The retail industry faced unprecedented cyber crime conflicts in 2014 with a barrage of data breach incidents that exposed hundreds of millions of retail customers to the long and often international reach of a growing breed of criminal. Data breaches and other cyber-crime insults were a regular and consistent occurrence across retail channels, resulting in significant changes in both approach and practice for many retail organizations.
Cyber crime remained a primary topic across digital channels once again in 2015, with cyber criminals hacking into everything from the database of Ashley Madison, the website that proudly boasts it is “the most famous name in infidelity and married dating,” to prison phones to CIA Director John Brennan’s AOL account. Personal information belonging to more than 178 million Americans was exposed in cyber attacks, according to the Identity Theft Research Center.
Lessons learned took us in several different directions. Government data breaches, including the breach of the Office of Personnel Management, exposed the personal information of tens of millions of Americans and made it clear that our own government agencies are actually lagging behind in the area of data protection and are in desperate need of fortification. On the other end of the spectrum, the self-proclaimed adulterers’ website claims that the publicity from the data breach has actually increased its traffic and popularity. Go figure.
Retail Cyber Crime
The retail industry has responded aggressively to the threat of cyber crime, increasing awareness, enhancing education and training opportunities, restructuring responsibilities, and adding new positions to better prepare for such threats. But while the industry didn’t face the bombardment of attacks that occurred in 2014, retailers certainly didn’t escape unscathed in 2015 as the following examples illustrate.
Pharmacy chain CVS was forced to take down its online photo print ordering site as the result of a data breach. Walmart Canada then reported it was investigating a similar breach of its online photo website, which the company said was operated by a third party. That same third-party provider claimed to be working “with over 19,000 retail locations and 8,000 kiosks to generate more than 18 million transactions for personalized products.” Retailers reported to be working with the third-party provider included Sam’s Club, Walgreens, Costco, Tesco, and Rite Aid, among others. Credit card data, email and postal addresses, phone numbers, and passwords were taken, but it’s not clear how many millions were affected by the breach.
Credit bureau and consumer data broker Experian disclosed that a data breach involving its computer systems exposed approximately 15 million social security numbers and other data on people who applied for financing from wireless provider T-Mobile. While Experian stressed that no payment card or banking details were stolen, the compromise exposed names, dates of birth, addresses, social security numbers and/or drivers’ license numbers, as well as additional information used in T-Mobile’s own credit assessment.
From a more global perspective, perhaps the UK’s largest cyber crime of the year involved Carphone Warehouse, a retail phone store. As many as 2.4 million customers (roughly 4 percent of the country’s population) had their personal information compromised as part of the data breach, with approximately 90,000 customers having their encrypted credit card data stolen.
A Different Kind of Cyber Crime
When cyber crime involves the theft of information from children, the ruthless nature of some of these hackers becomes crystal clear. In one of the largest data breaches of the year, toymaker VTech suffered a major data breach, with reports claiming that personal data in as many as 12 million records, including those of 6.4 million minors, was exposed. This was followed by a data breach of the online community for Hello Kitty, which exposed the first and last names, birth dates, genders, countries of origin, and email addresses for 3.3 million accounts.
While the data breaches don’t appear to be related, this particular brand of cyber crime is notable because children’s personal information was compromised. Data security experts say children have become a popular target for identity theft because their clean credit histories can be used to apply for government benefits, open fraudulent bank and credit card accounts, and apply for loans.
This also points to additional concerns involving retail products in general. All kinds of new “smart products” are making their way onto the shelves of retail stores, from smart watches, televisions, and other electronic devices to children’s toys. A mountain of new products may offer exciting new ventures for retailers and retail customers alike. However, many may not be designed with data protection and cyber security as a top priority, which may lead to further exploitation and the emergence of a different type of cyber crime. This may or may not directly impact a retail organization or the way that a loss prevention program operates, yet such issues do have the potential to influence everything from retail sales and product returns to the way that certain products are managed and displayed.
We’ve experienced cyber crime involving the release of personal and sensitive information, such as the Sony data breach from late 2014 that included personal information about Sony Pictures employees and their families, emails between employees, information about executive salaries at the company, copies of then-unreleased Sony films, and other information. The Ashley Madison data breach is another example of this type of cyber attack. But there is another type of malware that takes cyber crime to the other end of the spectrum.
How much would the average consumer be willing to pay to regain access to their television or home computer? How much would a retailer be willing to pay to regain access to its corporate files or POS system?
Ransomware is a type of malware that prevents or limits users from gaining access to their systems. The cyber criminal then threatens to lock the user out permanently or delete data, forcing infected victims to pay a “ransom” using certain online payment methods in order to regain access to their systems or retrieve their data. Some industry experts believe that this type of “cyber extortion” might lead the next wave of cyber crime.
In December 2015, a report by the International Data Corporation estimated that 3.2 billion people, or 44 percent of the world’s population, will have access to the Internet in 2016. The flow of information across digital channels serves as a beacon, warning us of the latest threats. And as cyber crimes continue to increase on an international scale and cyber threats expand in both the public and private sectors, the pressure for governmental response will continue to escalate. Many experts expect a push for additional legislation dealing with threats, reporting, data protections, and ways to help support the millions of victims of data breaches—some of whom never learn that their information was exposed.
By the same token, retailers must continue the push toward cooperative partnerships between loss prevention and information technology departments, continuing education and training programs, and proactive strategies to minimize cyber threats and protect company assets. Staying current with these threats has become a professional responsibility, while being prepared has become a business necessity.