Shoppers Face A Growing Risk From Cybercrime And Retailers Must Do More

Every time a shopper uses a credit card, debit card, digital wallet or other non-cash payment method – that’s some 80% of purchases, according to BankRate – they are entrusting retailers with vital personal data and making themselves vulnerable to cybercrime.

News recently broke that a gap in Adobe Commerce and Magento software resulted in the breach of customer data from over 4,000 online merchants – some 5% of their supported online stores. Ray-Ban, National Geographic, Cisco, Whirlpool, and Segway have already been victims of the so-called “CosmicSting” attack.

Other high-profile cyberattacks affecting retailers and putting their customer data at risk include VF Corp and its Timberland, Dickies, The North Face and Vans brands, where 35.5 million customers’ data was stolen; Staples, during its Cyber Week 2023 promotion; and JD Sports, impacting some 10 million customer records.

While these retailers have recovered from the attacks and put new security measures in place, their customer data is still out there, somewhere. And beyond retailers, AT&T recently lost data on 73 million current and former customers, Ticketmaster was breached with 560 million customer records stolen and Dell suffered a breach of 49 million records.

Overall, Verizon’s “2004 Data Breach Investigation Report” analyzed some 30,500 security incidents affecting retail businesses last year with 10,626 resulting in a data breach. And IBM estimates the average data breach costs a business nearly $5 million to recover.

However, the direct cost to consumers from having their personal information stolen is hard to assess, as is their loss of trust in the retailer to continue their customer relationship.

At a time when VF needs all the customer support it can get – first quarter sales were down 9% after falling 10% last year – what previous customer can trust a company that was so sloppy protecting their personal data?

Consumers At Risk

A new survey from Consumer Reports, in association with Aspen Digital and Global Cyber Alliance, begins to quantify the dangers of cybercrime to consumers, but to my mind, it barely scratches the surface.

In the survey among 2,000 adult Americans, nearly half (46%) said they had personally encountered a cyberattack or a digital scam. Of those folks, some 19% report they lost money to a scam.

Or projected across the population, about one in ten Americans have paid a real price to cybercrime.

Email Vulnerability

The largest share of cyberattacks or scams begin through email, reported by 30% of victims, with phishing being how most attacks begin. Phishing is where people are tricked into revealing personal information, downloading a file or clicking a link so that bad actors can access their computer and accounts.

“Despite increased phishing awareness, the high rate of account takeovers indicates that recognition alone isn’t sufficient,” observed Chris Gibson, CEO, Forum of Incident Response and Security Teams (FIRST).

While we may be savvy to such direct phishing attempts, our personal data is still out there on the innumerable accounts held by retailers and other businesses.

“We tell people to close accounts they’re not using, because any account that is open is compromised if that company is hacked,” shared Yael Grauer of Consumer Reports who works on its cybersecurity team.

“Deleting unneeded accounts reduces the surface area of potential attacks, assuming that the company practices good data hygiene.” For that, we have to trust the retailers and other account holders.

Social Media Risk

Social media is a popular place where cybercriminals stalk their prey with 23% of victims surveyed reporting their cyberattack began there. And some 22% of the cybercrime victims said they had a social media account taken over.

The Electronic Privacy Information Center (EPIC) warns that since social media platforms make their money selling personal data about people’s activities, interests, political views, purchasing habits and online behavior to advertisers, it makes anyone engaged on a platform vulnerable to cybercrime.

“The massive stores of personal data that social media platforms collect and retain are vulnerable to hacking, scraping, and data breaches, particularly if platforms fail to institute critical security measures and access restrictions,” EPIC reports.

“Although social media companies typically publish privacy policies, these policies are wholly inadequate to protect users’ sensitive information,” it continues.

Some More Likely To Be Victimized Than Others

While scammers are equal opportunity criminals, a statistical analysis of the survey results revealed that ethnically diverse Americans were more likely to have lost money to a digital attack.

Among those victims, some 33% of Black Americans and 30% of Hispanic Americans lost money to a digital attack compared with 13% of White Americans.

Consumer Reports’ Grauer said they were surprised by these results, so they asked Carla Sanchez-Adams, a senior attorney at the National Consumer Law Center, to look into it.

She found that White consumers are more likely to use credit cards to conduct transactions, which provide more legal protection against fraud. On the other hand, Black and Latino consumers conducted more transactions using cryptocurrency or money orders, which provide little fraud protection.

