Personal data of thousands of Saks Fifth Avenue customers exposed

Dive Brief:

Saks Fifth Avenue online customers were subjected to privacy vulnerabilities when their personal information, including email, phone numbers and IP addresses were visible via open WiFi networks, Buzzfeed News reported on Sunday.
Saks owner Hudson’s Bay Co., which maintains the retailer’s e-commerce site, took the affected pages offline after Buzzfeed inquired about the issue, which potentially affected tens of thousands of shoppers, according to the report.
Hudson's Bay acknowledged that some customer data was revealed, but it refuted the proportion of the claims, telling Buzzfeed in a prepared statement: “We want to reassure our customers that no credit, payment or password information was ever exposed. The security of our customers is of utmost priority, and we are moving quickly and aggressively to resolve the situation, which is limited to a low single-digit percentage of email addresses. We have resolved any issue related to customer phone numbers, which was an even smaller percent.”

Dive Insight:

While the details and resulting impacts of this particular data breach are still unclear, the vulnerability itself is not uncommon for the industry. Retailers experience the most cyberattacks of any industry sector — three times as many as the previous top target, the financial industry — according to information and communications technology firm NTT Group's 2016 Global Threat Intelligence Report.

NTT Group notes that 22% of all incident response engagements in 2015 originated from the retail vertical market client base, just ahead of the finance vertical (18%), with many attacks against retailers using spear phishing (i.e., email that appears to be from a known individual or business). Some 65% of attacks originated from U.S. IP addresses, up from 49% in 2013 and 56% in 2014, though hackers themselves could be operating anywhere in the world, the report states.

It’s not just hackers, either. Everyone — retailers included — is moving online for more and more tasks and activities. And for retailers, it’s not just the very real matter of boosting their e-commerce and mobile capabilities, but also maintaining security as more consumers use connected devices, the cloud and social media. When shoppers take advantage of free WiFi in places like coffee shops, vulnerabilities like the one found by Buzzfeed take hold.

The repercussions can be catastrophic. According to professional services firm KPMG’s 2016 Consumer Loss Barometer, 19% of U.S. consumers said they would stop shopping at a retailer that had fallen victim to a cybersecurity hack, even if the company took the necessary steps to remedy the issue. Another 33% said concerns over additional exposure of personal information would prevent them from shopping at a breached merchant for at least three months.

Yet many retailers have advanced their cybersecurity efforts only so far, upgrading and fortifying their IT systems to meet payment card industry (PCI) security standards but rarely stretching beyond those minimums. “It only takes one gap, it only takes one hole,” Stephen Boyer, co-founder and CTO of BitSight, told Retail Dive. “You can have a lot of locked doors, but one window’s open and you have a problem.”