Cyberwar Part 3: Marketing Data Collection Threatens All

Marketers are after every scrap of customer data they can get, in hopes of increasing their company's sales. Do you know they may be putting you at risk in the process? In the last of our three-part series on cyberwar, learn what IT needs to know about potential security threats rising from companies' marketing habits.



14 Creepy Ways To Use Big Data (Click image for larger view and slideshow.)

The hottest ticket in business today is big data. Data-driven decision making is all the rage, and rightfully so, in all business departments. Arguably, marketing is at its most keen and aggressive in collecting data, specifically customer data, in order to develop more personalized and highly targeted ads, pricing, and loss-leader offers. Unfortunately, gathering and storing so much personal data can put other organizations at risk.

That's because customer data tends to be the least protected in corporate databases. Generally, most companies feel some level of responsibility in protecting customer data, but it rarely takes top priority. Indeed, most companies didn't give cybersecurity much more than lip service. After all, IT budgets are slim and there's only 24 hours in a day to get all the work done.

Will the recent epidemic of data breaches, combined with a shift in legal responsibility from banks to retailers on customer banking information, change corporate practices? So far, most of the focus is on securing transactional data, specifically customer bank card data, and not on securing the details about the actual customer. The result is that customer data is easy pickings, even for hackers using unsophisticated tactics. For more sophisticated hackers, this is a bonanza of details prime for use in other, bigger, more lucrative breaches.

Hidden Dangers in Customer Data

Means used to breach any database include insider threats, phishing, and mimicking a user's credentials. All three can be achieved by learning more about individual business users in the organization. Business users are also consumers. Consumers buy things and sign up for store loyalty programs. Hungry marketers are quick to collect consumer data, online and off, with or without the customer's knowledge.

[Will the Nov. 13 attacks on Paris change your views about data protection? Read Paris Terror Attacks Renew Encryption Debate.]

Cameras in stores and at gas pumps capture customers' faces and analyze their expressions and movements. Consumer cellphones are "tapped," in a manner of speaking, so that retailers know who is within or walking past the store, and what items consumers are looking at on the premises. That data is often tied to customer social media accounts, loyalty programs, and past transactional data, so that a clerk can suddenly appear with product suggestions or a "just-in-time" personalized ad can be sent to consumers' phones.

Some retailers go even further and snatch data from every source they can find, even from governments, albeit not necessarily directly.

Data Bounty in Enhanced Driver Licenses and State IDs

Two sources of "clean" customer data, that is valid and verified identifying data, are the new federally mandated REAL ID and enhanced driver licenses.

With Real ID and enhanced driver licenses, the federal government meant to ensure users' identification in order to thwart terrorists who might use fake IDs, as they did in the 9/11 attacks. The IDs were meant to increase public safety. While state governments do share that information with certain private companies, such as insurance companies and employers who are required to confirm employee identity and citizenship, they generally guard the information fairly carefully.

Take the state of Georgia for example.

"Georgia's driver records statute, O.C.G.A. § 40-5-2, requires DDS to keep driver information confidential except in certain enumerated circumstances," a Georgia Department of Driver Services (DDS) spokesperson told InformationWeek. "For example, DDS is permitted to release driver records to insurance organizations for claims investigation activities, antifraud activities, rating, or underwriting. Such information is usually released through a contract that the insurance organization has with GTA."

Marketers, however, don't guard that info very well, if at all. But how do they get the information if the state isn't providing it?

I know of one way, but I'm sure there are others. About a year or so ago, I was in a Winn-Dixie grocery store in Georgia. The clerk asked if I wanted a loyalty card. When I said yes, she asked to see my driver's license. I expected a quick glance at it to verify my identity. Instead, the clerk took the license from my hand and scanned it. I objected quickly, but it was already too late. Winn-Dixie had my data already. So, what information did the grocer get exactly?

"All information printed on the front of a driver's license or ID is contained within the bar code," the Georgia DDS spokesperson said. "This includes the cardholder's name, address, date of birth, and physical attributes. Further limitations and/or endorsements on licensed drivers are also included in the PDF-417 barcode."

While Winn-Dixie marketers may be thinking it critical to know a consumer's physical attributes in order to sell more groceries -- maybe diet foods, if the person is overweight, or supplements, if he or she is underweight -- such information isn't really helpful to them.

Analyzing my routine purchases would tell them far more about what I'm likely to buy and thus what ads to give me at checkout or on my phone. Knowing my height, weight, age, birth date, hair color, eye color, blood type, gender, home address, maiden and married names, and whether or not I wear glasses or am an organ donor really gives them no marketing advantages over the transactional data they already have.

