As we finalise Retail Technology magazine's annual examination of retails loss prevention and security technology landscape, an unprecedented number of email data security breaches have come to light
Epsilon Data Management, a large email marketing services company, disclosed 1 April that attackers had stolen customer data belonging to several of its clients. While the extent of this breach is still under investigation, the initial list of affected companies has steadily grown to include several global companies, such as major hospitality firms Marriott and Hilton, and big retailers such as Best Buy, TripAdvisor, Mothercare, and Marks & Spencer among others.
Although the email data stolen did not contain any personal identifying information, it could be used to direct spam and phishing attacks. A major global data breach such as this, which was also preceded by a similar breach affecting the email service providers of Play.com and The Co-operative Group, as well as a security breach at Lush.com, throws the spotlight firmly on improving the levels of security included in retail IT third-party services.
Counting the cost
In addition, recent research from the Ponemon Institute found that, last year, the cost of a data breach rose to £133 per record, and that negligence was the cost of 41% of breaches. Marc Lee, sales director at Courion, the access assurance company, said data breaches can create catastrophic bad press and can have a painful impact on the bottom line.
“Coupled with the new powers of the Information Commissioner’s Office to fine companies in the UK upwards of £500,000 for each instance of a data protection failing, the final overall cost of a breach or loss could very quickly dwarf the £4.5 million average cost per incident revealed by the Ponemon research. Organisations need to better understand where their greatest sources of risk reside as well as who is accessing sensitive data, how and why. It is the organisation’s responsibility to track activity and make sure that access to the most sensitive data is only granted to those for whom it is necessary to do their jobs,” he warned.
Adding to the already complex and threat-filled security landscape for retailers online, CyberSource recently released its seventh annual UK Online Fraud Research report on the impact of online fraud for digital goods merchants. The report found the fact that nearly three quarters ranked online fraud as their greatest business threat. A further 40% of digital goods merchants had stopped accepting orders from outside the UK due to fraud risk, and many were embracing sophisticated anti-fraud tools such as internet protocol (IP) geolocation more rapidly than other sectors – 36% of digital merchants used this tool compared to 10% of physical goods retailers.
Making multichannel secure
But in these straitened times, multichannel retailers have much more than their digital boundaries to protect more effectively, as our look at findings of the independent Retail Fraud survey demonstrate (page 15). Key findings include low levels of investment in fraud management systems, a disconnect between store and online shrink, increased trends in return goods fraud and poor contactless payment adoption rates due to perceived deployment costs.
Stanley Skoglund, Visa payment system security senior vice president, told Retail Technology: “Face-to-face fraud in the UK retail environment was down 6% in the last year. Much of this reduction is due to the success of the UK's full transition to chip and PIN five years ago. Visa Europe is looking to encourage retailers across Europe, who have not equipped themselves for EMV chip acceptance or who still process a significant percentage of transactions using magnetic stripe with an incentive to update their systems.” He said the new Visa Technology Innovation Programme would help face-to-face merchants meet their Payment Card Industry Data Security Standard compliance requirements and reduce their overall security costs.
“Only by working with retailers on all areas of acceptance and card data storage can we hope to prevent fraudsters who are always looking for weaknesses. For this reason Visa Europe has also issued best practice guidelines on Data Field Encryption and tokenisation to help retailers understand potential risks and develop their systems accordingly," added Skoglund.
You can access the March/April 2011 issue of Retail Technology magazine, by registering to receive free it in its electronic online format here.