Protecting customer data should be a core duty of your brand

by Source Defense

A data breach can have significant financial, reputational, and legal implications for any retail or ecommerce business. But these often pale in comparison to the financial, professional, emotional, physical, and mental health ramifications for those customers whose personal data was stolen.

Every year, about 15,000 people contact the Identity Theft Resource Center for help responding to the mind-numbing effects of a data breach on their personal lives. According to the ITRC’s 2022 Consumer Impact Report, financial concerns are just the beginning of a harrowing litany of potential outcomes when a customer’s data is stolen. 

According to the National Council on Identity Theft Protection, there is a new victim every 22 seconds in the U.S. – that’s an enormous 1.5 million per year that we know about – and the number of cases in the U.S. is nearly three times higher than in other countries.

Here’s a small sampling of what some customers have experienced due to a cybercriminal misusing their personal data stolen from ecommerce and other websites that collect sensitive data:

  • False income tax returns filed in their name
  • Hundreds of thousands of dollars in credit card debt
  • Warrants and arrests of victims due to crimes committed in their names
  • Social media accounts hijacked, leading to lost business and reputational damage
  • Feelings of anxiety, anger, depression, and suicidal thoughts
  • Problems sleeping, extreme stress, changes in eating habits, new addictive behaviors
  • Problems with family, friends, and employer

With those impacts, is it any wonder that a whopping 78% of consumers say that they’d shy away from a retailer that suffers a data breach?

How it Happens and Who’s Responsible

You may be familiar with the notions of protecting data in transit (as it traverses your network) and protecting data at rest (as it sits in your data storage systems). So are cybercriminals. They know that those pathways for data theft are hardened – so they’ve moved to stealing data at the point of input – literally skimming it out of the forms on your ecommerce site. As a result, the material cyber risk to your company starts long before your customer data hits your databases. In fact, your business is liable for the security and privacy of customer data before you even have a chance to leverage it for business purposes.

That’s right. While you have likely invested in firewalls, intrusion detection systems, and encryption, your first line of defense now actually needs to be at the point of input. One of your greatest vulnerabilities is the web browser that your customer (who may be sitting thousands of miles away from your headquarters or server farm) uses to interact with and make purchases on your website. The code that you allow to run in every customer shopping session – much of which comes from a large number of third parties integrated into your site – is the weakest point in your security posture.

The most recent cybercrime studies back this up. According to the Visa Biannual Threats Report, nearly 75% of fraud and data breach cases involved e-commerce merchants. Digital skimming attacks targeting e-commerce platforms and third-party code integrations are common. 

In May 2022, Visa’s Payment Fraud Disruption (PFD) identified a digital skimming campaign in which the threat actors exploited code integrations leveraged by the targeted merchants, such as marketing and tracking tools, that are enabled on the merchant checkout pages. In the incidents investigated by PFD, the third-party marketing tools and scripts were compromised by threat actors, and malicious JavaScript code was embedded into the otherwise legitimate code owned by the third party.

The third-party code, which contained a malicious JavaScript skimmer, was then integrated into the merchant checkout page, enabling the threat actors to harvest payment account data entered into the forms on the checkout page.

Protecting Data is Protecting the Customer – And Your Brand 

Organizations need to take this responsibility seriously, as more and more consumers are abandoning brands that have allowed data breaches to occur. 

“Consumers around the world are putting security front and center and leveraging their spending power to hold businesses accountable,” according to research conducted by the secure payments provider PCI Pal. According to PCI Pal’s recent survey:

  • In the US, 83% of consumers claim they will stop spending with a business for several months in the immediate aftermath of a security breach, and over a fifth (21%) of consumers claim they will never return to a business post-breach.
  • In the UK, 44% of consumers claim they will stop spending with a business for several months in the immediate aftermath of a security breach, and 41% of consumers claim they will never return to a business post-breach.
  • In Australia, 43% of consumers claim they will stop spending with a business for several months in the immediate aftermath of a security breach, and 43% of consumers claim they will never return to a business post-breach.
  • In Canada, 58% of consumers claim they will stop spending with a business for several months in the immediate aftermath of a security breach. One-fifth of consumers claim they will never return to a business post-breach.

“With the ongoing introduction of new data privacy regulations around the world, companies face significant fines in the event of a breach,” said James Barham, CEO at PCI Pal. “But our research shows they may face an even bigger financial consequence in the aftermath of a breach, with the loss of customer loyalty and trust.”

Source Defense is the pioneer in preventing digital skimming, Magecart, formjacking and other client-side security threats. We can help you get a handle on your risk, and take the risk off the table with an easy, cost-effective, no-hassle solution. 

For a free analysis of your ecommerce site, schedule a meeting with one of our experts today.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.
