BreachExchange mailing list archives

Data breach alert: Small retailers are especially vulnerable


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 2 May 2014 13:37:25 -0600

http://www.consumerreports.org/cro/news/2014/05/data-breach-alert-small-retailers-are-especially-vulnerable/index.htm

If you’re more worried about becoming a victim of a data breach at a big
national retail chain than in your local mom-and-pop store, think again.

More than half of the small businesses surveyed by the Ponemon Institute in
2013 had experienced a data breach, while only one third had notified
consumers that their personal information had been exposed. In the early
months of 2014, a number of small retailers suffered data breaches. Some
examples:

- In March, police in Fairmont, Minn., received more than 200 reports of
credit and debit card fraud following the hacking of a computer in the
local El Agave Mexican Restaurant.
- The same month, Uncle Giuseppe’s Marketplace, a small Long Island-based
grocery store chain, announced that its credit card database system at three
stores had been breached by computer hackers outside the U.S., affecting
customers who had shopped there in January and February.
- In April, a local resident in Salem, Ore., discovered 98 employment
applications, loaded with personal information such as social security
numbers and dates of birth, in a dumpster outside a Little Caesars Pizza
store.

The retailers who were hacked weren’t high-profile targets for hackers.
They are typically discovered by cyber thieves’ robots that scan the
Internet night and day for websites with vulnerabilities, according to
Robert Hansen, Vice President of WhiteHat Labs at WhiteHat Security, who
has worked on investigations of breaches for many small businesses. And
such vulnerabilities are all too common.

“Small businesses tend to not patch critical software,” Hansen said. “They
can’t afford the expense of fixing things in the right way.” To a small
business, he adds, security is often more something that gets in the way
than something that gets done.

A 2012 survey of 500 small businesses by The Hartford supports Hansen’s
observation. Eighty-five percent of the business owners surveyed said they
believed a data breach was unlikely and many indicated that they weren’t
implementing even simple security measures to protect their customer data.
For example, only about half said they shredded and securely disposed of
customer, patient, or employee data.

To handle security well, small business owners should update systems and
software regularly, use secure passwords and data encryption, and secure
sensitive data. Most important, according to Hansen, they must learn to
take security more seriously. “If you care, you’ll do the right thing,” he
said.

What you can do

You can’t force a small business to tighten its security. But you can give
its owner a wake-up call by asking for a document showing that the business
has undergone a security assessment by a third party. Most probably won’t
be able to provide one, but any business that has done so should.

You can also keep your checking account from being siphoned in the event of
a data breach by shopping with a credit card instead of a debit card. Limit
the personal information you share with any business to just the minimum
required to complete the transaction. And don’t disclose your home address
or telephone number unless absolutely necessary.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 