Retail Security Threat Season is in Full Swing

As the primary buying season closes, and we move into New Year sales and gift refunds, we can 'relax' and see what types of holiday data breach pop up.

About nine out of ten of us planned to do holiday season shopping -- so, not absolutely everyone was looking to make a purchase. But for us folks who decided to flex our credit cards, about 75% of us are worried about data breaches during this season, according to a Generali Global Assistance survey.

Generali claims those concerns weigh heavy, with nearly 85% of us saying we just won't do business with a retailer who has experienced a data breach in the past. So, we might choose not to snack at SONIC, send a package by UPS, buy a book from Barnes & Noble or save our feet using Uber.

"It's clear that more and more people are disgruntled and uncomfortable with the way businesses look after personal information and that's why the score is so high," Paige Schaffer, president and COO of Generali Global Assistance's Identity and Digital Protection Services Global Unit, told SecurityNow. "And that (sentiment) is not going away."

About 40% of consumers are unconvinced that retailers are doing all they can to solve the problem, and about the same number say they are even doing enough. Given the general confusion at consumer level about what can and can't be done to protect PI, it's surprising the numbers aren't higher, but perhaps it's only a matter of time. Because this is the season where retailers and consumers are, one feels, hunted by hackers like game for the Christmas table.

"There are many reasons why we see increased risk at this time of year. People are spending a ton of money, more than they usually do. And there are more transactions as a result," said Schaffer.

Consumers are generally more hurried and distracted while they make buying decisions. Then, there are people traveling during the holiday season and that increases a physical risk of losing a wallet, purse or mobile device. There are pickpockets, but only 10% of us are worried about them.

Consumers shopping online might be using unsecured public Wi-Fi, and also may be checking their bank accounts at the time. Then, there are bargain hunters who go to online sites that they're not familiar with. People also like to donate, and there are a lot of scammer sites up there with embracing arms.

Multiply all of this against the fact that people tend to spread the load over numerous credit cards, and the archetypal crisp white snow of the holidays melts into dank pools of lukewarm water.

Consumer education

Consumers have in previous years seemingly been less concerned about the data that retailers hold on file, perhaps somewhat unaware of the quantity or quality of the information, or have generally been more comfortable that it was being kept safely. Out of sight, out of mind.

Now, if this year's consumer-facing breaches weren't enough, more education is needed about what is possible and what feasibly could be demanded by consumers to protect themselves.

"The US is ahead of understanding the need for some sort of protection," said Schaffer. "It hasn't seemed as pressing an issue in Europe but now our sister companies are getting requests for it. The reason that Europe might be behind is that it's a different consumer culture.

"The US is a credit-based culture, a large percentage of the population is monitored by one of three credit bureaus - like it or not - whereas Europe is not, and there's not the reliance on credit." According to Schaffer, credit bureaus currently only cover about 10-20% of the population within European countries.

Just before the Equifax breach, Generali went through a fact-finding process, and found that about 60% of consumers recognized they wanted help defending against financial security threats. But about only 35% of them knew where they could find it, or what they needed to do.

"Speculation on my part, but purely because of Equifax, is that folks are less likely to buy (an insurance service directly) from a credit bureau right now," said Schaffer. Generally, the top three outlets for cyber insurance are specific identity insurance agencies, like Generali, or an insurance firm or bank.

The Equifax breach affected both US and European consumers, the US is acting quicker to make amends, but Europe is catching up.

"From a gut standpoint it's clear that after the Equifax breach, we did start to get a number more requests (for coverage) from Europe," said Schaffer. "Typically, it takes Europe a while (to respond) even when they're presented with the information because there's a lot of thinking about it. But, now there's a palpable sense of urgency."

Dark Web coverage

A lot of scams happen in the bright light of the regular WWW. But Generali plans a Dark Web monitoring and alert service shortly, having acknowledged that PI is for sale on underground properties, in order to protect credit card and passport numbers, and medical information.

Participants will - in a qualified way -- be asked to share their details through a Dark Web monitoring portal, which will hold consumer data and be matched by an algorithm against stolen data details.

"We know that there needs to be monitoring on the Dark Web as well," said Schaffer. "It varies from those who are willing to share all of their data to those who will share a little bit to those who will share none. But you've got to be in it to reap the benefits of it. (People should) bear in mind that one of our most treasured assets - the social security number -- is already out there."

— Simon Marshall, Technology Journalist, special to Security Now