Retail reports breaches

by Mark Rowe

The number of retail businesses reporting data breaches to the data protection regulator has doubled in just one year. Such reports to the Information Commissioner’s Office (ICO) went from 19 in 2015/16 to 38 in 2016/17, says City-based law firm RPC.

The firm says that the risks involved in data breaches are increasing in retail, as retailers accumulate more and more personal information on their customers as part of their ‘Big Data’ efforts. The rise of online shopping, loyalty card schemes, digital marketing and electronic receipts offered in store means that even a small multiple retailer will be gathering exactly the kind of data that hackers will be looking for. RPC adds that the retail industry is beginning to feel the pressure to invest more in cyber-security.

The regulatory and financial risks involved in a data breach will increase substantially, the law firm adds, when the General Data Protection Regulation (GDPR) comes into force in May 2018. These rules will make reporting breaches mandatory.

Jeremy Drew, Partner at RPC, says: “Retailers are a goldmine of personal data but their high-profile nature and sometimes aging complex systems make them a popular target for hackers. There are so many competing pressures on a retailer’s costs at the moment – NMW rises, rates increases, exchange rate falls, as well as trying to keep ahead of technology improvements – that a proper overhaul of cyber defences can get pushed onto the back burner.”

RPC points out that, as companies are not required to report every attack they suffer, the actual number of data breaches in the retail sector is likely to be even higher.

Jeremy Drew adds: “As the GDPR threatens a massive increase in fines for companies that fail to deal with data security, we do expect investment to increase both in stopping breaches occurring in the first place and ensuring that if they do happen they are found quickly and contained. No UK retailer wants to be in the position of some public examples who were forced to confirm that it took them nearly a year to close a data security breach.”

Comment

Ryan Wilk, vice president at NuData Security, a security software company, said: “In today’s online, big-data driven economy, retailers have never been privy to so much sensitive customer information. Even things that might seem relatively benign on the surface can be used for malicious purposes, or can be used in social engineering or phishing tactics in order to gain more dangerous information. For this reason, all organisations need to make the protection of customer data a priority, and need to move past the password authentication model and embrace a model that engages with passive biometric solutions, which provide customers’ data with extra layers of protection, without creating any excess customer friction.”

© 2024 Professional Security Magazine. All rights reserved.