all survey takers a copy of the report as soon as it is published (February 2010). We’d appreciate your insights – take the survey! Click here or paste the following link in your browser:
