Retailers face criticism for failure to protect customer data



Despite lessons learned from past data breaches at Target, Home Depot and others, an epidemic of breaches is hitting the retail industry.
- On March 29, Under Armour announced that 150 million user records of its MyFitnessPal app had been breached. Usernames, e-mail addresses and hashed passwords were exposed.
- On April 1, Hudson’s Bay said data from card payments in some of its Saks and Lord & Taylor stores in North America had been compromised. Reportedly, data was stolen from five million cardholders.
- On April 3, Panera said fewer than 10,000 customers had been affected by a leak. Names, e-mail and physical addresses, birthdays, the last four digits of user credit card numbers and loyalty card numbers were compromised.
- On April 5, a breach tied to Sears’ chat network provider gave unauthorized access to the credit card information of fewer than 100,000 of its customers. On April 6, Best Buy said a “small fraction” of its online customer population may have been affected by the same leak.
The 2018 Trustwave Global Security Report found that breaches affecting checkout systems in stores made up 20 percent of incidents investigated by the firm in 2017, down from 31 percent the year before. The improvement was attributed to the arrival of chip-enabled credit cards and other defensive steps.
E-commerce incidents, however, expanded to 30 percent of cases, up from 26 percent in 2016. Increased connections with third-party firms, including vendors and credit card processors, were seen as adding vulnerabilities to e-commerce.
Many reports reprimanded retailers for not protecting customer data. Chris Hoofnagle, a professor of information and law at the University of California at Berkeley, told The Washington Post, “Security is difficult and expensive, and no one wants to do it.”
Writing for Bloomberg, Sarah Halzack believes retailers aren’t incentivized enough to clamp down on breaches because share prices are rarely affected. The social media backlash has been minimal because consumers have grown used to the hacks. Wrote Ms. Halzack, “Consumers should not accept these conditions as ordinary. Retailers and the payments industry will surely do better if they sense their customers will flee — or at least be indignant — if they do not.”
- Panera’s data breach puts attention on the risks of loyalty programs – The Washington Post
- New Trustwave Report Depicts Evolving Cybersecurity Threat Landscape – Trustwave
- Protect yourself against cybercriminals hitting online retailers – San Francisco Gate
- How to Keep Your Information Safe After the Saks, Lord & Taylor, Under Armour Data – Footwear News
- Sears Joins Growing List of Retailers Managing a Data Breach – Sourcing Journal
DISCUSSION QUESTIONS: Do you see retailers increasingly facing greater vulnerability to online breaches versus in-store? What’s the next step the industry may need to take to address data breaches?
31 Comments on "Retailers face criticism for failure to protect customer data"
Principal, Retailing In Focus LLC
The Target breach was one of the first and biggest, but every week seems to bring a new headline about data security. And retailers’ problems have metastasized through alliances to social networks like Facebook with big issues of their own. But consumers’ migration to mobile commerce keeps gaining speed anyway, despite these breaches of trust.
Chief Executive Officer, The TSi Company
There is no doubt that hackers are doing tremendous damage and things will only get worse unless all businesses start to address the predicament. The problem is so many businesses and retailers are too busy chasing after the next technology rather than taking a good hard look at where they presently are and how vulnerable their systems are to hackers.
It’s quite unfortunate, and it is only when their business gets attacked and customers sue them and leave that they begin to take the matter seriously. That is stupid and quite sad. The problem is they don’t see the bang for their buck investing in security because they already have those customers and their primary interest is going after new ones. But without reliable security, it is only a matter of time before their systems get hacked and there is great damage. Retailers must take this problem seriously and protect their customers and ultimately their business.
Founder, CEO, Black Monk Consulting
Some cybersecurity experts will tell you there are only two kinds of data banks: those that have been hacked and those that haven’t figured out they have been hacked. The fact is encryption systems haven’t proven very effective against dedicated attempts to crack them. We’ve moved from the proto-hackers who cracked into databases to prove they could to organized criminals who realize how much that data is really worth on the open market. It was tough to stop the former and without blockchain-level encryption it may be impossible to stop the latter. All industries, not just retail, have to pool their resources to address the issues of data privacy and cybersecurity. But the problem may be that any system invented by people will be able to be breached by people. Will AI or some other technology solve the problem? My vote, the jury is still out on that one and will be for decades.
Managing Director, StoreStream Metrics, LLC
Retailers have had to rapidly re-engineer their technology infrastructure over the past five years to meet the expectations of today’s digitally-empowered shoppers. Given this rapid transformation coupled with the rise and acceptance of social media in the shopping experience, e-commerce and click and collect initiatives, it’s not surprising that we’re seeing a rash of hacks and security breaches. I suspect that with the pressure to keep pace with the technology superpowers, retailers are not as robust and secure as their technology counterparts and competitors.
President, Max Goldberg & Associates
Retailers ignore or pay lip service to customer data security at their own peril. With the Facebook data scandal in the news, the heat of the spotlight will focus on all data collection. Retailers, as much as they would prefer otherwise, need to protect consumer data, and that may mean shouldering the expense of moving from chip and signature credit cards to chip and pin.
Principal, Frank Riso Associates, LLC
I do agree that retailers are facing greater vulnerability to both online and in-store breaches. The industry needs to be completely dedicated to preventing these attacks in every aspect of their systems. POS systems, mobile computers, wireless providers and all solutions using them need to identify for the retailer what they offer to prevent an intrusion. Secondly, retailers need a dedicated team that works only on the prevention of an attack — much like database management was a specialty, we now need a new team of specialists. Retailers and solution providers need to work together to prevent attacks!
Founder and CEO, CrunchGrowth Revenue Acceleration Agency
All channels are vulnerable. Online, in-store. However, there are some fairly inexpensive steps that e-commerce retailers can take quickly to minimize breaches such as separating the website database from the customer database on different servers connected through secure firewalls. Encryption on checkout pages is fairly common and inexpensive.
I agree that the store-level security is costly, but the correct focus and directives put on the problem can solve it quickly and efficiently.
Retailers need to feel the pain of a consumer backlash before taking action.
Principal, Anne Howe Associates
My answer to being involved in the MyFitnessPal app breach that I just got notified about this morning: delete the app for good. Period. A breach in trust of this nature signals the END of the relationship. Retailers that won’t invest in data security don’t deserve my business.
Co-founder, RSR Research
Were you a paying customer? I am a non-paying customer and decided I didn’t care if a bunch of Russians know what I eat every day.
Co-founder, RSR Research
Retail Transformation Thought Leader, Advisor, & Strategist
Agree with you, Paula, 100%. Retailers obviously have a key role to play here, but the banking and payments industry has to play their part and take their leadership role as well. They can’t just sit idly by and blame retailers for everything.
Global Retail & CPG Sales Strategist, IBM
All companies, retailers, CPGs, everyone needs to take this issue seriously, and technologically. Talk is cheap, and talk solves nothing if actions do not follow. There are tools available today that can really minimize risks for data breaches and they need not be massive capital investments. There is no question that those organizations that don’t take definitive steps to mitigate these risks are vulnerable, however there are plenty of great examples of retailers and CPGs that have implemented the right capabilities to fend off the majority of these attacks.
Principal, Cathy Hotka & Associates
There are two issues here. Retail is an industry that underinvests in IT, and therefore in data security, and retailers’ name recognition makes breaches into juicy news stories. We’re going to keep seeing these stories.
Strategy & Operations Delivery Leader
As the lines blur between online and in-store shopping, it’s absolutely imperative for retailers to double down on their data privacy standards. Regardless of whatever channel consumers ultimately shop, their data is flowing through the retailers’ systems. Personal data, particularly credit card history, has to be the most protected information between the retailer and their loyal consumers.
This is all a critical part of the trusted consumer and retailer relationship. Retailers are now faced with the need to be open, fully transparent about their data privacy policies, and to seek ways to eliminate future data breaches. With the onset of chip technologies, credit card encryption and mobile payment devices that do not share your credit card numbers, one would hope that these mechanisms, combined with a locked down and secure retailer ERP transaction system, will mitigate these issues in the future.
Chief Customer Officer, Incisiv
This morning I read a fascinating piece from Oct 2015 about the collection and storing of data. Here we are 2.5 years later and the problems have only magnified. Whether the breaches are happening online or in-store, the current culture of collecting anything and everything about customers in the hopes that it can be analyzed for insights later should be looked at. Retailers should do an exercise to determine what data is absolutely necessary to collect, what can be collected and purged in a short window and what data is absolutely necessary to keep. Oh, and then there’s the promise of blockchain. This has real interesting potential and as the technology breaks from the association with cryptocurrency — retailers should be looking at the cybersecurity applications.
Independent Board Member, Investor and Startup Advisor
Data breaches are fueled by an increasing number and types of transactions irrelevant of where they take place. These same breaches are also facilitated by economic incentives in the form of an illicit and seemingly liquid market for stolen identities.
There is growing awareness of the damage these breaches cause in people’s lives and the danger that these will become normalized as the “cost of doing business” for companies and consumers alike.
Data breaches cannot be regulated out of existence nor can they be completely eliminated; incentives are too high for malicious hackers to cease and desist. What retailers and any consumer-facing company can do is conduct thorough audits (and necessary structural changes) to what, where and how consumer data is collected, processed and stored. On the other side, retailers need to expect a more forceful response from their customers as the very personal damage of the various data breaches begins to be felt.
Strategy Architect – Digital Place-based Media
I wonder if consumers are not becoming deaf to data breaches. They seem to have become a way of life as the connected, convenienced public endure these losses, watch the finger-pointing of blame and hear of the remedial efforts by brands. Security is a war in which every battle matters.
President, Global Collaborations, Inc.
As more companies ramp up their online shopping and the competition between retailers increases, consumers have choices. Companies that do not actively work to protect their data, the use of their data, and consumers who have been hacked face the likelihood that consumers will stop shopping with them. If products are available in many places at similar prices, consumers do not have to shop with retailers who are not making an effort to protect their data.
President, Ipsos Retail Performance
All businesses have increasing vulnerability as we all move online both directly and through back office services and via service providers. Many of the breaches should be considered a warning that information can be obtained maliciously. It is for all to take heed of the warning signs, although the equivalent of a “bank heist” due to data access has yet to manifest itself as far as I am aware. Consumers will increasingly look for more assurances that they are being protected as they become exposed to the risks more often.
Retailers need to plan for this inevitability and the rising expectations in this area by consumers as they will learn by experience of the need. A very simple action could be to pass the risk on to your suppliers of services to make sure they are meeting the highest security standards, for example a common standard to be expected is ISO 27001.
CEO, President- American Retail Consultants
Our data is not secure. Whoever has it is not protecting it sufficiently, and certainly not doing all that they can do to afford our data the protection that it deserves. The lack of true repercussions and the cavalier approach to managing data is the reason why so many breaches have happened. We need to demand more from the holders of our information, starting with a gold standard for protection and data security that everyone must have.
Head of eCommerce, Tuft & Needle
Data in security breaches is ripe for the taking as known vulnerabilities continue to be exploited. Just as the industry moved to chip and signature/chip and pin, the industry should be making investments to protect their consumers’ data.
Now is as good of a time as ever to incorporate security policies and processes that limit these exposures. It’s not a matter of if consumers will care or not; these breaches will only continue to get worse until these retailers put a stake in the ground and do what’s right for their consumers.
Consumer Advocate, finder.com
The crims have overtaken retailers in terms of sophisticated tech. It’s way too easy for them to snaffle the data of unsuspecting shoppers. Banks have picked up their game (as they are often left footing the bill) in terms of data security and it’s time the retail industry also rises to the challenge. As long as there are hackers, data will never be 100% safe, but we can certainly improve.
Chief Amazement Officer, Shepard Presentations, LLC
Every day, every hour, every minute and every second, hackers are attempting to penetrate the security efforts of companies who are holding customer data. The industry needs to assure their customers of the level of security they offer, the insurance they offer as part of that security should there be a breach, and what they are doing to keep up with the changing methods and technologies that make them vulnerable. Retailers must convince customers their data is safe from cyber-criminals, and their data won’t be abused (with excessive promotion) from the company. Once the customer doesn’t trust the company, there may not be a second chance.
Retail Transformation Thought Leader, Advisor, & Strategist
President, Protonik
In the question of breaches, it’s so easy for Monday morning quarterbacks to claim something more should have been done. But retailers (and anyone else working in cyber security) seem to be working in a situation dominated by two truths:
That’s no excuse to relax retail vigilance on the issue. Every time I see a story like this I’m torn between anger that the bad guys always find a way, concern that retailers might not have done enough, and sympathy for the retailer because they are in a no-win situation.
Retail Tech Marketing Strategist | B2B Expert Storytelling™ Guru | President, VSN Media LLC
Chief Marketing Officer, Verve
Managing Partner Cambridge Retail Advisors
Data breaches aren’t going away and retailers need to make customer payment and data security a priority. While payment data breaches have garnered most of the headlines, and consumers feel the pain when they need to cancel breached credit cards, fraudsters continue to move to the next most vulnerable place to get sensitive data that they can sell or try to use for identity theft.
Retailers need to focus on all data, beyond just payment data. They need to secure systems and networks to lock down their private label credit cards like they do for normal bank cards and treat PII and corporate financial data like they have been treating PCI data for the last several years. It is a never-ending battle.
Director of Marketing, Wiser Solutions, Inc.
Shoppers have become desensitized by this problem and it is unfortunate that no retailer is too small or big to be impacted by it. I agree with Sarah Halzack that retailers need to see financial consequences in order to get security correct and complete the process quickly. As retailers are busy improving logistics and trying to get omnichannel right, many are neglecting the safety of their customers. Over time, loyalty might decrease for businesses that don’t take security seriously. While retailers are all busy, they need to put shopper safety first in order to continue earning their business.
Retail and Customer Experience Expert
Retailers will continue to be the targets of breaches. What is interesting is that despite the breaches, I can’t think of a retailer who suffered long-term damage directly attributed to the data breach. Executives were let go, but the brand continues as the population en masse still shops from their favorite retailer.
The responsibility for cleanup after notification falls to the financial institutions processing the payments and the customers’ credit card company.
CEO & Co-Founder, Metric Digital
So glad we’re talking about data transparency. This, IMHO, is the number one issue facing retailers.
But 10 years ago, there wasn’t a standard for transparency. Nobody really had the vocabulary to understand what was going on.
And yet, recent advertising scandals are forcing consumers to realize and reckon with one major issue: How much data is any given internet company collecting on you?
What we tell clients is, look, if your company uses digital marketing channels like paid advertising to drive growth revenue, then you must reckon with this reality too. Because there is the potential for real change here.
Retailers simply have to be vigilant. Especially if they work with programmatic marketing vendors or agencies. Make sure you have access to and own your data. That’s step one before any technology improvements.