September 15, 2011, 10:55 AM

Retailers have to be on guard

Constant vigilance is essential to protect all sorts of data.

Kevin Woodward

Senior Editor


Payment data continues to be the most sought-after by thieves, but other types of data, such as employee records and loyalty program information, held by retailers also need protection, says Lisa Sotto, an attorney at Hunton & Williams L.P. who specializes in data security matters.

“Retailers also are employers,” Sotto says. They hold data like employee bank account numbers for direct deposits, Social Security numbers, driver’s license numbers and health data, she says. Criminals who successfully get a hold of that type of data can use it to steal an identity, potentially using the identity to obtain fraudulent credit cards, she says.

Just how prevalent is non-payment data among breaches? Data compiled by the Open Security Foundation in its Data Loss Database shows that of the 369 incidents reported between Jan. 1 and July 21, 335 involved names and addresses, by far the most common type of data stolen. Social Security numbers were stolen in 144 incidents. Only 27 incidents reported the loss of financial data.

Regardless of the type of data to protect, Sotto says retailers cannot assume measures put in place a year ago continue to protect. Criminals change their tactics all the time, she says. “You can’t use yesterday’s tools because criminals are very sophisticated,” Sotto says. “You have to spend resources. It’s critical that retailers invest in this area.”

Sotto also advises that retailers make a point to limit the amount of data they hold. For example, does a loyalty program need to have a consumer’s birth date? If not, do not collect it, she suggests. A thief can use a stolen birth date with other information, such as an e-mail address, to send a consumer a phishing e-mail in an attempt to get him to divulge additional sensitive information, Sotto says.

In a phishing attack, criminals craft an e-mail or web site that imitates a legitimate brand, typically to convince unwitting consumers to click through to a site the criminals control and “update” their payment account information there. The criminals then usually either sell the captured information to other criminals or use it themselves to make fraudulent purchases.

“Making data security a part of the corporate ethos is critical,” Sotto says. It no longer is something to relegate as a secondary concern, she adds.