“Rates of being unbanked and underbanked are much higher in Black and Latino households, which, as a result, often won’t have access to some of the safer payment methods,” she reported.

Regardless, Consumer Reports said the statistical difference between ethnic groups warrants further investigation.

“The disparities are so substantial that we’re calling for more research to understand why Black and Latino Americans are so much more likely to lose money from digital attacks or scams. Everyone should have the opportunity to be safe on the internet.”

We Don’t Know What We Don’t Know

Unfortunately the Consumer Reports survey stopped short of asking how much money people lost through cybercrime.

However, the Federal Bureau of Investigation puts the losses to individuals at $8.2 billion in 2023 based upon some 420,000 personal complaints received, as opposed to business losses.

This data comes from the FBI’s “Elder Fraud Report” on page 6, which includes cybercrime reports from victims of all ages, though such crimes against the elderly are the focus of the report. It details complaints from over 100,000 individuals over 60, totaling $3.4 billion lost.

However, while the elderly may be more prone to cybercrime, everyone is at risk. Those over 60 account for some 40% of personal cybercrime losses but less than 25% of complaints, leaving the vast majority of FBI complaints from younger people who account for about 60% of total personal losses; I did the math.

This may reflect a self-selecting sample where older folks are more willing to report such a crime. What digitally-native 20-29-year-old – from whom the FBI received 62,000 complaints last year totaling $361 million lost – wants to admit they’ve been scammed?

Then how many cybercrimes are ever reported to the FBI? An iceberg analogy comes immediately to mind. The Bureau of Justice Statistics (BJS) found that only 42% of violent crimes and 32% of household property crimes were reported to the police in 2022.

All of which leads me to believe that the FBI has virtually no grasp on the real extent of cybercrime and its cost to people like you or me.

And it is safe to assume that most consumers have little understanding of the real dangers they face every time they power up their computer, use their smartphone or even go to the store and make a purchase.

Not Just A Business Problem

The World Economic Forum puts the cost of cybercrime at a staggering $11.5 trillion globally in 2023, up from $8.4 trillion in 2022, a 36% increase. And it projects cybercrime to reach $23.8 trillion by 2027.

In our increasingly digitized world, it’s hardly hyperbolic to claim cybercrime is an existential threat – existential meaning “relating to existence.”

While we, perhaps naively, may trust businesses and governments to do the right thing, consumers need to be on guard and protect themselves too.

Protect Yourself

October is Cybersecurity Awareness Month, which calls attention to the growing problem and provides suggestions for how people can protect themselves, like using unique passwords on every account, using a password manager to generate hacker-proof passwords, and turning on two-factor authentication for all accounts that offer it.

We also need to be on guard for phishing attempts that can come to our personal and business accounts. Consumer Reports suggests people visit pausetake9.org, which encourages people to take a nine-second pause before they click, download or share a link.

And Consumer Reports offers a free “Security Planner” that provides a 360-degree assessment of one’s vulnerabilities across their devices and provides easy-to-implement steps to correct them.

Businesses Need To Do More

For businesses, the National Retail Federation is taking proactive steps to help retailers protect their and their customers’ data through industry conferences, working groups and collaborations across government agencies and businesses.

And retailers should investigate the added protection that digital passkeys provide their customers, rather than passwords, according to the Global Cyber Alliance. A passkey is a unique cryptographic key paired to a device that is unlocked through a biometric sensor, PIN, or QR code.

For example, Amazon allows users to secure their Amazon account or shopping app via a passkey, which takes personal security to a whole new level beyond a password and two-step verification.

However, the FIDO Alliance, an industry association that advocates for the adoption of passkey authentication with over 250 industry leading members including Amazon, reports that only 20% of the world’s top 100 websites and some 12% of the top 250 support passkeys.

“The good news is that we are seeing some improvement in the adoption rate of improved security mechanisms like passkeys,” said Global Cyber Alliance’s chief business officer Komal Bazaz Smith. “The bad news is that improvement is slow, and not keeping pace with attackers.”

She uses an analogy drawn from the car industry to explain a retailer’s responsibility to protect its customers’ data. The car driver has the responsibility to drive safely, while the car manufacturer has the responsibility to make the car as safe as possible once the driver turns the key.

“The only long-term solution is to remove most of the burden from consumers by providing services and software that are secure by design,” she concluded.
