Sadly, we learned of this hack LAST week when it actually happened in...wait for it...April 2019–almost a year ago.
I predict that hacking is going to happen to more and more brands and stores in our industry. I think these victims will either turn over most online operations to a third party—or close due to costs. I know of a jewelry store that had fraud and closed. It’s a reality because fraud costs can be massive. Doordash is battling a data breach lawsuit now and it’s costing them millions of dollars. Fraud is one reason that more businesses are relying on Facebook. Businesses can operate there (i.e. share news, sell via the Marketplace, etc.) and be ’safe’….granted if one ignores the ads from Russia.
Ask yourself: how many businesses have been hacked in our industry? Then imagine that may be 1/100th of those that truly got hacked. I believe we have hundreds of businesses that are hacked but don’t know it. How would they? That’s the problem with being hacked: one often doesn’t know.
A leading problem is that many ‘mom-and-pop’ sites were built years ago--some 10+ years ago. Internet years are like dog years, and that 10 years might as well be 70 years! When you visit these sites, they are likely harboring malware and may be hacked. While I support indie stores, the issue is: you shop at your own risk. Old tech = bad tech and bad tech often leads to: hacked customers.
Even if a site was built just two years ago, it has a higher chance of being infected. Think of sites like food: these sites have ‘expiration dates’ on them and the stores keep serving this ‘food’ to customers at the risk of the customer. It’s producing ‘food poisoning’ in the form of credit card and identify theft. While most store owners will tell you they have had their credit card information stolen at market, or via another route, most will balk when asked to pay to update their website to make it secure.
The safety of our retail websites reminds me of the need for food regulation in New York City. Vendors used to use dirty, wood pushcarts to house and sell food around the city. Over the decades, the city passed laws to limit those carts because many were not sanitary. The goal: put food in refrigerated, clean stores. With a similar goal in mind, the city gives health grades to restaurants in the form of a letter, and they display that letter grade in their window. Maybe retail sites should have to display a letter grade? Do we need a 'Department of Web Health' to monitor sites?
Currently, no legislation or agency manages online stores to proactively ensure site safety or prevent identity theft. There are only laws that deal with theft after it occurs. I know this because my company dealt with a hacking issue caused by Adobe. This approach is like only caring about food sanitation and quality after customers get sick. We’re in the wooden cart era of retail website security.
I believe that brands, retailers, and hosting companies need to collaborate, improve their security practices, and promote good actors. If we don’t, Uncle Sam may do it for us.
I’d give our industry a failing grade on website security. I think that we can fix this by supporting a website grading system for our industry.
PS - Curious what impact the NYC restaurant letter-grading system has on restaurants? Check out this article: