Direct-to-consumer data security: Lessons from the trenches

WCBN-53-2-Direct-to-consumer1by Steve Wagner
“If you’re like me,” said eCellar founder and CEO Paul Thienes, speaking at the latest edition of the Eastern Wine Expo, “I thought we were insulated to protect ourselves from a breach. I’m here to tell you that it turned out to be a false sense of security. I’ve been running my company, Missing Link Networks, for approximately 18 years.” During that time he has been serving mainly wineries in the Napa Valley with eCellar, which he describes as “the largest and broadest, deepest software platform in the wine industry.” They help to unify staff in the wineries, in different departments, unifying different systems all into one so they can operate from one database where “all staffers are on the same page.”
“On May 13th, 2015,” he said, “I thought it was all going to go away. The smoking gun I found that day was a file on our servers that gave proof that our defenses against hackers failed. We had been breached, and we didn’t know how much data loss had occurred, and still don’t. But we feared the worst.”
Through their own internal forensics, they discovered how the hackers got in and what they had access to. They promptly alerted Secret Service, contacted a security firm, and secured a legal team in Washington D.C. to help them navigate all the actions required of them as a service provider to notify their clientele. They notified their clients of the breach, and the clients, in turn, had to notify their customers. “Within days, our clients sought their own legal counsel to help them correctly notify those customers; there’s a very specific protocol that has to be followed to notify people of a data breach of this nature.” Thienes wanted to make sure those consumers who might have visited multiple clients of his received multiple notifications which were consistent across brands — which numbered about 70. In other words, the wineries didn’t want to have consumers receiving one notification that said one thing getting a different one from another winery.
It was a valid concern. About 250,000 consumers were potentially affected by the breach and 400,000 credit cards were at risk. And Thienes’ own projected loss is nearing a half a million dollars.
As to how eCellar is doing, post-breach, on average, he said, “we’re seeing statistics that they lost about 1 to 2 percent of their wine club, specifically because of the breach. That means that 98 percent of the cancel reasons for wine clubs are for reasons other than the data breach.” Thienes also notes a 1 to 2 percent blowback from notified consumers, mostly positive messages, like ‘thanks for the notification; by the way, I need more wine.’
In working with the credit card brands, Thienes sent all exposed credit cards to the four major players – VISA, American Express, Discover and Master Card. “They did not reissue cards, which we were afraid of. That is very costly. Typically, it results in fines to meet the service provider, or can result in fines to the actual merchants who would probably come after us. This is a very low to no fraud event.”
The risk is very real today for data breaches. Thienes has come up with seven categories of hackers and the relative dangers they present:

  • White hat hackers – These are the good guys, usually hired by companies to do penetration testing to make sure your network is secure. They are paid money and do it ethically; they do not harm your data if or when they get into your systems.
  • Black hat hackers – True villains. Very aggressive ones who outpace white hat hackers. Always seeking the paths of least resistance…and finding them, due to human error and laziness.
  • Script kiddies – Novices who access hacking libraries and launch their own hack attacks. Often they have no idea what they are doing, hence their name.
  • Hack-tivists – Those who hack other systems for religious, personal or political gain. Often teens that want to try to hack into the local car wash system.
  • State sponsored hackers – A growing threat. Thienes strongly suspects one of these is responsible for his breach. As far as he can tell it likely came from Vietnam, but he never found out for sure. Such people are sponsored by their governments who have unlimited wealth to put toward hacking.
  • Spy hackers – Corporations hire these hackers to get trade secrets.
  • Terrorists – These are the most dangerous. Hacking into the flight system of an airliner, for example, which has already been done. Anything is possible here.

Meanwhile, credit card companies are honing their defensive techniques. Thienes discussed emerging technologies, what are now known as the three pillars of credit card security. “The major card brands, especially VISA, are forcing three things upon the industry,” Thienes says. “And everybody follows the 800 pound gorilla. Tokenization is the first thing. This takes the actual credit card number, also known as the PAN (Primary Account Number) and genericises it into a random string of characters. The actual credit card data is securely stored in a level 1 provider token vault. What’s great about this is that the card on file basically becomes a token on file. So even if you are a provider that has tokens, and have implemented tokenization, if they get hacked, the hacker will get tokens, which are worthless. They are not usable. The second pillar is EMV. All of us are getting brand new shiny credit cards in the mail with chips on them.” This is a whole new ballgame because there is a whole little software engine that runs on that chip. More and more merchants, especially the big guys, are deploying EMV (Eurocard, MasterCard, VISA). This is solely about reducing on-site card present fraud. The card machines are now consumer-facing: it is not necessary to hand your credit card to the worker where they swipe the card. Instead, you actually have the machine in front of you, facing you, and you insert the card. This is a huge shift from an operations perspective because one of the things that is very prevalent is the swipe scanner. When you visit an ATM, for example, there may be what is called a ‘skimmer’ which actually skims the track 2 data from the credit card. Suddenly, someone can actually print your credit card and use it. EMV helps to eliminate that.
The third new pillar of security is Point-to-Point Encryption (PtoPE), which encrypts the actual card data. “If this is connected to a computer,” says Thienes, “and that computer is riddled with malware, it’s been hacked, it’s being used to hack other systems, or maybe it has been taken over and you don’t know it yet, it doesn’t matter. When you use the EMV or swipe the card using this device, the card gets encrypted at that hardware level. It cannot be intercepted on its way to the merchant processor.”

Leave A Comment