
Posted Date: 11/4/2011

5 Data Security Best Practices to Protect PII

By  Suni Munshani

Retailers have fallen victim to large-scale data breaches in the past — look at TJ Maxx in 2007, when 45 million credit and debit card numbers were stolen from its IT systems. Fast-forward to 2011, and the breaches at Sony and Epsilon have shown that this trend continues to plague the retail industry. What's different is that these recent data breaches illustrate how hackers are increasingly targeting personally identifiable information (PII), such as e-mail addresses, instead of financial information like credit card numbers.
 
Most government and other mandatory industry regulations have focused on the protection of financial data, primarily credit card and bank account numbers, and rightly so. Credit card numbers have become widely used as the central identifier in customer records, and large retail organizations typically store credit card data in every critical business processing system. In the arena of financial data protection, a lot of money is being thrown at the problem, which naturally makes it the number one focus for data security vendors, retailers and payments processors alike. With all the attention on securing payment cards data, the criminal society has started looking elsewhere for lower-hanging fruit, and has found it in the form of e-mail addresses.
 
Cybercriminals armed with PII like e-mail address can sell the information on the black market or move forward with highly lucrative phishing or other scams on their own. Phishing is the fastest-growing tactic used by cybercriminals to extract valuable data, since bank and credit card information has become so much harder to get directly. Phishing is popular among cybercriminals because it focuses on the weakest link in any security chain: people. People naturally trust names and information that are familiar and expected, so they fall victim relatively easily to these scams.
 
How big is this market? According to analyst firm Frost and Sullivan, the global black market for e-mail addresses and national ID numbers is now worth about $5 billion.
 
Do I have your attention now?
 
Let's take a look at Epsilon, the largest distributor of permission-based e-mail in the world. In the case of their breach, the thieves acquired the kind of information needed to launch sophisticated phishing schemes — the e-mail addresses and first names of people who had opted in to receive information from specific organizations including retailers like Target, Best Buy and Walgreens. So when users receive nicely-formatted e-mails that are not only personalized but come from a site they are registered with, there's a good chance they'll click links and answer questions they might not have otherwise done had the request arrived from an unfamiliar source.
 
Here are a few data security best practices that retailers can implement to protect PII and mitigate the risk of brand and financial damage resulting from an Epsilon-like data breach:
 
1. Treat PII data as if it were financial information. Since there are few, if any, available guidelines on the protection of PII data, look to more established regulations for guidance. By protecting PII as you would financial information, you will ensure that you have the best security measures in place to mitigate the next breach. Organizations can refer to publicly available guidelines, such as the Payment Card Industry Data Security Standard 2.0 (PCI DSS 2.0), to establish an internal PII data security policy that is run by the corporate security office.
 
2. Protect the actual data and know where it's going. Most companies have focused their data protection strategies on protecting the perimeter where the data is stored, rather than protecting the actual data. Start with an internal data classification audit that walks through data flow for your internal business processes, as well as all external processes with third party vendors, to identify all potentially sensitive data. It's important to remember that if you outsource your database hosting duties, it doesn't mean you outsource your liability in the event of a data breach — just ask all of the organizations affected by the Epsilon breach.
 
3. Apply appropriate protective measures to your PII. While Epsilon did not disclose the type of data security solution it was using when its servers were breached, the company reportedly was not using encryption. Organizations need to actively monitor emerging data security solutions because it's clear that older technologies such as monitoring and access control are no longer sufficient. At a minimum, security firms including industry leader Securosis are confirming that tokenization provides the strongest and most cost-effective data security available today.
 
4. Audit your data flow, including outsourced partners and vendors with access to customer data. Once you understand your data flow and have classified the data, you need to ensure that any vendors with access to the data comply with your standards for data security. At a minimum, you need to know what type of security solution your third party provider is using for data transit and data at rest, and when and how frequently it is audited.
 
5. Ensure separation of church and state. Creating a separation of duties between the corporate security office and the database administrator will ensure that no single individual or group controls access to information in the database without oversight of the Chief Security Officer (CSO), mitigating the chance of a WikiLeaks-style data breach.
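To make practice 3 concrete, here is an added illustration (not code from the author or from Protegrity) of what tokenizing e-mail addresses looks like: a small in-memory token vault, a customer table that stores only tokens, and a check that an exported table carries no addresses. The vault class, the customer records and the `tok_` prefix are all constructed for this example.

```python
import secrets


class TokenVault:
    """Maps random tokens to the PII they replace.

    Only the vault holds real values; every other system stores the token,
    so a breach of a business database yields tokens, not addresses.
    """

    def __init__(self):
        self._by_value = {}   # PII value -> token
        self._by_token = {}   # token -> PII value

    def tokenize(self, value: str) -> str:
        # Reuse an existing token so the same address maps to the same
        # token everywhere (joins across systems keep working).
        token = self._by_value.get(value)
        if token is None:
            # Random token: not derived from the value, so it cannot be
            # reversed without access to the vault.
            token = "tok_" + secrets.token_hex(16)
            self._by_value[value] = token
            self._by_token[token] = value
        return token

    def detokenize(self, token: str) -> str:
        # Only the vault (behind its own access control) can do this.
        return self._by_token[token]


def build_customer_table(vault, customers):
    # Business-facing table: first name plus token, never the e-mail itself.
    return [{"first_name": name, "email_token": vault.tokenize(email)}
            for name, email in customers]


def contains_email(rows, field):
    # Audit check for an exported table: any raw e-mail address left behind?
    return any("@" in row[field] for row in rows)


# Constructed sample customers (the repeated address shows token reuse).
CUSTOMERS = [("Ann", "ann@example.com"),
             ("Bob", "bob@example.org"),
             ("Ann", "ann@example.com")]
```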
 
Suni Munshani is CEO of Protegrity.
