
Monday, 03 August 2015 05:00

How Do You Know What To Say?

Written by  Vicki Thomas

If you're an online photo center customer of Walmart, Tesco, CVS, Rite Aid, Costco or Sam's Club, you may have received an email similar to this one:

We were recently informed of a potential compromise of customer credit card data involving Walmart Canada's Photocentre website, walmartphotocentre.ca, which is governed by a third-party. Our customers' privacy is of the utmost importance. We immediately launched an investigation and are contacting our customers who may be impacted. As a Walmart Online Photocentre Customer whose transactions may have been affected, we recommend monitoring card transactions closely and contacting your financial institution about any unauthorized charges. (Excerpted from an email dated July 21, 2015)

Normally I delete such emails. I often receive emails from TD Bank and RBC Bank informing me that my accounts have been compromised, and I don't bank at either of these banks. But this email from Walmart had me thinking twice. I did use their online photo website and, to be honest, at the time I didn't think twice about submitting my credit card details online. In fact, I never think twice about submitting my credit card details online, completing email money transfers, or similar digital transactions. But maybe I should be thinking about this a bit more carefully?

A little bit of research reveals and reminds me that online data breaches such as this one are not rare, in fact they are more common than we like to believe. But of course the risk that my data (or yours) is going to be plucked out is very rare.

Regardless of this, a data breach such as the one experienced by some of the major retailers in Canada, the United States, and Europe is a massive headache and a public relations disaster. Interestingly, there has been very little public outcry about this data breach. Are consumers becoming complacent about such email warnings and suspected breaches? Or did the proactive notification by Walmart and the other companies nullify concerns?

While the news coverage of this data breach has been rather thin, what is interesting is how well these companies are surviving this rather public disaster. In all likelihood it's because the affected companies can all point to one common denominator: PNI Digital Media. PNI Digital Media is a third-party service provider which manages and hosts digital photo sites (PNI Digital Media is owned by Staples).

In all of the news articles I read, there are oblique references to PNI Digital Media that are strong enough to deflect attention away from the affected retailer. So why is there no outcry over PNI Digital Media? Likely because PNI's customers are not you or me; they are big businesses, and the outcry that is occurring is a private one, happening behind closed doors across boardroom tables.

So what of the issues of online security and privacy, the issues that are more than likely top-of-mind at PNI Digital Media and its clients? None of the major news outlets touched on this at all in their coverage of the data breach. The main message was one of calm: no need for front-line customer concern. It was only when reading an article on esecurityplanet.com that deeper concerns were brought up:

In a statement provided to Reuters, Staples vice president of global communications Kirk Saville said, "We take the protection of information very seriously. PNI is investigating a potential credit card data issue, and outside security experts are assisting in the investigation."

IDT911 chairman and founder Adam Levin told eSecurity Planet by email that businesses need to be sure to hire vendors with a clear track record of strong security practices. "When it comes to protecting consumer data, good cyber hygiene must be ingrained in a corporate culture and include everyone from the mailroom to the board," he said. "An organization must demand the same from its partners and vendors."

"A system is only as strong as its weakest link, and in incident after incident vendors are proving to be the weakest link," Levin added.

And Tim Erlin, director of IT security and risk strategy at Tripwire, said several recent breaches have made information security teams aware of the risks of working with third-party service providers. "While outsourcing may provide a reduction in cost to the business, the potential risk has to be part of the overall calculation," he said.

"In these cases, where credit card data has been stolen from a third party vendor, it’s the major brand that hits the headlines," Erlin added. (esecurityplanet.com)

Maybe you run an organization that relies on third-party service providers. Maybe you run a company that offers such services to clients. Maybe you're a front-line customer who is tired of receiving these warning emails.

Are there any clear-cut answers or solutions on how to respond to data breaches, publicly and privately? This is where business continuity gets a bit tricky: how much do you say without raising too many alarms? And if you don't say enough, what alarms will you raise? Is this really a business continuity issue at all? When does it become an incident, disaster or threat: when there is a risk of a data breach, or only when the breach is actually proven?

To read a sampling of the news coverage on this data breach: