Consumers, financial organizations and retailers alike are still reeling from Equifax’s announcement of a data breach that may have affected 143 million Americans, as well as other consumers in the UK and Canada. It’s not the largest data breach — last year Yahoo admitted to a breach affecting as many as 1.5 billion customers — but it’s very large. It’s also very serious.
In order to protect themselves and their customers’ data, online retailers need to understand why this particular breach is so dangerous, how it will impact their businesses, and what they can do to prepare for future fraud attacks.
The Danger of the Equifax Breach
The problem with a breach affecting a company like Equifax is that the data stolen is so sensitive. Equifax collects and maintains people’s personal financial information, so the hackers gained access to names, birthdates, Social Security numbers and home addresses. Just imagine what an unscrupulous person could do with that information.
At Forter, we’ve been able to track the growth of identity theft over the last few years. The more data a criminal has access to, the more complete the picture of their victim will be, and the more damage they can do — e.g., setting up or taking over bank accounts and credit cards, gaining access to medical files and so on. The Equifax breach included a lot of data, which is what makes it so dangerous for consumers.
That’s why one of Gartner’s security and fraud experts, Vice President, Distinguished Analyst Avivah Litan, told The New York Times that “on a scale of one to 10 in terms of risk to consumers, this is a 10.”
The Impact on E-Commerce Merchants
The “good” news for online retailers is that when a breach is as serious as this one appears to be, e-commerce generally isn’t the first place a criminal will turn. There are more lucrative and more damaging things that can be done with this kind of information than stealing from an online retailer. After all, these are the crucial pieces of data that can be used to access medical histories, bank accounts and employee accounts.
However, this doesn’t mean retailers will go unscathed. For one thing, credit card numbers for 209,000 consumers were stolen, and those are very likely to make their way into the marketplaces of the online criminal ecosystem. Many of them will probably be used in attacks against online retail, which can be an efficient way for crooks to turn credit card data into lucre.
Secondly, even when an identity is faked or stolen for another even more nefarious purpose, that doesn’t mean it won’t also be used to steal from an e-commerce merchant, either afterwards or as an afterthought. Criminals don’t like to waste data or opportunities. Having put effort into building or breaking into a profile or account, they prefer to maximize the potential profit that can be generated. For them, it’s a matter of maximizing their return on investment.
One Breach Following Another
Past breaches such as those at Target and Home Depot were followed by periods of increased fraud attacks against online retailers. It’s probable that the same trend will be seen following the Equifax breach.
Forter already saw a 15 percent spike in attacks last month compared to August 2016. While it’s too early to connect this directly to the Equifax hack, August is an unusual time for a rise in fraud attacks, which normally peak during the holiday season. It’s possible that the breach’s impact has begun.
There have been so many breaches that many people are losing track. Last year alone saw more than 3 billion records exposed across numerous breaches. High-profile breaches in recent years include Yahoo, Google, Verizon, Anthem, Target, Neiman Marcus, JPMorgan Chase, Home Depot, and even the IRS and the Department of Homeland Security.
What Retailers Should Do in This New Reality
It might be unpalatable, but data breaches are a feature of the connected, complex, high-tech world in which we now live. Retailers should invest in security to protect themselves, their customers and their data. They should also prepare for times like the present when a successful breach is likely to have an impact on their business.
Identity theft makes both setting up fake but convincing accounts and taking over existing accounts far easier. These are threats that all retailers need to be prepared to combat. You can’t just focus on the level of a transaction and checkout anymore; you need to understand what’s going on with your customers at every point of interaction with your business.
Retailers should also ensure that the vendors they work with are held to high security standards. There are certifications, such as PCI DSS or SOC, which indicate that a company is taking security seriously. Since many breaches occur through third-party vulnerabilities, this is vital.
In terms of the impact on business more directly, it’s important that e-commerce merchants don’t let their awareness of the increased risk of fraud lead them to turn good customers away. Don’t make your customers suffer for the breach — it’s not their fault! Ensure your fraud defenses can accurately distinguish between a sophisticated fraudster and a customer with a complex shopping story. Be accurate, not risk averse.
One last lesson from the latest data breach: Don’t base your fraud defenses on static data. It can be stolen — and it may well have been. The days of being able to rely on unchanging CVV numbers or AVS matches are over. Leverage cyber intelligence, behavioral analytics and everything you can deduce about the connections between accounts and individuals to support your fraud prevention efforts. Your customers, both genuine and fraudulent, are dynamic. Make sure your fraud prevention is too.
Michael Reitblat is the co-founder and CEO of Forter, a provider of fraud prevention solutions for online merchants.
Michael Reitblat founded e-commerce fraud prevention company Forter in 2013. Forter currently works with Fortune 100 retailers, top travel companies, and digital disruptors. In the past 12 months alone, Forter has raised $50M in funding, tripled its customer base, processed more than $55 billion in transactions, and been recognized on the 2018 Forbes Fintech 50 list, Fast Company’s 2018 Most Innovative Companies list, and CB Insights’ Fintech 250 list.
Michael began his career in Israeli military intelligence where he was trained to prevent fraudulent, criminal activities. Following his military service, Michael played a key role in building the first company to specialize in online payment fraud, Fraud Sciences. After the business was acquired by PayPal, he helped to develop the successful fraud prevention system that the payments giant used for many years. In addition to leading Forter, Michael is currently an investor, adviser, and board member of several cutting-edge technology companies. He also works with NGOs to help establish digital payment accessibility in developing countries.