This is page 2 of:
Facebook’s 6-Million-User Breach A Frightening Reminder To Retailers About Data-Sharing Partner Risks
Facebook said it disabled the DYI tool, fixed the hole and reactivated the system the next day. In the interim, though, things got messy.
“We’ve concluded that approximately 6 million Facebook users had E-mail addresses or telephone numbers shared. There were other E-mail addresses or telephone numbers included in the downloads, but they were not connected to any Facebook users or even names of individuals. For almost all of the E-mail addresses or telephone numbers impacted, each individual E-mail address or telephone number was only included in a download once or twice,” Facebook’s statement said. “This means, in almost all cases, an E-mail address or telephone number was only exposed to one person. Additionally, no other types of personal or financial information were included and only people on Facebook – not developers or advertisers – have access to the DYI tool. We currently have no evidence that this bug has been exploited maliciously and we have not received complaints from users or seen anomalous behavior on the tool or site to suggest wrongdoing. Although the practical impact of this bug is likely to be minimal since any E-mail address or phone number that was shared was shared with people who already had some of that contact information anyway, or who had some connection to one another, it’s still something we’re upset and embarrassed by.”
That’s the problem with the ultra-connected world of social media, especially with companies—many of whom have much less sophisticated security mechanisms than Facebook—trying to come up with new and experimental ways to get people to give more information, to be used in as many creative ways as possible.
The real problem is that retailers will be blamed (with one exception) even if the breach was entirely not the chain’s fault, nor was it even something the chain could have known about.
The exception would be for those very rare instances where the breached party has stronger name recognition—and was prominently flagged to the shoppers from the beginning of the program—than the retailer. A breach with a Facebook, Google, Visa or PayPal may–just may—get some of the blame for their mishap.
Typically, though, the shopper will see it as having given their information to Walgreens or Target or Macy’s and that’s where the blame will fall. Will those shoppers stop buying stuff from that chain? If historic consumer shopping patterns hold, absolutely not. But there is a very strong chance that those shoppers willstart holding back data and cooperating less in CRM campaigns.
Ultimately, that could cost retailers a lot more money—and opportunity—than anything else.
What’s a retailer to do? Beyond the contractual commitments from partners to adhere to various security requirements sent by the chain, periodic on-site inspections and other audits—albeit unseemly, awkward, time-consuming and expensive—is something to be seriously considered.
First, if you find something, you can both fix it and penalize the partner. But much better is the second reason: the fact that you’ll be routinely—and with unannounced frequency—doing inspections will be enough to make the data-partner take your rules seriously.
Heck, if you’re going to be blamed for the breach, you might as well as get deeply involved in the process.
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
