The number of those affected by high-profile consumer data breaches in the past few years is staggering; 50 million Facebook users were stung in 2018, whilst British Airways revealed back in October 2018 that over 185,000 passengers may have had data stolen in a breach. It’s evident that hackers are becoming more and more sophisticated and are now able to steal data at an alarming pace.
As hackers’ skills strengthen, it seems no one is safe. Even companies that pride themselves on cyber security are at risk: take the Equifax data breach in 2017 for example which affected approximately 148 million people. Worryingly, those that are trusted with the most sensitive data are just as vulnerable.
Within the retail space, the repercussions of consumer data breaches are just as far-reaching and with e-commerce fraud reportedly up 30%, it’s time for retailers to pay attention to the bigger picture. One attack on a single retailer negatively impacts all merchants in one way or another – they are all victims. It’s tempting for retailers to breathe a sigh of relief when a data breach happens to somebody else’s business, but they’re mistaken because stolen data is everybody’s problem. The original breach has a long-lasting ripple effect across the business landscape.
The knock-on effect of one data breach is astounding. Stolen information quickly finds its way to the Dark Web where fraudsters buy credit card details, email addresses and passwords at the click of a mouse, and a surge of fraudulent activity ensues.
Credit card numbers can be used to purchase goods online using an unsuspecting consumers’ details and further retailers are stung as the consumer eventually becomes aware of the fraudulent transaction and files a chargeback to recoup their money. Beyond that, the relationship between retailer and customer is severely damaged, sometimes beyond repair.
When stolen names and email addresses are purchased on the Dark Web, fraudsters are all set to go phishing. They can send a well-crafted and familiar email that appears to be from where the consumer does business. The email directs the consumer to a fake site, where the consumer enters their details and unwittingly grants the fraudster full access to their account. Again, the original breach impacts more retailers.
When it comes to leaked passwords, cyber criminals can not only takeover the consumer’s account on the original site that was breached but they are likely to also have access to the consumers’ other accounts. It’s a well-known fact that consumers tend to use the same password over a multiple of sites – in fact, a recent Signifyd consumer survey found that more than half of consumers use the same login information for multiple retailer accounts, which increases their vulnerability of account takeover.
Account takeover is difficult to detect and therefore one of the most malicious and fast-growing forms of fraud. When a fraudster takes control of a consumer’s account and goes on a shopping spree, it often looks completely legitimate.
Finally, criminals who have pilfered names and addresses are able to steal identities and open credit accounts with retail sites. This fraudulent activity is extremely difficult for retailers to detect as it simply appears to be a real customer in good standing who is then offered a credit line that he or she never has to pay back.
You may wonder how these hypothetical scenarios play out in the real world but Business Insider highlighted the scale of the issue when they reported that over 80% of people logging into retailers’ e-commerce sites are hackers using stolen information. So, what can retailers do?
Vigilance will help, of course. Whether it’s employing more people to review orders for fraud or by turning to technology to identify fraudulent activity. However, it’s not enough to review anti-fraud strategy and consider it job done. Hackers are becoming more sophisticated daily and anti-fraud measures therefore need to adapt and match the criminals’ pace. Retailers may think they’ve won the war against cyber fraud but really, it’s an ongoing battle.
It’s clear that data breaches have a widespread impact and retailers can’t rest on their laurels; they need to prioritise the constant improvement of fraud protection and view it as an investment for customer experience. Research by Signifyd found that consumers blame retailers for data breaches and fraudulent charges on their accounts, regardless of where the fault truly lies. Consumers are now more unforgiving and the old adage “the customer is always right” has never been more pertinent.
It’s up to retailers to better protect themselves and learn from others’ mistakes. It’s not just about protecting the data – which of course is essential – it’s also about understanding the ripple effect that data breaches have on the fraud threat facing every retailer, and how that threat affects consumer sentiment long after a breach has occurred.
By Stefan Nandzik, vice president of corporate communications at Signifyd