The pre-Christmas rush is in full swing. In search of gifts for their loved ones, people are increasingly willing to “storm” online shops.
Christmas is not only the harvest in the retail industry, but also prime time for cybercriminals. It is at this time of year that hacking attacks aimed at stealing or phishing are on the rise. This poses a problem not only for consumers, but also for companies for whom data leaks mean financial losses and damage to their reputation. The post-Christmas period is a perfect time to reflect on how companies can protect themselves against data leaks.
Recent years in e-commerce have been a time of a technological “arms race” for each customer. Today, we are not simply shopping online, but experiencing a personalised shopping experience. This is to make it easier for us to complete our shopping basket and encourage us to return to the site in the future.
An important part of the aforementioned positive shopping experience is building trust in a brand. Part of that trust is ensuring our customers have a safe online shopping experience. We can do this by educating users about hacking threats and by investing in tools and technologies that protect against cyber-attacks.
According to the study “Reliability of online shops” commissioned by ChronPESEL.pl and Rzetelna Firma, one in four respondents has heard of a leak of customers' personal data from a shop they used. On the other hand, 6 percent of online shoppers declared that their data had actually been made available to unauthorised persons. Analysing e-commerce statistics on the number of online shoppers, more than 1.3 million people have had to deal with such a situation.
What should we remind our customers of so that they feel safe during the pre-Christmas shopping frenzy in online shops?
Firstly, let’s draw the attention of our website users to fake e-shops, especially those impersonating other sites. The warning light should go on when the offers on a particular e-store are unrealistically attractive or when the site itself looks suspicious.
Secondly, let us educate our customers about phishing attacks. The pre-Christmas period is a rush of attempts to extract confidential data through emails, phone calls and text messages with information about supposedly unfinished shopping transactions or unpaid courier shipments. Caution customers against clicking on suspicious links sent by email or phone and against giving out personal or confidential information during phone calls. Encourage secure payments based on two-step authentication of transactions.
Educating customers is one thing but keeping them safe on our website is a separate issue. In this age of increased cybercriminal activity, we should be prepared for hacking attacks and their consequences. How? It is worth introducing an early threat detection policy in your company, monitoring the performance and security of your business applications and infrastructure.
At The Codest, we provide continuous monitoring services for the performance as well as the security of IT systems based on the client’s own or cloud-based infrastructure (or both at the same time).
This monitoring service focuses on the performance of the systems in operation in terms of throughput, as well as the quality of integration of connected IT systems. This includes such important aspects in e-commerce as payment gateways, shipping systems and connected CRM and ERP systems.
A crucial element in protecting against data leakage is testing the production environment, i.e., the one available to the end customer, for cyberattack threats. Periodic testing is designed to catch potential vulnerabilities in systems and allow them to be fixed before an incident occurs. Every change and update in the IT area, before it is published, is tested to catch errors.
The service in question is the 24/7 service of the DevOps team, i.e., the programming and operations sections, where both programming and administrative competencies take care of ensuring the performance and security of customers’ business applications.
Prior to the GDPR era, the controller’s obligation to inform about data leaks was optional, regardless of the scale of the threat. Nowadays, if the disclosure of data is likely to cause an elevated risk of infringement of the rights and freedoms of the affected persons, the controller is obliged to inform these persons about the data leak or theft. We must also report this to the Data Protection Authority. Here, however, several questions arise.
Firstly, it is up to the controller to interpret whether a data leakage constitutes a minor incident (about which users do not need to be informed) or already a personal data breach. Secondly, there are several grounds listed in the GDPR under which we do not need to inform users that their data has been leaked.
Many companies are therefore faced with the dilemma of what to do when their customer data has seen the light of day. From The Codest’s perspective, in the vast majority of cases we should inform the customers of such an event. This is what building brand trust is all about.
The milk has spilled. We have fallen victim to a data leak. What should we do next? First of all, we should have an action strategy in place. On the one hand, this must include operational measures, i.e., countermeasures to minimise the effects of the leak. On the other hand, you should maintain transparent, ongoing communication with customers about the leak. This will help you avoid or limit the escalation of a potential image crisis and loss of customer confidence.
According to another survey commissioned by ChronPESEL.pl together with the National Debt Register, people who have fallen victim to a leak expect to be informed as soon as possible that a breach of data protection has occurred and what its extent is (about 60 percent of answers). In addition, respondents want information on what the controller did to avoid similar situations in the future (close to 57 percent), as well as to whom the leaked data could have gone (over 53 percent). The last thing we want is for them to find out about data leaks from the media or their anti-virus software. We need to give them the chance to take care and “protect” their personalities.
What are the golden rules of communication when faced with a data leak? First of all, let’s inform our customers about the incident. Let us show that the situation is under control, that we are consciously managing it. Outline what we are doing to minimise the negative effects of the leak. Finally, explain what measures we plan to implement to prevent a similar situation in the future.
According to the “E-commerce in Poland” report compiled by Gemius, 77 percent of all Internet users already shop online. One in three respondents admit that they do so more often now than before the pandemic. A similar percentage notes that they purchase more products online after the pandemic. The e-commerce market itself is also growing at an extremely fast pace. This translates into more cyber-attacks on the personal data of online users. It is worth thinking about this especially before Christmas, treating an investment in security to protect our user databases as the best practical Christmas present we can give our customers.