The real costs of eCommerce data breaches, espionage, and security mismanagement

eCommerce
May 13, 2021

This blog was first published on the BigCommerce website.

From leaked trade secrets to disclosed customer addresses, a data breach can quickly transform into a crisis.

Within the past decade, cyber-attacks happen more often than companies would like.

In 2013, retail giant Target had more than 110 million of its customers' credit cards and contact information compromised. This breach led to the resignation of its chief executive officer (CEO) and chief information officer the following year.

In another data breach incident, Adobe reported that attackers accessed the IDs and encrypted passwords for 38 million of its active users. An investigation also found that hackers stole the source code for several of its products, including Photoshop.

And in yet another data breach incident, Verizon had 53,000 incidents and 2,216 confirmed data breaches resulting in more than 43,000 successful accesses via stolen credentials in 2018.

Data breaches can endanger an eCommerce business in multiple ways.

  1. There are the financial costs of hiring security specialists and engineers to seal the breach.
  2. With consumer trust in jeopardy, customers may decide to flee to a competitive alternative.
  3. A breach also brings unfavorable press coverage, damaging a company's brand reputation.

To minimize the cost of a data breach, businesses must invest in infrastructure that protects its data.

The Data at Risk

Some of the most important transactions happen online. And while a more connected world makes business easier, it also poses a greater risk of proprietary and consumer data theft.

From 2015 to 2017, the most active attack groups compromised an average of 42 organizations.

The motivation behind each data breach varies, but research shows that intelligence gathering influences 90% of attack groups.

Hackers Can Use Stolen Information to Interfere with Business Operations.

Hackers may take down websites and start disinformation campaigns against companies.

It's common for hackers to sell internal business plans, forecasts, and market analyses to competitors, too.

Hackers Might Steal Data for The Purpose of Extortion.

Hackers feed on an organization's fear of losing valuable data forever. However, there are no guarantees when giving into an attack group's demands.

Despite 45% of American companies paying their hackers during a ransomware attack, only 26% of those businesses had their files unlocked.

Consumer Data Is a Primary Target During Data Breaches.

Hackers steal personally identifiable information, like names, addresses, phone numbers, and Social Security numbers to commit identity theft.

Attack groups also steal less common information, such as customers' favorite sports teams, pet names, dream vacation spots, and places of birth to gain access to financial accounts.

In 2017, identity theft accounted for 69% of all data breach incidents, followed by financial access (16%). Furthermore, malicious outsiders were the leading source of data breaches, resulting in 1,269 incidents.

Hackers Leverage This Information for Financial Gain on The Dark Web.

On an eBay-like marketplace, they post listings of the stolen data and sell it to the highest bidder.

Listings can range in price from less than $1 to about $450.

Twenty dollars is the average price for someone's identity.

The same stolen information has been known to be sold many times to different bad actors.

Data breaches give hackers free reign to harm eCommerce businesses and their customers.

Data security is a must-have for companies concerned with protecting their data.

The Costs of a Data Breach

Companies are responsible for collecting, storing, and transmitting private information from consumers. Therefore, they bear the burden of the consequences during a breach.

In the wake of recent data breaches, senior executives are observing the need to increase their security standards. Today's hacker is using sophisticated techniques to exploit company data.

The Magento Core malware attack hijacked 50 to 60 new stores per day in two weeks.

This card skimming operation compromised 7,339 Magento-based online stores, allowing the attackers to swipe payment card information as it was being entered by customers.

Data breaches result in more than financial costs—stock declines and litigation fees.

A breach also means a decrease in consumer trustworthiness and a negative reputation in the news cycle.

With so much at stake, eCommerce businesses must heed the warning and take action to secure their data.

Financial Impact

The financial impact of data breaches continues to grow as new ones emerge.

While the initial costs include fixing the breach, other expenses like litigation affect how much money eCommerce businesses must devote to breaches in their budgets.

Juniper Research estimates that the cost of data breaches will increase to $2.1 trillion globally by 2019. And as more business infrastructure gets connected, the average cost of a data breach will exceed $150 million by 2020.

The financial health of an eCommerce business is at risk.

A Centrify report found a direct correlation between a data breach and stock decline. In the study, a company's share price index declines soon after a material data breach event becomes public knowledge.

It also takes about 45 days following the event for the index value to reach full recovery.

With consumer data being compromised, data breaches have sparked class-action lawsuits and government regulation.

Target paid an $18.5 million multistate settlement to resolve state investigations of a 2013 cyber attack.

The retailer had to provide consumers with free credit monitoring services and agreed to pay up to $10,000 to consumers with evidence they suffered losses from the data breach.

There's a consistent relationship between the cost and size of the data breach, too.

An IBM study revealed that the more records lost, the higher the cost of the data breach. For 2018, the cost ranged from $2.1 million for incidents with less than 10,000 compromised records to $5.7 million for incidents with more than 50,000 compromised records.

The faster a data breach is identified and contained, the lower the costs.

