What information does your favorite online store have about you?
If you have your products shipped to you, they have either your home or office address or your post office box. They may have your debit card or credit card information. They might even have your birth date.
Are you a member of a loyalty program with that store? If so, they could match your personal details with your buying history, too.
Retail was the most targeted sector for cyber attacks, according to the 2020 Trustwave Global Security Report.
Data security should be a big concern for merchants with ecommerce sites today — especially if you’re using an on-premise or cloud-hosted (not software-as-a-service) ecommerce platform.
Let’s dig into the details about data breaches, why it’s important for todays’ merchants to understand the dangers and how you can protect your online store from bad actors breaching customer information.
Ecommerce Data Breaches: Examples and Statistics
A data breach refers to an “incident in which information is accessed without authorization,” according to Norton cybersecurity firm.
In 2019, more than 15 billion data records were exposed — a 284% increase from the year prior.
Then, in April 2020, Google reported blocking more than 18 million malware and phishing emails per day related to COVID-19.
1. High profile retail breaches.
There have been plenty of high profile retail attacks in the past decade or so. You may remember the Target data breach in 2013 that affected 40 million customers’ payment information.
Then in 2014, Home Depot reported 56 million payment cards exposed.
In 2018, Under Armour’s MyFitnessPal app was breached, impacting 150 million users’ information.
2. Magecart.
Those individual breaches were significant, but even small businesses end up in bad actors’ crosshairs. Magecart refers to a hacking group that uses skimmers to target customer and payment card data via online stores.
According to CSO Online, Magecart efforts usually have targeted the Magento ecommerce platform.
After Magento 1 was sunset last year and the company stopped patching its security vulnerabilities, nearly 3,000 Magento 1 stores were hit by Magecart-style attacks.
4 Types of Ecommerce Data Breaches
As ecommerce continues to grow, work become more mobile and virtual and we all become more connected via numerous communication channels and transactions on the internet, business is becoming easier.
1. Stolen information.
According to Verizon’s 2020 DBIR report, 30% of data breaches for the year prior involved internal actors — that means, people that worked for the organization were involved in the exposure or theft of information.
It’s unfortunate to think of your own employees compromising sensitive data, but it does happen. And sometimes, it’s by accident.
In the same report from above, Verizon wrote: “Admittedly, there is a distinct rise in internal actors in the dataset these past few years, but that is more likely to be an artifact of increased reporting of internal errors rather than evidence of actual malice from internal actors.”
Even just losing a cell phone, computer or product prototype could put you at risk if that physical item ends up in the wrong hands.
2. Password guessing.
As humans, we tend to think we’re unique. But we think a lot more alike than we sometimes realize.
That’s why, if users don’t practice good password hygiene, bad actors may just be able to guess their passwords. According to a Kaspersky report, 31% of people surveyed have a few passwords that they choose from when creating new accounts and 13% use a template or regular pattern that they can modify to create new passwords.
One complication here is that the consumer data stolen in large data breaches doesn’t always include payment card details.
Sometimes it yields information like addresses, birthdays and personal information like children’s names, etc. These types of information can be used to guess weak passwords — how many of your passwords include your birthday or pet’s name? Many people are hacked simply because their password was too easy or guessable.
3. Phishing.
The term “phishing” refers to a number of different attack vectors, but they all have one thing in common: social engineering. Phishing was responsible for more than 20% of data breaches, according to Verizon’s DBIR report.
Attackers use social engineering to convince people to click on dangerous links, enter their password information, or provide other sensitive information that can then be used to exploit a person or system.
One example is receiving an email from “your CEO” at work asking you to complete some kind of urgent task that involves moving money around or responding with sensitive information. (Pro-tip: that’s probably not your CEO.)
Another example could be an email that looks like it’s from your bank asking you to log into your account. The link from the email may take you to a spoofed page of your bank’s login. It can look remarkably similar, but if you enter your login details here, an unauthorized party is going to see them.
4. Malware virus.
Microsoft defines malware as “a catch-all term to refer to any software designed to cause damage to a single computer, server or computer network.”
Malware could be used to move/steal data, wipe data (or threaten to, in the cases of ransomware), insert keyloggers that record every keystroke you type on your computer, and more. Magecart uses a type of malware to infect vulnerable ecommerce websites. The most common vector for malware (at nearly 40%) is through users clicking on suspicious links via their email, and download of infected email attachments accounts for another approximately 15%.
