Identity theft is the number one crime in America, a crime that claims an average of more than a million new victims every 30 days. Many of those people become victims because businesses leak their customer information, usually by accident, and often through their websites.
A data breach can be a very costly event, and an increasing number of these breaches are happening at smaller firms. If you’re lucky, very lucky, your customers won’t be directly affected. That was the case for the small law firm in Charlotte, North Carolina, that announced in early February that every single legal file it ever possessed – thousands of them – was now useless because of a security breach. It seems that a nasty piece of malware that had managed to get past security encrypted all the documents so that they were no longer accessible.
And while that might affect some of the firm’s clients indirectly, it shouldn’t impact their identities because the information was not actually stolen by the hackers. If personal information is stolen, however, the impact can be severe.
Earlier this month, a firm called Javelin Strategy and Research released its annual Identity Theft Fraud Report. The report is one of the most trusted barometers of the state of identity theft, and not surprisingly the news wasn’t very good.
Here’s just a sample:
- There were an estimated 13.1 million victims of identity theft in 2013, which works out to around one new victim every two seconds.
- While the actual amount of money stolen from victims went down slightly, it was still a massive $18 billion.
- On the other hand, account takeovers went up. In an account takeover, thieves get control of existing accounts, from phone and utility to credit card and bank accounts, and can cause serious damage and inconvenience.
But what was most troubling was that one in three consumers who were notified that their personal information was exposed in a breach in 2013 ended up falling victim to identity theft. That probably means their personal information ended up in the hands of crooks as a result of the failures of businesses of all sizes to protect that information.
And if you assume that because you don’t ask for Social Security Numbers or don’t store credit card numbers you’re off the hook, I have bad news for you. Personal information like a name, an address and especially an email address is of enormous value to crooks of all types. Hackers who get email addresses will often launch phishing attacks, sending out fake emails pretending to be the breached company or a law firm representing a class-action lawsuit. We saw so much of this after the Target breach that Target was warning consumers to ignore all emails and instead go directly to its website for info.
In the Target breach, where an estimated 110 million customer records were exposed, nearly two-thirds of the records included names, addresses and email addresses, and not credit card numbers. So if your business collects or stores any kind of customer information, even just an email address, you have to guard it like it was your child.
So what can you do to minimize the risks?
- If you don’t already have a data protection plan, get one. It’s simply a set of security rules and guidelines to protect sensitive data and it can often be your best security tool.
- Focus on protecting customer information, and especially controlling who has access to it. A simple mistake by a careless or busy employee is all it takes.
- Keep data collection to a minimum. If you don’t need it, don’t ask for it.
- If you collect customer email addresses, perhaps for a newsletter or to follow up on orders or inquiries, make sure that list is locked down tight and the password changed often.
And as usual, make sure your website is not vulnerable to a compromise that could allow hackers to either get at the places you store your information or simply collect it as it passes through your website. Vulnerability scanning will find any weak spots or potential entry points that exist already, and a web application firewall will ensure that your website stays safe for your visitors. To learn how to put these solutions in place, contact SiteLock at 855.378.6200.