Meta description: Data theft is a risk for any eCommerce retailer. Protecting customer means understanding what data you store and how to store it securely.
How To Protect eCommerce Customer Data From Data Thieves
The eCommerce industry oversees hundreds of millions of transactions every day. To fulfill them, retailers need to know a lot about their customers, including names, postal addresses, telephone numbers, email addresses, and more. They also store analytics data, as well as personal purchase histories. In some circumstances, they may store location data And, although most eCommerce businesses do not store credit card numbers, instead using third-party payment processors, some may choose to store those too.
Retailers store all that data because it’s useful and valuable, among the most valuable assets an eCommerce business owns. It plays a vital role in marketing and formulating business strategy. But eCommerce businesses aren’t the only ones who value that data. Online criminals reap substantial rewards from selling personal data or using it for identity theft and fraud. Online retailers can expect to be targeted for data theft and must be alert to the risks and effective mitigation techniques.
In this article, we’re going to talk about some of the ways all that data might be exposed and what retailers can do to protect their businesses and their customers' data.
What and Where?
Dark data is data that a business stores even though it has no idea of its contents. Businesses generate a deluge of data from many sources, and they store it in case it proves valuable. Storage is cheap. But if you don’t understand what is in that data, it poses security and regulatory risks. Businesses aren’t excused from the consequences of data leaks when they claim they didn’t know a dusty server that hadn’t been updated for three years was brimming with the personal details of their customers.
The first step is understanding where data is stored. This might not be as easy as it sounds, given the vast number of storage options. But you can’t protect data that you can’t find. The second step is understanding what is being stored. A thorough audit may be the only way to be sure.
Delete What You Don’t Need
Customer data can’t be stolen from you if you don’t have it. If you aren’t using it for analytics or other purposes, it’s all downside, risk with no reward. Delete data that serves no purpose. In fact, it’s better if you don’t have to delete data in the first place: if you don’t need it, don’t store it. The best approach is to implement policies that state data should only be stored for a clearly expressed reason. Don’t store data just in case it might be useful. Understand why you want data, then collect it, and when you don’t need it anymore, delete it.
Understand Your Storage Platforms
In the last few years, data leaks have made many businesses look technically incompetent. They leaked data not because of a sophisticated hack, but because they forgot to password-protect a database or uploaded sensitive data to an S3 bucket and left it wide open for everyone on the internet to peruse. One of the worst examples is a defense contractor uploading intelligence data to cloud storage without understanding how the access controls worked.
Once you understand which data your eCommerce business stores and where you must verify that it’s stored securely and that everyone with a web browser can’t see it. If your business doesn’t have the technical expertise to store data securely, use a managed service or hire a developer with data security expertise to build a secure system for you.
Watch Out For Supply-Chain Attacks
A supply chain attack involves a criminal targeting popular third-party software, infecting it with malicious code, and waiting for users to install it. The Magecart group has caused headaches for retailers in recent years, and supply chain attacks are their favored technique. Earlier this year, Magecart compromised Shopper Approved, a service used on many retail sites. The Shopper Approved code was then installed on Ticketmaster, Newegg, and British Airways sites, providing a lucrative collection of credit card numbers for the criminals to exploit.
Supply chain attacks are difficult to identify and mitigate: the malicious code comes from a source you already trust. The best solution is to carefully check every piece of code running on your store, but that’s impractical and expensive. You should, however, monitor third-party software for reports of security problems, take care where you get software from, and use the tools the browser provides to defend against malicious code, including Subresource Integrity and Content Security Policies.
Manage Users Securely
We’d all like to think that our employees are honest and wouldn’t do anything to hurt the business. But the reality is that many data leaks are inside jobs. It’s impossible to eliminate the risk of insider threats. You have to trust employees, or nothing would get done. But following a few simple user management policies reduces the risk.
- Give people the least possible access. If an employee is tasked with adding products to your Magento store, they don’t need access to the names and addresses of every customer. Magento includes access control lists that can be used to limit access.
- Delete unused user accounts promptly. When someone leaves the company, delete their user accounts on your store and any data storage systems.
- Give employees their own accounts. A common mistake is to allow everyone in the office to use the same user account. That might be convenient when the intern forgets his password for the fifth time in a week, but it’s terrible for security. When the intern leaves, he still has the password, and changing the password everyone uses is a headache, so it doesn’t get done. If everyone has a user account with appropriate permissions, this problem doesn’t arise.
Data theft is one of the biggest risks retail businesses face. Leaking personal information will damage your business’s reputation and attract the attention of regulators, especially in the GDPR era. Retailers who implement policies that encourage the precautions we’ve discussed in this article are less likely to fall prey to data thieves.
About Graeme Caldwell - Graeme is a writer and content marketer at Nexcess, a global provider of hosting services, who has a knack for making tech-heavy topics interesting and engaging to all readers. His articles have been featured on top publications across the net, TechCrunch to TemplateMonster. For more content, visit the Nexcess blog and give them a follow at @nexcess.