From Dark Web to Check Out: How Consumer Data Breaches Are All Retailers’ Problem
The numbers of those impacted by any of the high-profile consumer data breaches over the past few years sound almost comical: 50 million, 150 million and then 500 million.
Is a billion next? It may not matter, considering that the sum total may already be a significant portion of the global population with a digital footprint.
The truth is that the new reality of our digital world paints a simple picture: hackers are stealing data at a breakneck pace. And no one seems safe. The breaches are occurring at companies that pride themselves on cyber security, including those that have been stalwarts of the consumer world for decades. Even companies trusted with the most sensitive data have fallen victim.
But they weren’t the only victims. We all were, and every single retailer could pay dearly. It’s both tempting and a mistake for retailers to breathe a sigh of relief when a data breach happens to somebody else’s business.
Why? Because even if your data is secure, stolen data is everybody’s problem. Stolen personal information very quickly finds its way to the dark web, where crime rings buy and sell credit card numbers, email addresses, social security numbers and more with Amazon-like convenience.
And just as no two data breaches are alike, the criminal fallout for retailers that results from other organizations’ breaches takes different forms. Fraud rings that steal credit card numbers take a straightforward approach. They simply purchase goods from a retail site using an unsuspecting consumer’s credit card.
A ring that has stolen names and email addresses is all set to go phishing. Once a phishing operation has a consumer’s name and email address, it can send a well-crafted email that appears to be from, say, Wells Fargo Bank, where the consumer has an account.
The email directs the consumer to a fake Wells Fargo site, where the consumer enters his or her credentials. Once the consumer enters the information, the criminal ring has full access to the consumer’s Wells Fargo account.
In the case of data leaks or breaches that include passwords, fraudsters can sign into sites involved in the breach to directly access accounts — i.e., an account takeover attack. They can also try the leaked passwords on other sites, including retail sites, to see if the password works on them as well. Survey after survey — and crime after crime — show that consumers tend to use the same password across numerous sites, including multiple online stores.
In fact, a recent Signifyd consumer survey, performed by research firm Survata, found that more than half of consumers use the same login information for multiple retailer accounts, which increases their vulnerability to account takeover.
Account takeover is one of the most pernicious and fastest-growing forms of fraud. It can be difficult to detect because the fraudster literally takes control of an unsuspecting consumer’s account and goes on a shopping spree that looks completely legitimate. Data that my team gathered found that account takeover fraud was up 80 percent, no doubt because of readily available personal information.
Finally, fraudsters who have pilfered names, addresses and social security numbers are able to use stolen identities to open a credit line on retail sites that offer them. The crime is as hard — if not harder — to detect as account takeover. A fraudster with a stolen identity appears to be a real customer in good standing who is then offered a credit line that he or she never has to pay back.
How does this stolen-data-fueled crime play out in the real world?
A recent report found that 80 percent to 90 percent of the people logging into a retailer’s e-commerce site are hackers using stolen information. Even Experian reported that e-commerce fraud was up 30 percent.
So, what can retailers do?
Increase vigilance, of course. That means either increasing the staff responsible for reviewing orders for fraud or turning to any of a number of technologies that are able to help identify account takeover and fraudulent orders.
This vigilance, however, needs to be taken seriously and reviewed regularly. Fraud rings have become increasingly sophisticated, so retailers must turn to increasingly sophisticated tools to protect themselves and their customers. This isn't a static game; it's more like an arms race with each party — fraudsters and retailers — trying to one-up the other.
Retailers should view the constant improvement of their fraud protection as an investment in the customer experience. Our study of 2,000 U.S. consumers found that a significant number of fraud victims blame the retailer for their misfortune, no matter who is actually at fault.
The bottom line is that sophisticated cybercriminals know the vulnerabilities and can use stolen data to take the path of least resistance to commit fraud. The data required to commit fraud can come cheap, attracting more and more to the game. And consumers are now more unforgiving when online fraud affects them.
It’s up to retailers to better protect themselves and learn from others’ mistakes. It’s not just about protecting the data, which of course is essential. It’s also about understanding the cumulative effect that data breaches have on the fraud threat facing every retailer and how that threat affects consumer sentiment.
Vahe Amirbekian is head of risk product at fraud protection company Signifyd.