HBC and GDPR: Big Letters, Big Data, Big Impact
April 4, 2018

By: Andre Boysen, CIO, SecureKey

Another day, another data breach.

Sunday’s revelation of the most recent data breach at Hudson’s Bay Company subsidiaries Saks Fifth Avenue, Saks OFF 5th and Lord & Taylor saw me and roughly 5 million others asking the same question: seriously?

Let’s take a look at the facts: 

  • This particular instance appeared to be a physical access attack. Fraudsters were able to insert a skimming device to read mag-stripe card data at the credit card terminal or in the communications channel.
  • The above skimming and data vulnerability went undetected for some time, reportedly for up to one year.
  • It’s important to remember that this was a mag-stripe attack, not an EMV chip card attack.
  • Mag-stripes and passwords were introduced around the same time and they have the same weakness: they are static. Much like knowing someone’s password, getting a copy of the mag-stripe data allows for a convincing replica to be produced for use at a terminal as if it were the original card.
  • Mag-stripes are being phased out around the world for this reason and most of the world has already completed the conversion. Mag-stripes are there to help those issuers who have not yet completely converted to EMV chip cards. This is important because the U.S. was the last to convert.
  • HBC should have been conducting physical network security inspections on a regular basis to check for rogue equipment.
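The static-versus-dynamic point in the list above can be shown with a short model. This is an added example, not code from the original article or from any payment network. It assumes a toy issuer, constructed card data, and HMAC-SHA256 with a transaction counter standing in for the chip's real cryptogram algorithm.

```python
import hashlib
import hmac

def chip_cryptogram(key, pan, amount_cents, atc):
    """Per-transaction value computed inside the chip; the key never leaves it."""
    msg = f"{pan}|{amount_cents}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class Issuer:
    """Toy issuer (hypothetical model, not real EMV or track-data formats)."""
    def __init__(self):
        self.track = {}     # PAN -> static mag-stripe bytes on file
        self.card_key = {}  # PAN -> secret shared with the chip
        self.last_atc = {}  # PAN -> highest transaction counter accepted

    def enroll(self, pan, track_data, key):
        self.track[pan], self.card_key[pan], self.last_atc[pan] = track_data, key, 0

    def authorize_stripe(self, pan, track_data):
        # Static check: the same bytes are valid on every swipe, like a password.
        return hmac.compare_digest(self.track.get(pan, b""), track_data)

    def authorize_chip(self, pan, amount_cents, atc, cryptogram):
        key = self.card_key.get(pan)
        if key is None or atc <= self.last_atc[pan]:
            return False  # unknown card, or counter already seen (replay)
        expected = chip_cryptogram(key, pan, amount_cents, atc)
        if not hmac.compare_digest(expected, cryptogram):
            return False  # value was computed for a different counter or amount
        self.last_atc[pan] = atc
        return True

def demo():
    pan, key = "4000000000000002", b"constructed-card-key"  # constructed values
    issuer = Issuer()
    issuer.enroll(pan, b"constructed-track-data", key)
    copied = b"constructed-track-data"  # what a copy of the stripe contains
    seen = chip_cryptogram(key, pan, 2500, 1)  # one observed chip transaction
    return {
        "stripe_original": issuer.authorize_stripe(pan, copied),
        "stripe_copy": issuer.authorize_stripe(pan, copied),
        "chip_original": issuer.authorize_chip(pan, 2500, 1, seen),
        "chip_same_message_again": issuer.authorize_chip(pan, 2500, 1, seen),
        "chip_old_value_new_counter": issuer.authorize_chip(pan, 2500, 2, seen),
        "chip_next_genuine": issuer.authorize_chip(
            pan, 900, 2, chip_cryptogram(key, pan, 900, 2)),
    }

if __name__ == "__main__":
    print(demo())
```

The issuer cannot tell a copied stripe from the original, while an observed chip value is useless once its counter has been consumed.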

The reality is that an organization like HBC should have known better. Today there should be no excuse for failing to protect consumer data when they entrust it to you. So, what’s next? If HBC and the growing number of organizations falling victim to avoidable data breaches aren’t learning from each other, how can the digital economy survive?

Luckily, the General Data Protection Regulation (GDPR) is on the horizon. Although it is currently coming to fruition in EU countries, non-EU jurisdictions will likely enact similar regulation in the near future. These regulations will spur some extremely important data- and consumer-centric conversations, have powerful effects on those companies that do not responsibly manage consumer data, and have a net positive impact on the digital economy’s secure future.

Here’s a quick breakdown of the most important things you need to know and what a GDPR future could be like:

  • GDPR levels the power relationship between consumers and those that acquire and manage their data.
  • The most important concept in the regulation is that it allows consumers to assert their right to be forgotten. This obliges the organizations in possession of this data to truly delete all data related to the consumer, should they ask.
  • In the social media age, the sophistication of discontent campaigns continues to grow (#DeleteFacebook, #BoycottTimHortons and #BoycottUnitedAirlines immediately come to mind). An organization that poorly manages data could find itself in the crosshairs of powerful social movements. With GDPR and consumers’ right to be forgotten, the powerful hashtags that result in real action could transition from #Delete and #Boycott to #ForgetMe. The cost and logistics of honouring consumers’ wish to be forgotten cannot be overstated.
  • In our current “GDPR-less” digital economy, many companies have poorly architected back-end systems. Each time a new service is rolled out, another copy of the data is often created. For companies that already don’t manage consumer data responsibly – and don’t have an appreciation for consumer rights to privacy, security and trust – trying to pick through all the places where consumers’ data may be held, after GDPR comes into place and someone wants to be forgotten, will be a nightmare. It’s time organizations managed the data they are responsible for with respect and foresight.
  • Finally, GDPR also allows the regulator to assess a fine of up to 4% of global revenues for non-complying organizations. That is no small sum.

Regardless of when GDPR comes to an organization’s doorstep, in whatever country they may be, the time for businesses to start taking data storage seriously is now. The introduction of GDPR will give consumers real clout to hold organizations accountable for their data management failures.

I, for one, as a consumer and digital identity advocate, could not be more excited.