Articles and News
Yes! Independent Jewelers Are Vulnerable To Customer Data Breaches
September 17, 2014
New York, NY—Massive data breaches on the scale of what happened to Target, Neiman Marcus, Home Depot, and other major retailers make national headlines, but any retailer—including independent jewelers—is vulnerable to having customer data stolen.
Last week, six employees of Saks Fifth Avenue’s flagship Manhattan location were arrested for using customers’ stolen credit card data to buy $400,000 worth of luxury goods between May and September of this year. A Luxury Daily article analyzing the impact of the breach on Saks’ reputation says it’s likely to be minimal because it was small, local, and the thieves were apprehended. Only 22 customers were affected; they were notified immediately and their accounts restored, says the report. But the breach came from an internal employee who stole the customers’ personal information from the store’s computers.
Gustavo Gomez, director of research and methodology at Envirosell, a retail analysis firm in New York, says the incident serves as a wake-up call to Saks and other retailers.
“Security must be top and center of your retail operations. It is not only a legal issue but one that can jeopardize years of building brand trust,” he told Luxury Daily. Losing brand trust is hard enough for a major national retailer, but for an independent retailer, it can be devastating.
The Centurion Newsletter interviewed Gomez about the steps an independent retailer, without the resources of a large department store, can take to protect against data theft.
The Centurion Newsletter: What is the single most important step an independent luxury retailer can take to prevent a data breach of customer information?
Gustavo Gomez: Security isn't about taking a single important step, but a series of steps that create safeguards. User education is one of the most important issues that need to be communicated up and down the organization. Every employee needs to know about security and be responsible for the implementation of security protocols.
Centurion: Are data breaches more likely to occur in a luxury store than a non-luxury store? Are thieves more interested in the credit card numbers of higher-income consumers who presumably have higher credit limits?
Gomez: I've not seen data that suggest that luxury retailers are targeted more often than non-luxury stores. The big breaches have been at Target, TJMaxx, Michaels, and, most recently, Home Depot. These breaches are about obtaining the most card numbers as possible, which is why the chains with many locations and large traffic are the ones that are most often targeted.
[But] high-income consumers will be a higher-value target. High-income consumers tend to have more credit opportunities and more information out in the world. That makes them a prime target.
Centurion: In an independent retail store, is a data breach more likely to be an internal employee or an external hacker?
Gomez: The trend seems to be towards bigger retailers since they process a lot more credit cards and provide a treasure for hackers. That being said, small chains and individual stores have been victims of breaches. Independent retail stores have to be as vigilant—if not more vigilant—than the big retailers since they may not have the resources to deal with the security and PR after the fact.
Centurion: Given the merchandise they handle, jewelers typically vet employees for security before hiring. Is there anything different that needs to be done to vet them for data fraud?
Gomez: Any employee that has access to credit card or customer data should be vetted the same way as an employee that will handle cash. If you don't trust an employee with your cash [or your merchandise], don't trust the person with your customers’ data.
Centurion: What can a luxury jeweler do in conjunction with a third-party credit processing service to cut down on potential breaches?
Gomez: Five steps include:
- Follow the standard security protocols established by the credit card processing service.
- Invest in the latest credit card reading technology
- Never keep more information from your customers than you need. That includes social security numbers, dates of birth, PIN numbers, and security codes.
- Safely destroy all receipts and any documents with personal information.
- Monitor credit card sales as you would your cash sales. Look for any suspicious or atypical activity.
Centurion: If a breach occurs, what is the first step a jeweler should do? And how do they go about preserving their reputation with customers?
Gomez: First, stop the breach. Second, set a plan to fix the exposure and implement it ASAP. At the same time, inform the customers that were affected with an honest assessment of the situation and how you plan to fix it. [Next], assess if all customers need to be informed and be honest with them about the situation. The brand will take a trust hit, but if honesty comes through in your communication, then trust can be rebuilt.
Centurion: What are some warning signs a jeweler might see that indicate a breach has occurred or that an employee might be involved in a fraud scam?
Gomez: Monitor all invoices, credit card statements, and any logs provided by credit card processing companies for unusual activity. All this information has to be treated as you would treat your cash. Don't wait for the accountant to come in to reconcile these statements—you wouldn't pile the cash in a box until the accountant's visit. Any unusual activity has to be investigated [right away].
Every employee must have individual login and passwords. Monitor activity across the system for an unusual number of logins or logins at odd hours. Many software systems generate these reports and send email to notify you of unusual activity.
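The login monitoring Gomez describes (individual accounts, then watching for logins at odd hours or in unusual numbers) can be run over a point-of-sale system's own login log. The script below is an added example and is not part of the interview or of any product Gomez mentions: the log format, the sample lines, the store hours (8:00 to 20:00), and the per-day thresholds are all assumptions chosen for illustration. It flags three things: successful logins outside store hours, a burst of failed logins for one account in a day (someone guessing a colleague's password), and more successful logins for one account in a day than the threshold allows.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample login log lines (not from the article). Assumed format:
# "<ISO timestamp> user=<name> event=login result=<ok|fail> terminal=<id>"
SAMPLE_LOG = """\
2014-09-10T09:02:11 user=anna event=login result=ok terminal=POS1
2014-09-10T09:05:40 user=ben event=login result=ok terminal=POS2
2014-09-10T12:30:02 user=anna event=login result=ok terminal=POS1
2014-09-10T17:45:09 user=ben event=login result=ok terminal=POS2
2014-09-10T23:58:31 user=ben event=login result=ok terminal=BACKOFFICE
2014-09-11T02:14:05 user=ben event=login result=ok terminal=BACKOFFICE
2014-09-11T08:59:50 user=carl event=login result=fail terminal=POS3
2014-09-11T09:00:12 user=carl event=login result=fail terminal=POS3
2014-09-11T09:00:30 user=carl event=login result=fail terminal=POS3
2014-09-11T09:00:55 user=carl event=login result=fail terminal=POS3
2014-09-11T09:01:20 user=carl event=login result=fail terminal=POS3
2014-09-11T09:01:44 user=carl event=login result=fail terminal=POS3
2014-09-11T09:02:03 user=carl event=login result=ok terminal=POS3
2014-09-11T10:15:00 user=anna event=login result=ok terminal=POS1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=login "
    r"result=(?P<result>ok|fail) terminal=(?P<terminal>\S+)$"
)

# Assumed policy: store is open 08:00-20:00; anything outside is an "odd hour".
OPEN_HOUR, CLOSE_HOUR = 8, 20
MAX_FAILS_PER_DAY = 5     # assumed threshold for failed logins per account per day
MAX_LOGINS_PER_DAY = 2    # assumed threshold for successful logins per account per day


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "result": m["result"],
            "terminal": m["terminal"],
        })
    return events


def find_anomalies(events):
    """Return a list of (kind, user, when) alerts for the three checks described above."""
    alerts = []

    # 1. Successful logins outside store hours.
    for e in events:
        if e["result"] == "ok" and not (OPEN_HOUR <= e["ts"].hour < CLOSE_HOUR):
            alerts.append(("odd_hour", e["user"], e["ts"].isoformat()))

    # 2 and 3. Count failures and successes per (user, day).
    fails, oks = Counter(), Counter()
    for e in events:
        key = (e["user"], e["ts"].date().isoformat())
        if e["result"] == "fail":
            fails[key] += 1
        else:
            oks[key] += 1

    for (user, day), n in sorted(fails.items()):
        if n >= MAX_FAILS_PER_DAY:
            alerts.append(("many_failures", user, day))
    for (user, day), n in sorted(oks.items()):
        if n > MAX_LOGINS_PER_DAY:
            alerts.append(("many_logins", user, day))
    return alerts


if __name__ == "__main__":
    for kind, user, when in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{kind:15} user={user:6} {when}")
```

On the constructed sample this reports ben's two back-office logins near midnight, carl's six failed attempts in a row on the morning of the 11th, and ben's third login on the 10th. The thresholds are deliberately low so the sample triggers; a real store would set them from a few weeks of normal activity and review every alert the same day, in line with Gomez's point that unusual activity has to be investigated right away.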
Centurion: Do you have any additional advice?
Gomez: As we have learned from the breaches at major retailers, some of them knew there was a problem but took way too much time to fix it. They took a risk and lost. Independent retailers need to follow common sense:
- Individual usernames/passwords for employees
- Don't keep unnecessary data
- Monitor activity
- Install computer and software updates in a timely manner
- Change default usernames and passwords for software systems
- Empower employees with security knowledge
- Have confidential policies for reporting suspicious behavior.
It is better to fix it now and spend a little cash than to fix it later and spend more cash and reduce business.