The report also uncovered that the meantime to identify a breach was 197 days, and the meantime to contain was 69 days. In addition, companies that identified a breach in less than 100 days saved more than $1 million as compared to those that took more than 100 days.

The financial fallout from a breach differs for each eCommerce business. How leadership handles the situation can determine the extent of the costs.

Consumer Trust Impact

Trust plays an integral role in whether consumers make purchases from a specific business. Data breaches become a roadblock in this relationship-building journey.

Consumers share sensitive data with businesses frequently. They add personal details into their store accounts and enter credit card information at checkout. Consumers maintain high expectations for businesses to secure their data.

As a result, when a data breach occurs, consumers tend to second guess the amount of trust they have placed in a business.

That lack of trust increases when companies mishandle the breach—providing no transparency or communicating poorly about the incident.

According to a Syncsort white paper, customers with compromised credit card data because of a data breach become reluctant to do business with the same company. The severance of the relationship means a potential loss of customer lifetime value for the eCommerce business.

This hesitation derives from the aftermath that directly affects the consumer.

A data breach leads to several unwanted consequences for the consumer.

They may have to deal with identity theft, temporary account cancellations, and fraudulent credit card activity.

Based on a consumer sentiment report, stress had the biggest impact on consumers after a data breach. Time spent resolving problems caused by the incident follows their constant anxiety.

Though devastating, a data breach creates an opportunity to earn a customer's trust again.

What matters most is how eCommerce businesses contain and communicate the breach. With the right infrastructure in place, data security can exceed consumers' expectations.

Brand Reputation Impact

Brand reputation is a valuable asset that companies spend millions of dollars and countless hours building. With a single data breach, that prestige can tumble into ruins.

A data breach is one of the top three negative effects on brand reputation. Both information technology (IT) security professionals and chief marketing officers (CMO) believe a data breach can have a negative impact on brand reputation, even outranking the potential impact of a scandal involving the CEO.

While news stations announce the latest breach daily to consumers, the impact still wreaks havoc on brands.

Breaches damage integrity and put a brand's business practices into question. It takes millions of dollars coupled with several months to restore the brand's reputation to what it once was.

In 2014, Sony experienced a data breach, leaking employee Social Security numbers, sensitive movie contracts, and conflict among top executives. The breach weakened consumers' trust and jeopardized sales of the brand's products.

Specifically, the damage threatened the launch of Sony's promising Internet TV service. A customer loyalty survey also showed the company had fallen to eighth place from the third spot.

The greatest loss for Sony was in the most important loyalty driver—brand reputation and reliability. That means primarily reliability about the product, but also about the brand's reliability.

Robert Passikoff, Founder of Brand Keys Inc. explains the significance of the Sony breach

 

This is a wake-up call for eCommerce businesses assuming they can easily rebound from a data breach.

Breaches must continue to be a company-wide initiative inviting input from all departments. IT and marketing professionals also need the full support of the C-suite to combat them.

It's important for companies to emphasize security as a major part of their brand story. With the implementation of the most up-to-date security measures, eCommerce businesses can fare well with investors and consumers.

Data Security

Ecommerce businesses can mitigate the aftermath of a data breach by proactively implementing security standards. Effective protection against security threats includes multi-layered defenses.

Many eCommerce businesses rely on vendors to support hosting, data storage, point of sale maintenance, and payment processing needs.

These third-party providers add complexity to the data security strategy, though they play a pivotal role in mitigating risks.

Businesses should vet all providers for compliance and security before agreeing to use their services. To effectively protect data, vendors must:

  1. Employ data redundancy.
  2. Adhere to the Payment Card Industry Data Security Standard (PCI DSS) 3.2 protocols.
  3. Maintain a comprehensive Distributed Denial of Service (DDOS) mitigation plan.

These prerequisites aim to improve how an organization safeguards internal and customer data, in return reducing churn and the costs of the breach.

The risks of data breaches will continue to increase. For companies to defend their sensitive data, they need to take a collaborative approach to data security with their vendors.

Data Redundancy

Ecommerce businesses need data redundancy to minimize disruption in their operations. With website hosting services, full redundancy is a critical factor to withstand data breaches.

During breaches, hackers can deny teams access to their data. They can shut down websites and take control of data for extended periods of time.

This outcome can cause serious problems and interrupt business services—leading to a decrease in revenue.

Data redundancy works to secure data.

Developers consider it acceptable to store data in multiple places.

The key is to have a central, master field or space for data. That way, teams can update all their data accurately from one central access point.

Redundancy is more than just data storage.

It focuses on the ability to provide a continuity of service, no matter when a data breach happens.

According to the National Archives and Records Administration, 93% of all companies that lose access to their data center for 10 days or more ultimately go bankrupt within one year.

According to the National Archives and Records Administration, 93% of all companies that lose access to their data center for 10 days or more ultimately go bankrupt within one year.