Yet, all that information so closely guarded by the DDS and so heavily relied upon by Homeland Security, is now sitting in a database somewhere, perhaps owned by Winn-Dixie, perhaps in the cloud, perhaps in a third-party marketing firm's database. It's also probably been sold to all and sundry by now.

All of it happened in the flash of a store clerk's swipe.

So I asked Georgia DDS about that.

"DDS does not share confidential driver information with any entity, unless DDS is authorized to do so under state and federal law," said the spokesperson. "DDS does not directly share any confidential driver information with retailers such as Winn-Dixie."

Yes, but the store got the information anyway. So now what?

"A Georgia statute, O.C.G.A. § 40-5-120(5), makes it illegal for a person to scan another person's driver's license without the consent of that person," replied the DDS spokesperson. "If the person consents, [the law states] 'the information collected may be stored and used for any legitimate purpose.'"

Well, I didn't know that at the time, so I didn't press charges. I'm well versed in both big data and cybersecurity, and it never occurred to me that I could actually call the cops over this particular form of data theft. Odds are your employees and business users are not aware of what to do in such situations either. Many may give consent without thinking through the consequences. It doesn't help matters that laws may vary from state to state, thereby adding to the confusion.

Nor would your employees or coworkers know that the information collected from their driver's license or an enhanced license, which is a driver's license that carries some passport information too, "may be stored and used for any legitimate purpose" and possibly for many illegal purposes.

This is only one anecdotal example of the depth and breadth of information marketers collect, bundle with even more data, and store for eternity. Marketers are collectively compiling the most in-depth, personally identifying information, regarding nearly every consumer on the planet, that mankind has ever seen.

All that data is now available for hackers.

"Retail, in particular big-box retail, has been driven primarily from a low-cost IT approach, and consequently they are under-invested in secure infrastructure and often dependent on vulnerable legacy equipment and software that leave them massively exposed," Simon Crosby, CTO of Bromium, an endpoint security provider, told InformationWeek.

"Unfortunately there has been little motivation on the part of these vendors to improve their posture because the financial consequences of a breach are in fact quite small," he added. "For a long time there was a myth in the security industry that a lost customer record cost the enterprise $202 in penalties, but over the last year, due to the large number of breaches, this has fallen to $0.58 per record, according to Verizon DBIR 15, leaving the consequence of a poor security track record as being primarily brand/customer loyalty impact, and not immediately of financial consequence."

Where's the harm to your IT?

If a hacker gets a lot of personally identifying information from a retailer data breach, then lots of bad things can happen. For one, fake IDs become far easier to make, and identity theft becomes much harder to prove. That fake ID may help a terrorist board a plane or walk right past your company's security defenses in both the physical and virtual realms.

Think about it. How can you could possibly manage user identification and access to the physical facility or the database, if a thief or terrorist can so convincingly mimic every detail of an authorized user? How can you protect employees or company data if terrorists, hackers, and hacktivists can identify them so easily and know every detail of their lives?

It's clear that IT needs to take a more holistic approach to security, meaning a consideration of both the physical and the virtual realms as a whole, rather than to focus on the cyber aspect alone. The real and the digital are one in a hyper-connected world.

It is also advisable that corporations rein in their marketing departments to prevent excessive data collection and hoarding. Using "smart data," meaning data relevant to a defined business problem, is a better approach to driving decisions than is haphazardly collecting any data available. This approach also protects your company and the general marketplace and country too.

"In an almost counterintuitive way, effective defensive postures must be shared and refined with others who are similarly exposed to cyberattacks without regard to normal business competiveness concerns," Joe D. Whitley, the first General Counsel of the Department of Homeland Security, former Acting Associate Attorney General for the Department of Justice, and current chairman of Baker Donelson's Government Enforcement and Investigations Group, told InformationWeek.

"How to move governments and businesses to a collective defense mindset is the challenge we must meet to better protect America's economy and reduce the threat posed by cyberattacks from foreign governments and terrorist organizations, together with rogue corporations and individuals," he added.

**New deadline of Dec. 18, 2015** Be a part of the prestigious InformationWeek Elite 100! Time is running out to submit your company's application by Dec. 18, 2015. Go to our 2016 registration page: InformationWeek's Elite 100 list for 2016.

Pam Baker is author of Data Divination: Big Data Strategies, which met with rave reviews and is currently being used in universities as a textbook for both business and tech courses. It's also sold to business audiences in the general market. The US Chamber of Commerce and ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.