Retail Data Breaches: How You Can Learn From Others’ Mistakes

Here, LIBRIS insurance encourages booksellers to think about how they secure online data to prevent a breach. LIBRIS, the insurance program supported by the American Booksellers Association, offers tailored, affordable bookstore coverage.
This year has been a bonanza for criminals intent on breaching retailers. Major retailers hacked include Panera, Best Buy, Macy’s, Lord & Taylor, Sears, Kmart, and Saks Fifth Avenue.

According to a KPMG study quoted in Business Insider, one-third of consumers would stop shopping for an extended period at a retailer after a breach, and 19 percent would never return to that retailer.

What are the takeaways that independent booksellers can use to secure online data and prevent a breach?

1. Don’t assume you can fly under the radar.

It isn’t only retailers with major e-commerce sites that get hacked. Cybercriminals know that smaller retailers often lack the resources to defend themselves, and automated attacks don’t discriminate by store size.

2. Keep business and personal accounts separate.

Use separate accounts, each with its own password, for your business and for your personal banking, e-mail, and shopping. If a personal site is breached and your password leaks, a password that was reused for a business account is all an attacker needs to get in; a unique password keeps the damage confined to the site that was breached. Be careful about what you allow to be uploaded to or attached on your computers, and encrypt the sensitive data you store.

3. Educate yourself and employees on cyber theft

Many data breaches happen by accident when an employee unwittingly opens the door. Booksellers need to train employees regularly on how to generate strong passwords, properly file and store data, and avoid malware. Limiting employee access to websites outside the scope of their daily duties will help thwart a hacker’s entrance.

Hackers have become particularly adept at phishing. With a little social media snooping and a convincing e-mail, they can trick a staff member into handing over login credentials. Train employees on:

  • Basic preventative measures: how to recognize a phishing attempt; changing a password promptly whenever it may have been exposed (rather than on a fixed schedule, which mostly pushes people toward predictable variations) and never reusing it across sites; creating a secure password that’s at least 12 characters long, nonsensical (i.e., a combination of letters, numbers, and symbols that don’t spell out words), and totally unrelated to anything about that employee (not their dog’s or child’s name).
  • What their responsibilities are to protect sensitive or confidential data.

4. Protect employees

Don’t use Social Security numbers as employee ID or client account numbers. Don’t collect or keep information you don’t absolutely need. Minimize the number of places you store personal/private data.

5. Outsource payment processing

According to one expert, the weakest link in the credit card payment system is that merchants still handle actual card data in their own systems. “Merchants need to properly combine point-to-point encryption and tokenization technologies whenever a card is swiped. The business never handles actual card data; the transaction is processed through the merchant environment,” said Dave Oder, CEO of Shift4 Corporation, as quoted in Upwork. “With only a secure token returned to the merchant along with the authorization, there’s no risk of storing vulnerable cardholder information.”
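The flow Oder describes, worked through as an added example (this is not Shift4’s or any vendor’s code): a stand-in terminal, processor and merchant point-of-sale in Python, plus the card-number scan a merchant can run over its own order exports, logs and backups to confirm that no card number is being stored. The class and function names, the HMAC-based stand-in cipher, the token format and the sample order text are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import re
import secrets
import string


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test: every real card number passes it, so it separates
    likely PANs from other long digit strings such as order numbers or ISBNs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# 13-19 digits, optionally separated by spaces or dashes, not part of a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid card number in text: the scan you run over logs,
    order exports and backups to prove the merchant side is not storing PANs."""
    return [d for d in (re.sub(r"[ -]", "", m.group()) for m in PAN_RE.finditer(text))
            if luhn_ok(d)]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode, a stand-in cipher so the demo needs only the
    # standard library; a real P2PE terminal runs AES inside a PCI-validated device.
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def p2pe_encrypt(key: bytes, pan: str) -> bytes:
    nonce = secrets.token_bytes(16)
    return nonce + bytes(a ^ b for a, b in zip(pan.encode(), _keystream(key, nonce, len(pan))))


def p2pe_decrypt(key: bytes, blob: bytes) -> str:
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def terminal_swipe(terminal_key: bytes, pan: str) -> bytes:
    """Stand-in for the PCI PTS terminal: encrypts at the swipe, before any merchant software sees the data."""
    return p2pe_encrypt(terminal_key, pan)


class Processor:
    """Payment processor (assumed model): the only party that ever sees a decrypted PAN."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)  # injected into terminals, never given to the merchant
        self._vault: dict[str, str] = {}    # token -> PAN, held off-site by the processor

    def authorize(self, blob: bytes, amount_cents: int) -> dict:
        pan = p2pe_decrypt(self.key, blob)
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        # Random token, letters only so a PAN scan can never mistake it for a card number;
        # it is a vault lookup key, not something derived from the PAN.
        token = "tok_" + "".join(secrets.choice(string.ascii_letters) for _ in range(20))
        self._vault[token] = pan
        return {"approved": True, "token": token, "last4": pan[-4:], "amount_cents": amount_cents}

    def refund(self, token: str, amount_cents: int) -> dict:
        pan = self._vault[token]  # later transactions reference the token, never the PAN
        return {"refunded": amount_cents, "last4": pan[-4:]}


class MerchantPOS:
    """Merchant environment (assumed model): forwards opaque blobs and stores only tokens and last4."""

    def __init__(self, processor: Processor) -> None:
        self.processor = processor
        self.orders: list[dict] = []

    def sell(self, blob: bytes, amount_cents: int) -> str:
        resp = self.processor.authorize(blob, amount_cents)
        self.orders.append({"token": resp["token"], "last4": resp["last4"], "amount_cents": amount_cents})
        return resp["token"]

    def storage_dump(self) -> str:
        return repr(self.orders)  # what a backup of the merchant's own data contains


if __name__ == "__main__":
    proc = Processor()
    pos = MerchantPOS(proc)
    token = pos.sell(terminal_swipe(proc.key, "4111111111111111"), 1999)  # constructed test PAN
    print("merchant storage:", pos.storage_dump())
    print("PANs found in merchant storage:", find_pans(pos.storage_dump()))
    print("PANs found in a careless export:", find_pans("order 1234 card 4111-1111-1111-1111 exp 12/29"))
```

The scan is the part worth keeping: because the Luhn check rejects most long digit strings, a bookstore’s ISBNs and order numbers are not flagged, while a card number that slipped into a spreadsheet or log is. Run it over anything that leaves the store, including backups, since that is exactly the data a breach exposes.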

6. Vet third-party vendors

Vendors, like employees, should only be able to access what’s necessary for them to perform their work. Set up access controls that compartmentalize data so that no single account, authorized or not, has free rein. Never give temporary workers or vendors access to personal information on employees or customers.

7. Stay up-to-date

  • Keep firewalls, anti-virus, and anti-spam software in place and up-to-date.
  • Secure your physical terminals.
  • Apply software vendors’ patches promptly as they are released.

8. Create a breach response plan

Knowing what to do in the event of a breach will help you react that much faster, limiting the damage done. Your plan should include steps to notify customers, vendors, and staff, plus a list of the people and resources you’ll need to contain the breach, such as your IT support, your payment processor, and your insurer.

Does your coverage include cyber insurance?

Check with your agent or carrier to see if you would be covered if your credit card system or database is compromised. Often, you can easily and cost effectively add cyber liability to your policy. LIBRIS representatives are happy to review your current policy coverages with you and your agent. Visit the LIBRIS website to get started.


Have questions on risk, safety inspections, or insurance terms on lease agreements? Want a free, no-obligation insurance quote? Contact LIBRIS today at (888) 694-8585 or LIBRIS@ArrowheadGrp.com.