As I was starting to write this blog, yet another retail program data breach occurred, for Marriott’s Starwood loyalty program. In this case, it looks as though the attackers had been on the Starwood network for somewhere around three years, mining out their reservations database (keep in mind that Marriott only acquired Starwood in 2016). Since in Tech we often travel “for a living”, I found in my bag an older Starwood preferred guest card. Not used in years. But it looks like my own personal data has been breached – again.
What I’d originally planned to write about was a topic that directly applies – why retailers of all stripes are not investing in data security. We had some results this year from the 100+ US retail IT security professionals that were surveyed for the 2018 Thales Data Threat Report that differed from every other segment we polled (healthcare, federal government, financial services). To make a long story short – the top reason that they didn’t invest in data security was “lack of perceived need” at 52%.
In other segments there were lots of legacy concerns that don’t apply to modern data security solutions (like those from Thales). These include concerns about complexity, possible impacts on performance, lack of resources to manage, and lack of budget (if it’s complex, and takes lots of resources, then sure it’s probably expensive). I’ve noted those as “legacy” concerns as modern data security solutions can be much less complex than in the past (take a look at our Vormetric Transparent Encryption solution, which offers strong protection with minimal impacts on applications, operations and systems). They typically use hardware encryption built into today’s CPUs for minimal overhead and are available on platforms so that resource loadings are minimal even as you add more solutions to secure data in new applications and environments as your needs grow.
But none of these reasons rose to the top in retail. “Lack of perceived need” was the number one reason they didn’t deploy.
This “lack of perceived need” response comes against a backdrop of lamentable results around breaches for retail also highlighted in the results: 75% had a data breach (ever), 50% had a data breach in the last year, and 26% had a breach both this year and in the past (half of those breached this year!).
This had me asking a simple question – Why?
- Doing the math perhaps? Has someone been doing the math, and decided it was cheaper to take the hit of a nearly certain data breach rather than reduce their attack surfaces and increase their vigilance on internal data stores and networks, as well as cloud-based environments? Are they just convinced it won’t happen on their watch (also referred to as “visiting de Nile” at my house)? It’s true that prices for basic remediation (offering customers a year or two of free credit reporting) seem to be falling. Since that plus notifications are the only consequences in most cases, it is certainly a possibility.
- Not worried about customer churn? Is it that too many retailers have looked around at other retailers with recent breaches, and noticed no shortage of customers? When the Target and Home Depot breaches happened there was a sizeable hit for several quarters if I recall the financial results – perhaps that’s no longer a the case.
Whatever the reason, it’s an appalling attitude.
Which brings us back to our title: “Retail loyalty programs – it’s time to think twice”. Are you really going to allow an organization to put an app on your phone, and a backend big data analytics set or database with lots of personal information about your preferences, personal history, addresses, credit/debit cards and more when they won’t take seriously the protection of your information? My answer is “No”.
As a result I’ve become picky. Retailers need to pretend that I’m from Missouri and “show me” they are serious about data security before I’m ready to let them that far into my life.
You should consider it too.
It’s just a waiting game. Once enough of your personal information has been breached, it’s only a matter of time before someone decides your name and identity are ideal next targets. That makes a cavalier attitude about data security much less forgivable.
For more information about optimal data security solutions for retailers, please visit Thales eSecurity’s dedicated landing page.