The importance of data redundancy cannot be stated enough, especially in today's technology-oriented business environment. When you include data redundancy in your contingency plan, you are protecting your business in the long term and setting a base on which it can grow while keeping risks low. Considering the costs of downtime, the costs of implementing redundancy are minimal.

Paul Cook, a contributing writer at Empresa-journal, explains why data redundancy matters

 

For eCommerce businesses, data redundancy is not optional. It's an essential element all hosting providers should offer.

PCI Compliance

Many eCommerce security issues arise from hackers gaining access to credit card information. To combat this challenge, businesses must ensure their web hosting complies with PCI standards.

PCI compliance governs the minimum requirements for securing customers' payment data. The guidelines include maintaining a firewall, protecting any stored cardholder data, restricting access to data, and regularly testing security processes.

Compliance also ensures that an incident response plan exists in the event of a breach.

Retailer Macy's experienced a data breach affecting its online customers who became victims of data theft, including their credit card numbers. The company blocked user profiles with suspicious login activity and requested customers change their passwords immediately.

Failing to comply makes businesses vulnerable to cyberattacks.

In 2011, 96% of the merchants experiencing a data breach had not adhered to PCI.

Although PCI is not a law, banks do penalize non-compliant merchants.

Fines can range anywhere from $5,000 to $100,000 every month until a resolution is found.

Technology is developing so fast that there is a growing number of fraud activities…That's why every merchant or payment service provider with card payment solutions must be PCI compliant. Doing business should be based on trust (between merchants and customers) and PCI compliance helps improve the level of security.

SANDRA WRÓBEL-KONIOR OF SECURIONPAY EMPHASIZES THE IMPORTANCE OF PCI COMPLIANCE

 

Achieving PCI compliance is a resource-intensive and costly endeavor for most businesses.

Using a hosted ecommerce solution enables companies to save resources on compliance activities.

With minimal effort from the online retailer, the PCI experts at the service provider can manage compliance.

It's also prudent to ask hosted eCommerce platforms how they train their employees to handle data security. Their staff should undergo annual training to remain knowledgeable about the latest standards.

PCI compliance decreases the risk of data breaches. Less risk means eCommerce businesses can maintain their brand reputation and limit their financial liabilities.

DDoS Mitigation

DDoS attacks are an ongoing threat for eCommerce businesses. Without a mitigation plan, companies make their data susceptible to hackers.

During a DDoS attack, servers get overwhelmed with requests from hundreds or thousands of compromised IP addresses.

A single system can handle only so much CPU processing power and network traffic. Therefore, flooded with too many requests, the servers shut down.

This effect results in significant website and network outages. For an eCommerce store, an attack makes it extremely difficult for customers to shop, if at all.

According to a Kaspersky Lab report, 33% of businesses experienced a DDoS attack in 2017, up from just 17% in 2016.

The organizations hit by DDoS attacks reported a significant decrease in the performance of services and a failure of transactions and processes in affected services.

In 2015, GitHub was the target of a DDoS attack. The hackers seized a distributed memory system to massively amplify the traffic volumes.

This breach resulted in GitHub being offline for five minutes.

Attacks are becoming more challenging to mitigate now than in the past. “Enterprises must be knowledgeable and prepared with mitigation techniques as the attacks continue to evolve,” writes Lawrence Orans, a research vice president at Gartner, Inc.

Without specialized knowledge, DDoS attacks are hard to mitigate. If a business self-hosts with an on-premise web server, they will need help from a third-party DDoS specialist.

Another solution is to invest in a hosted eCommerce platform that offers DDoS protection. Their services should sustain high-bandwidth attacks, reaching hundreds of Gbps.

Website hosting providers also should have a low time-to-mitigate record; the shorter the delay, the more likely the attack is to fail.

In addition, it's vital that businesses are transparent with their customers during a DDoS attack. Disclosing the latest updates reassures customers and maintains consumer trust.

The complexity of DDoS attacks will mature over time. To resist attacks, eCommerce businesses should adopt a comprehensive DDoS mitigation plan.

Conclusion

Data breaches are shaping how eCommerce businesses protect their data.

Threatened by the potential risks, senior leaders acknowledge the need for immediate action and the review of their security measures.

The impact of a data breach expands beyond the theft of internal records into privacy concerns for consumer data.

The large financial costs and negative public sentiment also trail businesses after a data crisis strikes.

When possible, build your site on a great SaaS platform like BigCommerce so you don't have to stress about security issues. If you must build on open source, find the best possible host and a very conscientious agency partner who is quick to respond to issues.

GENE FERRITER, THE SOLUTION SPECIALIST AT THE PLUM TREE GROUP, OFFERS THIS ADVICE FOR AVOIDING COSTLY DATA BREACHES.

 

As data breaches continue to happen, companies must take proactive steps to mitigate the risk for their teams and customers. From data redundancy to DDoS mitigation, eCommerce businesses have opportunities to secure their data.

How can we help you amp up your cyber-security?

Get in touch