Chili's and Macy's teach very different lessons about breach response
Each new day seems to bring a revelation of another data breach. They happen with such frequency now that they have become commonplace and the media and their readers seem to be losing interest.
However, two recent breaches warrant additional attention as a learning opportunity for the remarkable contrast in how each was handled by the companies that suffered them: Chili’s and Macy’s.
On May 11, Chili’s reported that it had experienced a breach. So what? Just another breach. What was noteworthy about the Chili’s breach is how fast it was discovered and how quickly the popular restaurant chain’s payment partners and customers were notified.
Within hours of learning about the breach, Brinker International, parent company of the Chili’s chain, issued a news release, website notice and social media advisories informing consumers and other interested parties of the incident. Brinker immediately shared what was known, shared what it didn’t yet know about the scope of the breach and underlying causes, and offered intelligent advice to consumers whose payment information may have been compromised.
This simple and selfless action allowed Chili’s customers to immediately begin checking their debit and credit card accounts for unusual charges. This gave the hackers who stole the payment card data far less time to exploit the stolen debit and credit cards than they otherwise would have had. Brinker’s candor and quick action made the breach less valuable to criminals.
“Upon learning of this incident, we immediately activated our response plan,” the Brinker press release read. “We are working with third-party forensic experts to conduct a thorough investigation to determine the details of what happened. Law enforcement has been notified of this incident and we will continue to fully cooperate.”
Brinker’s good-citizen response was in sharp contrast to so many others that we see, where major brands announce data breaches many months after they have discovered them. By delaying disclosure, they risk exposing customers, financial institutions and card issuers to additional loss. These costs are invariably passed on to customers in the form of higher prices and fees.
While there are many things consumers admire about Macy’s, the retailer's recent hacking response protocol is not one of them. The company waited a month to notify customers following an ongoing breach of Macys.com and Bloomingdales.com customer accounts. The breach permitted an unauthorized party to access customer names, addresses, phone numbers, email addresses, birthdays and debit or credit card numbers with expiration dates. A company spokesperson stated that the retailer has since added additional security measures as a precaution, which likely sent a few puzzled customers and partners to the dictionary to double-check the definition of the word.
Consumers need to know whether the firms that they’ve entrusted with their confidential information have implemented security measures that follow best practices. Unfortunately, the ever-increasing number of data breaches indicates that in many situations, this isn’t the case. Most firms implement necessary security, such as multifactor authentication, but additional regulation is needed to ensure that all of them do.
Fortunately, recent advancements in anti-fraud technology such as biometrics, behavior analysis and adaptive authentication are making the job of stopping hackers easier. These new technologies ease the burden on users and provide strong protection against hacking threats.
In the meantime, Brinker’s approach with Chili’s serves as a model for other consumer-facing brands entrusted with their customers’ payment data.
The formula for success includes embracing the latest PCI standards completely, adopting layered, in-depth security strategies with multifactor authentication and risk analysis to validate trusted identities across all channels, ensuring cybersecurity plans and programs have a breach notification component, notifying consumers and other stakeholders immediately should a breach occur, provide updated information on the investigation process and status and treating customers and payments ecosystem partners as the invaluable partners in commerce and security that they are.
Breaches will always be a part of life as long as there is electronic data and the internet. Custodians of sensitive data need to make the investment necessary to protect against breaches and they need to be responsible enough to mitigate the losses for all parties when a breach happens.