This is page 2 of:

Facebook’s 6-Million-User Breach A Frightening Reminder To Retailers About Data-Sharing Partner Risks

June 21st, 2013

Facebook said it disabled the DYI tool, fixed the hole and reactivated the system the next day. In the interim, though, things got messy.

“We’ve concluded that approximately 6 million Facebook users had E-mail addresses or telephone numbers shared. There were other E-mail addresses or telephone numbers included in the downloads, but they were not connected to any Facebook users or even names of individuals. For almost all of the E-mail addresses or telephone numbers impacted, each individual E-mail address or telephone number was only included in a download once or twice,” Facebook’s statement said. “This means, in almost all cases, an E-mail address or telephone number was only exposed to one person. Additionally, no other types of personal or financial information were included and only people on Facebook – not developers or advertisers – have access to the DYI tool. We currently have no evidence that this bug has been exploited maliciously and we have not received complaints from users or seen anomalous behavior on the tool or site to suggest wrongdoing. Although the practical impact of this bug is likely to be minimal since any E-mail address or phone number that was shared was shared with people who already had some of that contact information anyway, or who had some connection to one another, it’s still something we’re upset and embarrassed by.”

That’s the problem with the ultra-connected world of social media, especially with companies—many of whom have much less sophisticated security mechanisms than Facebook—trying to come up with new and experimental ways to get people to give more information, to be used in as many creative ways as possible.

The real problem is that retailers will be blamed (with one exception) even when the breach was not the chain’s fault at all, and even when it was something the chain could not have known about.

The exception would be for those very rare instances where the breached party has stronger name recognition than the retailer—and was prominently flagged to the shoppers from the beginning of the program. A breach at a Facebook, Google, Visa or PayPal may, just may, get some of the blame for its own mishap.

Typically, though, the shopper will see it as having given their information to Walgreens or Target or Macy’s, and that’s where the blame will fall. Will those shoppers stop buying stuff from that chain? If historic consumer shopping patterns hold, absolutely not. But there is a very strong chance that those shoppers will start holding back data and cooperating less in CRM campaigns.

Ultimately, that could cost retailers a lot more money—and opportunity—than anything else.

What’s a retailer to do? Beyond the contractual commitments from partners to adhere to the various security requirements set by the chain, periodic on-site inspections and other audits—albeit unseemly, awkward, time-consuming and expensive—are something to be seriously considered, for two reasons.

First, if you find something, you can both fix it and penalize the partner. But much better is the second reason: the fact that you’ll be routinely—and with unannounced frequency—doing inspections will be enough to make the data partner take your rules seriously.

Heck, if you’re going to be blamed for the breach, you might as well get deeply involved in the process.

