Online Retailers Brace for the Holiday Hacking Season

As we work our way towards the holiday season, consumers around the world will increasingly be visiting online retailers in preparation for a frenzy of purchasing activity. However, are these retailers doing everything that they can to protect the data that they gather from these consumers?

Although many of these enterprises (Amazon and Alibaba, for example) have made great strides in protecting privacy, it is still apparent that many do not boast an exemplary track record as data custodians.

Vigilance (and systems) pay dividends for Alibaba

If we look back at the history of the world’s most popular online retailers, the tale of attempted hacking and in some instances successful data breach is a grim one. In February of 2016 Chinese hackers attempted to gain access to over 20 million active accounts on the Alibaba Group Holding Ltd’s Taobao e-commerce website using Alibaba’s own cloud computing service.1

The announcement that this hacking had occurred caused a 3.7 percent drop in the Alibaba share price. Alibaba security protocols foiled the attempt – but without a rigorous and continually refined approach to security the outcome could have been very different.

The hackers used a stolen database of over 99 million usernames and passwords from other websites and then used those to access Alibaba’s cloud computing platform to input the details into Taobao. Of the 99 million usernames, they found 20.59 million were also being used for Taobao accounts. The hackers started inputting the details into Taobao in mid-October and were discovered in November, at which time Alibaba immediately reported the case to police, and the hackers were nabbed.

Alibaba said that their servers and systems dealt with the hacking attack with no resultant issues. That’s arguable seeing as some accounts were reportedly compromised and fake orders using hacked data were placed. The company did warn Taobao users against password sharing between domains, and encouraged password changes.

That’s one instance where the story ends happily, at least for Alibaba, if not all of their customers – and neither online retailers nor customers have always gotten away with a bare minimum of damage.

Data remains under hacking threat

A 2015 report by IDG outlines just some of the online retail organisations that have not been lucky enough (or vigilant enough) to escape the ever more sophisticated attentions of hackers.2

Online holiday shopping provides hackers with a bonanza of opportunities for data theft.

At the end of January 2016, top tier retailer Neiman Marcus reported a data breach that affected 5,200 customers.

The company noted that on or around December 26, 2015, hackers used usernames and passwords that were previously compromised elsewhere to make guess attempts on the Neiman Marcus, Bergdorf Goodman, Last Call, and CUSP websites. They were able to access 5,200 accounts and use 70 of those accounts to make fraudulent purchases.

The account data, including customer names, saved addresses and contact information (email or phone), the last four digits of the account’s credit card number, and purchase history were also exposed.
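Both the Taobao and Neiman Marcus incidents follow the same pattern in login telemetry: one source tries many different usernames, each only once or twice, and a fraction succeed. The sketch below is an added example, not code from either company; the event format, sample data and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample login events: (source, username, success). Not real data.
SAMPLE_EVENTS = (
    # One attempt per account across many accounts, a fraction succeed.
    [("203.0.113.7", f"user{i}", i % 5 == 0) for i in range(40)]
    # A legitimate user mistyping a password, then logging in.
    + [("198.51.100.9", "alice", False)] * 3
    + [("198.51.100.9", "alice", True)]
    # Repeated guessing against a single account (brute force, not stuffing).
    + [("192.0.2.44", "bob", False)] * 30
)

def summarize(events):
    """Aggregate attempts, distinct usernames and successful usernames per source."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "hits": set()})
    for source, user, ok in events:
        s = stats[source]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["hits"].add(user)
    return stats

def flag_credential_stuffing(events, min_users=20, max_tries_per_user=2.0):
    """Return {source: usernames that logged in} for sources that look like
    credential stuffing: many distinct usernames, few tries per username.
    Thresholds are illustrative assumptions, to be tuned on real traffic."""
    flagged = {}
    for source, s in summarize(events).items():
        tries_per_user = s["attempts"] / len(s["users"])
        if len(s["users"]) >= min_users and tries_per_user <= max_tries_per_user:
            # Successful logins from a flagged source are candidates for
            # session revocation and a forced password reset.
            flagged[source] = sorted(s["hits"])
    return flagged

if __name__ == "__main__":
    for src, accounts in flag_credential_stuffing(SAMPLE_EVENTS).items():
        print(src, "->", len(accounts), "accounts to reset:", accounts)
```

Keying on a single source address is the simplest case; attempts spread across many addresses need grouping on other attributes available in the logs.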

It’s not only the holiday season that exposes well-known retailers to the effects of hackers, although increased activity during the high period certainly makes data more attractive in the months that follow. In February of 2016, 83,000 customers were affected when hackers accessed two cloud providers used by Gyft Inc. The hackers were then able to view or download user information stored on the servers, including Gyft card numbers, names, addresses, date of birth, phone number and email address. In addition, those who used Gyft between March 19 and December 4, 2015, might have had their login credentials compromised as well.

Those considering their vacation plans during the 2016 holiday season might also be concerned about online credit payments for high season accommodation.

In January 2016, Hyatt Hotels disclosed a data breach impacting payment card data at 250 hotels across 50 countries during the period when consumers are active in booking and paying for high season activities. An internal investigation determined that “payment card data from cards used onsite at certain Hyatt-managed locations, between August 13, 2015 and December 8, 2015.”2

Hyatt Hotels stated that “A small percentage of the at-risk cards were used at spas, golf shops, parking, and a limited number of front desks, or provided to a sales office during this time period.”

Is the hacking problem getting worse?

Given the above, is the hacking problem limited to holiday season buying? The answer is almost certainly not – however, this is a time of year when many online retailers will certainly see a spike in online buying activity, and hackers are well aware that there is an increased amount of data there for the taking. However, the activity, once triggered, becomes pervasive – and ongoing.

An IDG news report in mid-October 2016 indicates that the hacking challenges faced by online retailers may be getting worse.

The report notes that around 6,000 online shops have been compromised by hackers who added specially crafted code that intercepts and steals payment card details, a process that started around 12 months ago.3

What’s next for online retailers?

In an age of ubiquitous online purchasing activity, retailers need to be aware that increased vigilance and state of the art systems combined with highly skilled professional employees are the first lines of defence in ongoing efforts to protect data.

In part 2, we take a closer look at the steps that retailers are taking to protect data – and how those steps have been influenced by an increasingly stringent approach by authorities who are today willing to penalise enterprises for a lax privacy and protection approach.