Skip to content

The catastrophe of a customer data breach



Join our mailing list

Signifyd regularly publishes free reports packed with business insights, commerce trends and data from our massive Commerce Network. We’ll only email when we have something meaningful to share, no more than once per week. And of course you can unsubscribe any time.

An increase in attacks

It seems to happen so often these days that unless we are personally affected we don’t even blink an eye. Company wide data breaches happen when hackers steal personal customer information, and the disaster can alienate customers in the best of circumstances and destroy a company in the worst. Most of us have heard of the larger profile breaches, making nationwide news with each occurrence. But for a small business working hard to gain valuable customers one by one, the loss of customer information to online thieves can be devastating. A recent infographic by Bank of America, outlines the increase in attacks against small businesses.

Large companies who have suffered attacks

With a large subscriber base, the PlayStation Network breach of 2011 gave cybercriminals access to over 77 million accounts. Forcing Sony to shut down their premium service for 24 days, the resultant breach became the cause of multiple lawsuits, government investigations and a voluntary compensation to their customer base that cost them millions. According to Sony’s own sources, over 12.3 million of their 77 million accounts had credit cards linked to them, with 5.6 million of those accounts residing in the U.S. For cyber thieves, it’s a treasure trove of information.

TJX is the parent company for many popular consumer brands such as T.J. Max and Marshalls, so when TJX announced in early 2007 that they had become the victim of hackers it was no surprise that the amount of information stolen was massive. With 45.7 million customers affected, the illegal breach gave thieves social security numbers, driver’s licenses’ and all forms of different financial information ranging from credit and debit cards to check numbers.

Many smaller businesses assume that they are not at risk, believing that their small size and relative lack of conspicuous popularity makes them less vulnerable to attack. This is not completely accurate, with the recently released 2013 Verizon Data Breach Investigations Report stating that smaller organizations tend towards complacency, believing that attacks only target government, military and high profile organizations. This leaves them vulnerable to easily preventable attacks.

What do the attackers do with data stolen from these breaches?

The attackers typically resell the user information and credit card data before the accounts are shut down. They run online marketplaces for stolen information similar to eBay or Amazon where reputations drive sales. According to MSU Today:

Thieves sell data and money laundering services, advertised via web forums, and send and receive payments electronically or through an intermediary. They even provide feedback on transactions to help weed out sellers who cannot be trusted to deliver the illegal goods.

A typical marketplace for stolen information has ranges of account types that varies dramatically, ranging anywhere from $2 to $90 per card depending on  the quantity of information that comes with it. This information can then lead to various types of fraud from Account Takeovers to Credit Card fraud.

How do I prevent an attack?

While there is no ‘cure all’ in the cat and mouse game of online security versus criminal hackers, according to Symantec, there are a few things small online merchants can do to prevent a breach. In addition to that, it is highly recommended that small businesses not store credit card information about their customers within their own databases. Not only does this open you up to stolen card information when a breach occurs, but it also increases your costs due to PCI compliance. Third party payment providers like Stripe and Braintree exist to handle your card information, so let them handle it for you.

When an attack hits, what should I do?

There are several steps to minimize the damage in the case that your company suffers a loss of customer information. Experian has a great article that outlines the process.

How do fraud solution providers help small businesses in the case of a data breach?

A data breach anywhere in the world has a direct impact on Small Businesses. Fraudsters like to use the stolen information to monetize as quickly as possible, and who better than a bunch of small businesses who aren’t prepared or expecting this onslaught. So, although top fraud prevention companies like Signifyd cannot assist with protecting against data breaches, they can help web merchants ensure that if a data breach occurs, they would be protected against those stolen cards being used to purchase items from their business. This would happen in 2 ways:

  • Account Takeover: An account takeover is defined as when a criminal takes the personal information of a customer and logs in as that individual and subsequently either steals information, makes purchases or withdraws money. Fraud solutions like Signifyd can detect if the ‘customer’ is using an IP address not consistent with the normal customer. If the criminal is using a computer with a device fingerprint that is known to be bad, Signifyd can detect that as well. Changes in a customer’s profile such as ship to addresses or names are easily trackable too.
  • Stolen Credit Cards: Signifyd processes millions of transactions through it’s system daily and knows which ones are good or bad. If a fraudster tries to use one of the stolen cards at Company X, then if they return to use the same card at Company Y, Signifyd can decline that user from any purchasing activity.

In short, fraud solution providers like Signifyd can prevent any stolen customer information during the breach from being used fraudulently against you.

Final thoughts

Ending a crisis as quickly as possible is as important as preventing it in the first place. While Signifyd can’t stop a criminal from hacking your site, we can ensure that for those foolish enough to use stolen customer information, we can bring about a swift and business saving resolution. If your business is concerned about what to do in a data breach event, or if you simply have a question about fraud in general please reach out to us at [email protected] or at [email protected] . Thanks for reading!

Signifyd

Signifyd

Signifyd provides an end-to-end Commerce Protection Platform that leverages its Commerce Network to maximize conversion, automate customer experience and eliminate fraud and customer abuse for retailers.