One of the most notorious breaches in the relatively brief history of cybercrime involved US retailer Target. More than 40 million customer payment card details were compromised as a result of the attack which occurred over the 2013 Thanksgiving weekend.
But that was just when the attackers struck – they had actually hacked into the Target network some months earlier via a weakness in the software which ran the company’s air conditioning system. They bided their time until a busy shopping period to maximise the value of their loot.
Payment details aren’t the only things of interest to the criminals. “The risks arising from online purchasing are not limited to the payment aspect of the customer journey through a retailer’s ecommerce platform,” says Dermot McGirr of Pinsent Masons law firm.
“While online profiles and broader information on purchasing habits used for targeted advertising and understanding consumer behaviour have intrinsic value for retailers, such data is also a high-value commodity for cyber criminals as it can be used for targeting in sophisticated phishing scams and similar targeted criminal activities. It is therefore paramount that retailers’ security regimes cover the entire customer journey and not simply the payment aspect.”
Hijacked
And the journey can be hijacked. "One particular risk for retailers to be aware of is that of consumers being intercepted as they go through the online customer journey and being diverted unwittingly to a third-party site," McGirr notes. "This is what happened in an incident reported in 2018 when British Airways customers were diverted to a fake website and customer details were harvested by attackers. This resulted in one of the largest intended fines ever announced by a data protection authority in the EU."
The fine could be as high as €200 million but the final figure has yet to be decided.
According to Prof Kevin Curran of Ulster University, retailers must invest in best practice if they are to protect customers. “It comes down to the intelligence of the chief security officer,” he says. “Things like loyalty schemes hold a lot of personal information about customers and it is crucial that it is kept secure. Retailers should only collect data that is necessary for them to do business. That’s one of the problems with Covid-19. Retailers are collecting data that they didn’t have to before now. That data has to be transferred onto systems at some point and it has to be protected.”
He advises companies to take a systematic approach to the issue. “It starts with a proper risk assessment,” he says. “Retailers have to look at what data they hold and what damage a breach could do. After that they need to put a security policy in place. That policy should include a response plan in the event of a breach as well as training for employees on safe working practices. They should plan for a cyberattack and prepare for it. They should look at ways of containing a breach and managing it. That means knowing who is affected by it and notifying them. Organisations should be as transparent as possible.”
Nicola Barden of Pinsent Masons agrees: “Where a security incident does occur, it is important for retailers to be prepared and have an incident response plan ready to go. The first step on any such plan should be ensuring that news of an incident is contained within the business and that information should be only provided on a need-to-know basis within the business. The reason for this is that when a cyber incident occurs, time is of the essence, not just to contain the incident but also to notify the relevant data protection authority and affected individuals, where required.”
“The business will want to ensure that such notifications are managed both in a legally compliant manner but also in a manner which seeks to mitigate the potential reputational damage,” Barden continues. “Retailers should be ready with an incident ‘war room’, including lawyers, PR experts, insurers, crisis management specialists, and IT forensic investigations to ensure comprehensive management of the incident. In our experience, having a single lead person who oversees the response plan is a key aspect of managing the incident effectively.”
They should also fulfil their legal obligations. “Under section 19 of the Criminal Justice Act, it is mandatory to report cyberattacks to the gardaí,” Curran points out. “Under GDPR, breaches have to be reported to the Data Protection Commissioner.”
Barden explains the nature of the fines which companies may incur under GDPR. “In practice it is important to understand that where there is a data security breach which leads to fines being issued under the GDPR these are not handed down because the security breach happened,” she says.
“Rather they are because the data controller in question, in this case the retailer, did not have appropriate security measures in place to protect their systems. Data Protection Commission guidance in this area points to using multi-factor authentication and strong passwords to identify customers but also ensuring security behind the customer’s journey, using measures like encryption and firewalls to keep hackers out. The message for retailers is that they should concentrate on their security measures, ensuring they are regularly reviewed and aligned with current best practice. Where a retailer suffers an attack in spite of having robust security in place then it will be in a stronger position to defend itself against the additional burden of a potential GDPR fine.”
Data protection law
Fines are not the only penalty. “Retailers should also beware of the potential for group litigation following a cyber or security incident,” says Barden. “Under Irish data protection law, an action can be brought on behalf of the customer or group of customers by a not-for-profit body, organisation or association who are active in protecting data subject rights. Group claims for cyber and security incidents are a new and developing area and, for retailers, could potentially dwarf the fines that might be handed down by the Data Protection Commission.”
There is also the risk of reputational damage. “It goes without saying that an incident which results in the loss of control over customer data can have a negative impact on customer relations, levels of customer trust in a brand and cause general reputational damage to the business.”
The message for retailers is clear: plan for when, not if, a cyberattack will happen and be ready to inform customers, regulators and the Garda as soon as possible.