This week saw Superdrug in the awkward but increasingly common position of having to tell customers that their personal information may have been exposed online.
The chain told shoppers in an email that information including names, addresses, dates of birth, phone numbers and loyalty balances might have been accessed. It stressed that the information did not include payment card details, however.
Superdrug said hackers may have obtained data on around 20,000 customers, although this had not been confirmed. It claims that the customers’ email addresses and passwords were obtained from other websites and used to access their accounts on Superdrug.
The hack comes at a time when data privacy is a major talking point, following the introduction of the EU’s General Data Protection Regulation in May.
InternetRetailing spoke to cyber security and retail experts to get some insights on what can be learned from this latest attack.
Not if, but when
David Jacoby, senior security researcher at Kaspersky, says that since retailers are always likely to be attack targets, it is crucial to secure data for the moment when an attack does break through.
“While the number of data breaches such as this continues to fluctuate, it’s still clear that breaches are not a matter of ‘if’ but ‘when.’”
He highlights encryption as a key requirement to protect data even in the event of a breach, saying that many companies are not employing it at the levels needed to reduce the magnitude of these attacks.
“Retailers should take a step back and re-evaluate their security strategy, especially in the eCommerce industry.
“A full lifecycle security plan includes thoroughly educating themselves and their employees, equipping themselves with the best tools to protect themselves against attacks and making sure the most reliable resources for zero-day detection are implemented.”
Trust is crucial
Jean-Michel Franco, director of data governance products at data integration specialist Talend, emphasises the importance of retaining customer trust in the light of such breaches.
“Customers are happy to provide retailers with information such as their size, favourite colours and budget to receive personal recommendations based on these preferences.
“If consumers opt out of sharing this kind of personal information, this is a disaster for retailers as it removes one of their opportunities to create a unique selling point.”
Franco adds that the introduction of the GDPR had brought the issue to the forefront of consumer minds.
“In light of this heightened importance placed on data protection and privacy, businesses need to have robust policies in place to avoid regulatory sanctions and negative headlines.”
Visibility is crucial to this, he says.
“They also need a data management infrastructure that is fit for purpose, knowing what data they have, where it is stored, and what policies their cloud providers have in place to protect and secure it.”
Helen Goldthorpe, Associate in the Commercial team at Shulmans LLP, highlights that retailers in Superdrug’s sector could face particular challenges here.
“Data security is a particular issue for Superdrug as even though this breach only appears to have affected limited information, as the retailer expands into providing services such as botox the company is likely to hold more sensitive medical information,” says Goldthorpe.
“Customers will be asking whether Superdrug can be trusted to handle this if they cannot even be trusted to handle less sensitive data.”
This is a particularly important consideration in the light of evidence that consumer trust in eCommerce sites to handle data is already low; a survey of 2,000 adults by product finding engine Zwoop found that 67% of UK adults and 69% of US adults were uncomfortable with how eCommerce sites use data.
A layered approach
Personally identifiable information obtained in such breaches could “easily fuel synthetic identity fraud and identity theft”, says Ryan Wilk, VP at Mastercard subsidiary NuData Security.
Wilk highlights technologies such as passive biometrics and behavioural analytics as ways to limit the damage once such data has leaked.
“These technologies can’t prevent system breaches but can protect companies from post-breach damage, as they identify users based on data beyond their personally identifiable information, which can’t be stolen,” says Wilk.
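As an added defender-side illustration (not code from the article or from any of the vendors quoted), the following Python sketch shows how the credential-stuffing pattern Superdrug describes (leaked email/password pairs from other sites replayed against its login page) and the behavioural signals Wilk refers to can be picked out of ordinary login logs without using any personally identifiable information. The log lines, IP addresses (RFC 5737 test ranges) and thresholds are constructed for the example; the account identifiers stand in for whatever opaque ID a real system would log.

```python
"""Spotting a credential-stuffing pattern in login logs (constructed example).

Credential stuffing replays email/password pairs leaked from other sites.
The tell-tale signals are behavioural rather than identity-based: one
source tries many *different* accounts, mostly failing, at machine-like
intervals. None of those signals depend on the customer's PII, which is
what Wilk means by identifying users on data that "can't be stolen".
"""
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample log: timestamp, source IP, opaque account id, outcome.
SAMPLE_LOG = """\
2018-08-20T10:00:00 203.0.113.5 acct-001 FAIL
2018-08-20T10:00:01 203.0.113.5 acct-002 FAIL
2018-08-20T10:00:02 203.0.113.5 acct-003 FAIL
2018-08-20T10:00:03 203.0.113.5 acct-004 OK
2018-08-20T10:00:04 203.0.113.5 acct-005 FAIL
2018-08-20T10:00:05 203.0.113.5 acct-006 FAIL
2018-08-20T10:00:06 203.0.113.5 acct-007 FAIL
2018-08-20T10:00:07 203.0.113.5 acct-008 FAIL
2018-08-20T10:00:08 203.0.113.5 acct-009 OK
2018-08-20T10:00:09 203.0.113.5 acct-010 FAIL
2018-08-20T10:00:10 203.0.113.5 acct-011 FAIL
2018-08-20T10:00:11 203.0.113.5 acct-012 FAIL
2018-08-20T10:03:00 198.51.100.7 acct-042 FAIL
2018-08-20T10:03:20 198.51.100.7 acct-042 FAIL
2018-08-20T10:04:05 198.51.100.7 acct-042 OK
2018-08-20T10:05:00 192.0.2.9 acct-077 OK
"""


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, acct, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "acct": acct, "ok": outcome == "OK"})
    return events


def source_profiles(events):
    """Per-source behavioural profile: volume, account spread, failure
    ratio and how regular the inter-request gaps are (low spread = bot)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    profiles = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        fails = sum(1 for e in evs if not e["ok"])
        profiles[src] = {
            "attempts": len(evs),
            "distinct_accounts": len({e["acct"] for e in evs}),
            "fail_ratio": fails / len(evs),
            # A single event has no gaps, so regularity is unknown (inf).
            "gap_stdev": pstdev(gaps) if gaps else float("inf"),
        }
    return profiles


def is_stuffing(profile, min_accounts=10, min_fail_ratio=0.7, max_gap_stdev=2.0):
    """A source hitting many distinct accounts, mostly failing, on a
    near-constant cadence matches the credential-stuffing pattern.
    Thresholds are illustrative and would be tuned per site."""
    return (profile["distinct_accounts"] >= min_accounts
            and profile["fail_ratio"] >= min_fail_ratio
            and profile["gap_stdev"] <= max_gap_stdev)


def flag_sources(text):
    """Sources whose behaviour matches the stuffing pattern, sorted."""
    return sorted(src for src, p in source_profiles(parse_log(text)).items()
                  if is_stuffing(p))


def accounts_to_reset(text):
    """Accounts a flagged source logged into successfully: these are the
    reused-password victims that need a forced reset or step-up check."""
    flagged = set(flag_sources(text))
    return sorted({e["acct"] for e in parse_log(text)
                   if e["src"] in flagged and e["ok"]})


if __name__ == "__main__":
    print("flagged sources:", flag_sources(SAMPLE_LOG))
    print("accounts to reset:", accounts_to_reset(SAMPLE_LOG))
```

In the sample, the first source cycles through twelve different accounts one second apart with two successes, so it is flagged and the two accounts it reached are queued for a password reset; the second source retries one account with irregular timing, which is what a genuine customer who has forgotten a password looks like, and is left alone.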
Jacoby of Kaspersky also talks up the potential of biometric technologies in replacing user credentials.
However, he notes that consumers are wary about the technology and suggests that replacing user names rather than passwords would be better.