Chipotle, Kate Spade, Bevmo Consumer Data Exposed in Latest Breach

Security researchers have found a publicly exposed cloud database containing the personal data and behavioral profiles of 120M Americans, many from known retail and consumer brands.


By Alarice Rajagopal - 02/25/2020

For consumer goods and retail companies, data privacy is critical to earning and keeping consumer trust — an imperative to survival in these extremely competitive landscapes.

Shoppers are increasingly leveraging their access to more technology to make their path to purchase more efficient; however, that same technology is also making them more aware of data privacy issues than ever before. As such, the implications for those organizations that encounter a data breach can be massive.

Additionally, those brands that need consumer behavior data in order to operate also have to rely on third-party organizations, extending the need for a strong cybersecurity posture beyond just their own four walls, as demonstrated in the latest "snafu" reported by Infosecurity.

The incident included data extracted from Chipotle employees’ mobile phones for tracking, a spreadsheet containing the home addresses of 700,000 Kate Spade customers, and 3.5 million loyalty card accounts for beverage retailer Bevmo, including the physical address tied to each account.

Security company UpGuard found a misconfigured Amazon S3 bucket on Feb. 3, which was eventually traced back to market analysis company Tetrad. The publicly exposed cloud database contained the personal data and behavioral profiles of 120 million Americans.

In addition to the aforementioned retailer data, the database also featured 10GB of data from the Experian Mosaic consumer behavior product, which UpGuard discovered contained 130 million rows of this information (including addresses, names, gender, etc.).

According to Infosecurity, “Companies like Tetrad use this information to map consumers ascribed to various Mosaic categories by buying behavior to their geographical location, so that when retailers want to build a new store, they know to do so close to clusters of potential customers.”

Tetrad is said to have finally closed access one week after first being notified.

“Digital technology does not just enable the accumulation of behavioral data; it also makes possible the unintentional exposure of that data en masse. In this case, multiple data sources, from other companies’ data products like Experian Mosaic to retailers’ customer loyalty programs, were combined in one storage bucket that was misconfigured for public access,” concluded UpGuard.

But while maintaining consumer trust is paramount, it doesn’t mean that a company’s reputation is irreversibly tarnished when breaches occur. Data breaches haven’t historically caused catastrophic boycotts of the brands responsible for exposing their data, cyber law and data privacy speaker Jamal Hartenstein told CGT.

Instead, reputational damage comes from the media fallout surrounding the breach, which ultimately impacts the company's B2B relationships. This can also have a negative effect on the company’s cybersecurity insurance premiums and stock prices, with the brunt of the damage stemming from Federal Trade Commission-imposed fines and 20-year consent decree orders that most organizations agree to in lieu of long, costly litigation, he said.

Protecting large sets of consumer behavioral data can become challenging when traditional protections such as encryption ruin business intelligence and big data analytics that rely on processing data in cleartext (unprocessed and unencrypted data).

“An excellent way to extract value from huge datasets of consumer behavioral information is to use predictive analytics on purchase decisions and location-based spending,” he said.

As companies grapple with evolving consumer data protection mandates, such as the California Consumer Privacy Act (CCPA), firms that adhere to a security framework can not only mitigate their risk but secure a competitive advantage as well.

“Consumer goods companies and retailers can begin turning cybersecurity into a competitive advantage by shaping the culture of how their target markets of consumers think about their own data privacy, and then boasting how their company secures it well,” said Hartenstein. “Ultimately, the company using cybersecurity and data privacy as a competitive advantage will have to live up to its publishing.”