Cost of an Ecommerce Data Breach
Businesses bear the burden of protecting the private information that they collect from consumers, whether they’re storing or transmitting it. That responsibility means they also may see consequences from the mishandling of information.
The cost of a data breach isn't all green money. You may also see a hit to customer trust and brand reputation, and don’t forget all the blood, sweat and tears that go into remediating a data breach. Let’s dig into the three types of costs that make robust data protection on the front end more than worth the cost.
1. Financial implications of a data breach.
If you suffer a data breach that exposes your customers’ sensitive information, you could be liable for damages. The Home Depot number we mentioned before is an uncommonly large amount of money, but the cost of the data breach does seem to be directly correlated to the size of the data breach.
You can reduce your damages by identifying and containing incidents sooner, but remember that you’ll need to consider all the costs surrounding:
Cost of patching the vulnerability
Compensating victims for damages, if necessary
Expenses related to litigation
2. Customer trust after a data breach.
In early ecommerce, trust may have played an even greater role in conversion. Paying over the internet — still a very abstract concept for many people at the time — just seemed risky.
Today, purchasing products from ecommerce businesses or marketplaces like Amazon is second nature. But that doesn’t mean trust is no longer important. It means you might get their unearned trust from the beginning, but if you break it, you buy it.
If a data breach does occur, make sure you report it immediately to the appropriate parties and communicate fast and openly with any affected customers. Handle those communications and interactions well and you might even win more trust, instead of less.
3. Brand reputation impact.
Losing your customers’ trust is perhaps one of the most damaging things that can happen to your business. But losing the trust of those who aren’t yet customers can really impact your brand’s reputation, potentially even driving away potential customers who weren’t yet aware of you.
Brand reputation is important. That’s why enterprise organizations sometimes spend millions of dollars and countless hours working to build it. When one single data breach could put all of that in jeopardy, you begin to see how important it is to ensure all the best practices for cybersecurity on your particular infrastructure are followed.
How to Protect Your Store From a Data Breach
While some of this article may have sounded a little intimidating, it doesn’t have to be difficult to take the necessary security measures to protect your ecommerce store from a data breach. You just have to be diligent and follow best practices for your particular ecommerce architecture and infrastructure.
1. Choose the right ecommerce platform.
Different ecommerce platforms might have different requirements for security from you as the merchant. For example, with Magento, you’re responsible for patching security vulnerabilities — and if you’re on Magento 1, which is no longer supported by the company, you won’t be able to rely on them issuing patches for discovered vulnerabilities.
SaaS platforms, on the other hand — like BigCommerce — often have some level of security built in. Since you don’t own the servers or the software itself, the platform’s developers are still responsible for security.
2. Use SSL encryption.
SSL stands for Secure Sockets Layer. It’s an encryption-based security protocol for the internet, developed to ensure privacy, authentication, and data integrity. You know a website has SSL encryption if it uses HTTPS in the URL instead of HTTP.
3. Selectively collect customer data.
Personally identifiable information (PII) on your customers is one of the most important things you have to protect. And, if you’re breached, it could cost you. But you don’t have to protect what you don’t have — so make sure you have a legitimate, important reason to collect every piece of information you store. If you don’t need a piece of data, don’t collect it.
4. Use a malware scanner.
You can use a security solution that scans for malware to regularly ensure that your device is free from attack. While your platform provider may be securing your ecommerce solution — or you may have a third party helping to secure your business’ servers, if you have an on-prem solution — it’s still a best practice to make sure your device doesn’t get infected.
Conclusion
In ecommerce, part of the way we deliver personalized shopping experiences and continually improve service is through analyzing the data from our stores and customers. And delivering that service well is part of what instills in customers the trust they need to provide us with that information.
It’s our duty to protect it — but there are a lot of bad actors out there who want it, too. That’s why securing against data breaches is such an important part of being a merchant.
Unfortunately, data breaches can wreak havoc on your business, and not just until the mess is cleaned up. They can have long-term impact on customer trust and brand reputation. But the good news is that there are a lot of precautions you can take to protect your business and your customers.