An investigation is under way after Kmart Australia confirmed some of its customers’ private details have been hacked in an online security breach. In a statement published on the company’s website, Kmart Australia stated that some customers’ identity (name), email address, delivery and billing address, telephone number and product purchase details were accessed in the breach, but no online customer credit card or other payment details have been compromised or accessed. The statement also said that customers affected have been sent an email to inform them of the privacy breach.
Mark Bower, global director at HP Security Voltage, says: “This hack underscores the need for companies to protect all of the sensitive information they hold on their customers. Criminals are always looking for a way to exploit a system in a way that they can then turn into cold hard cash. In this case there is a further risk in that personal information about the user such as their name, full address, phone number and email address was taken. Criminals could then use this information or sell it on for use in more targeted larger-scale spear-phishing or identity theft attacks. Beyond the threat to customers’ sensitive data, companies need to be concerned with the impact such an event can have on their reputation and, ultimately, on their bottom line. A data-centric approach to security is the key cornerstone needed to allow companies to mitigate the risk and impact of these types of attacks.
While credit card data may remain safe here, one has to ask why other personal data wasn’t protected in the same manner. With the available technologies today to protect sensitive data very easily and quickly, it’s a simple matter to cover all sensitive data bases to protect consumer trust and satisfaction. Securing sensitive personal data, which is commonly attacked to conduct fraud and irritating phone scams and phishing attacks at the expense and inconvenience of the Australian consumer, is a duty of every Australian business today and not optional without being forced to by government regulations.”
Lisa Baergen, director at NuData Security, adds: “While Kmart may be downplaying this situation, breaches like this continue to be of extreme significance and concern. Even though it is believed financial information remained secure, hackers were able to access the names, addresses, phone numbers and emails of Kmart customers. What victims of a breach don’t always recognise is that every bit of information is important, so while they are downplaying the information leaked, consumers need to be more aware of the ramifications. Coupled with details from the rising number of breaches we continue to see, more comprehensive identities can be built and sold for a higher value to hackers on the dark web. So while financial details may not have been compromised this time, it won’t be long before fraudsters piece together more comprehensive bundles of information with details that include credit card numbers, passwords and more.
These ‘bundles’ contain much more complete, and increasingly dangerous information around specific individuals, meaning there are more opportunities for fraud to take place. For example, with enough data collected from separate breaches, a fraudster could gain access to financial and geographical information such as passwords and credit card numbers; they can fill out a loan application or apply for new credit cards. There is a multitude of ways to commit fraud with larger bundles of information. Fortunately, there is a means of stopping fraudsters from using their precious compiled data, before catastrophic damage can be done.
Organisations need to work harder to protect their consumers. We are still waiting to see the fallout for Kmart, but beyond the short-term fines and legal costs, they stand to lose consumer confidence, driving loyal customers to competitors and suffering sometimes staggering profit losses, like Target’s post-breach profit loss of 50%. Regaining customer confidence is no easy task. It is time to stop being reactive to these breaches with free credit reports and stop fraudsters in advance.
The organisations at the forefront of protecting their brand and users are leveraging online fraud detection solutions that employ behavioural analysis. The completely passive system is able to identify suspicious activity, potentially coming from a fraudster who has procured legitimate account credentials, and stop any deceitful transactions from taking place. Without the need to interrupt a user’s experience, behavioural analysis serves as a means of understanding how legitimate users truly act, thereby predicting and preventing fraud from occurring.”