Retailers face tough sell over data collection technology
When entering a store, many consumers are unaware that they may be monitored by facial-recognition cameras, Bluetooth trackers, smart sensors, self-service tills, smartphone apps and other data-collecting technologies.
While retailers harness these systems to better understand their customers and improve the in-store experience, data collection — and its security — can be controversial and present risks.
Such data collection is often invisible to the customer, says Vlad Iliushin, team lead of the Internet of Things lab at Avast, a cyber security company. “They’re unaware it’s taking place and, importantly, aren’t presented with an ‘opt-in’ option for tracking and data processing upon entry.
“There is no ‘do not track me’ checkbox in physical stores, meaning HD cameras, WiFi and Bluetooth trackers used to monitor customer behaviour have free rein to do so,” he says.
Mr Iliushin cites a real estate company in Canada that installed cameras inside digital information kiosks at 12 shopping centres, collecting millions of images and using facial recognition technology without customers’ knowledge, according to a probe by authorities.
Alongside consent, there is the issue of security. Almost half of UK businesses suffered a cyber security breach or attack in 2019, according to statistics from the UK’s Department for Digital, Culture, Media and Sport, and failure to secure customers’ data can result in hefty fines.
“Store networks and point-of-sale systems, both of which were once harder to gain access to than simply robbing the store, are now recognised as high-value targets for financial gain and theft of customer data,” says Michael Borohovski, director of software engineering at US software group Synopsys. “There are a number of ways in which this could be possible — from software flaws to vulnerabilities that may allow attackers to gain additional access or escalate privileges. This is just the tip of the iceberg,” he says.
“Near-field communication (NFC), which is a technology often used for contactless payment, and radio frequency identification (RFID) tags, which are often used for inventory management and tracking, can be read and overwritten.”
Countermeasures include strengthening internet security, installing updates, using offline solutions where possible, creating strong passwords and giving staff access to password management apps, he says.
Vanessa Barnett, technology and data partner at London-based legal firm Keystone Law, warns that data security threats are increasing as retailers adopt IoT devices. “Whether the retailer is installing augmented reality to see how clothes might look on you or handheld scanners to reduce queues at tills, they collect huge amounts of personal data to make them effective and this also makes them incredibly attractive to cybercriminals,” she says.
If a retailer falls victim to a data breach, the repercussions can be significant. DSG Retail, the Dixons Carphone subsidiary that operates Currys PC World, was fined £500,000 by the Information Commissioner’s Office, the UK’s data protection regulator, after a point-of-sale system breach exposed the personal data of 14m customers. That sum was the maximum available under the Data Protection Act 1998, which still applied because the breach predated GDPR.
Fines under the General Data Protection Regulation, the EU’s rules on data protection, can reach €20m or 4 per cent of annual global turnover, whichever is greater. “Even for large retailers, getting it wrong could have a huge financial impact,” says Ms Barnett.
IoT devices leave retailers more vulnerable to hacking, says Mark Weir, UK & Ireland director of cyber security at US tech group Cisco. “If you’re a large retailer with stores — each with a big number of connected devices — you’re providing opportunistic cybercriminals with many different entry points into hacking your business,” he says.
A single vulnerable device compromised by someone who has broken into a store’s guest WiFi network is enough to cause harm, especially if it gives access to customer data, he warns. “After all, the greater the details of an individual, the more valuable it would be for selling on within a black market or using to hack unsuspecting victims personally.”
He advises retailers to keep all IoT devices on self-contained networks to limit the damage of potential breaches and invest in technologies built to withstand cyber threats, instead of cheaper alternatives.
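The advice above amounts to network segmentation with a default-deny policy between zones. As an added illustration, not code from the article or from Cisco, the following script models a store network split into guest WiFi, IoT, point-of-sale and management zones, encodes the few cross-zone flows that are legitimately needed, and audits a handful of constructed flow records against that policy. The address ranges, zone names, allow list and the simplified “src dst port” flow-log format are all assumptions for the example; a real deployment would enforce the same matrix in a firewall or switch ACLs rather than in Python.

```python
import ipaddress

# Constructed store network plan (assumed addressing, not any real retailer's).
ZONES = {
    "guest_wifi": ipaddress.ip_network("10.10.0.0/16"),
    "iot":        ipaddress.ip_network("10.20.0.0/16"),   # cameras, sensors, beacons
    "pos":        ipaddress.ip_network("10.30.0.0/24"),   # tills and payment terminals
    "mgmt":       ipaddress.ip_network("10.40.0.0/24"),   # IoT controller, patch server
}

# Explicit allow list of cross-zone flows: (source zone, destination zone, TCP port).
# Anything not listed is denied, so a compromised guest-WiFi client or IoT device
# cannot reach the tills. Traffic that stays inside one zone is permitted.
ALLOWED = {
    ("iot", "mgmt", 8883),           # sensors report to the controller over MQTT/TLS
    ("mgmt", "iot", 443),            # controller pushes firmware updates
    ("pos", "internet", 443),        # tills talk only to the payment gateway over TLS
    ("guest_wifi", "internet", 443),
    ("guest_wifi", "internet", 80),
}

def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the plan counts as 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Default deny: a flow passes only if intra-zone or on the allow list."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst and src != "internet":
        return True
    return (src, dst, dst_port) in ALLOWED

def audit(flow_lines):
    """Return the flows that violate the segmentation policy.

    Each line is 'src_ip dst_ip dst_port' (a constructed, simplified flow-log format).
    """
    violations = []
    for line in flow_lines:
        src_ip, dst_ip, port = line.split()
        if not is_allowed(src_ip, dst_ip, int(port)):
            violations.append((zone_of(src_ip), zone_of(dst_ip), int(port), line))
    return violations

# Constructed flow records. A guest device probing a camera's telnet port and a
# camera trying to reach a till's SMB port are the two moves segmentation should stop.
SAMPLE_FLOWS = [
    "10.10.4.7 198.51.100.20 443",   # guest browsing the internet: allowed
    "10.10.4.7 10.20.1.15 23",       # guest WiFi -> IoT camera telnet: denied
    "10.20.1.15 10.40.0.5 8883",     # camera -> IoT controller: allowed
    "10.20.1.15 10.30.0.9 445",      # camera -> till SMB: denied (lateral move)
    "10.30.0.9 203.0.113.10 443",    # till -> payment gateway: allowed
]

if __name__ == "__main__":
    for violation in audit(SAMPLE_FLOWS):
        print("DENY", violation)
```

Running the script flags exactly the two cross-zone moves an attacker on the guest network or on a compromised camera would try; every other flow is either intra-zone or on the short allow list. The point of writing the matrix out is that the “legitimate” exceptions are few and specific (a port, a direction, a pair of zones), which is what makes a self-contained IoT network defensible.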
With human error resulting in 90 per cent of UK data breaches last year, according to cyber security company CybSafe, retailers must also ensure their staff are trained in the security aspects of the IoT products used in their businesses, says Sally Mewies, a partner and head of technology at international law firm Walker Morris.
She says companies must have mandatory data protection training for staff. “It is vital to make sure that IT policies and standards are up to date and relevant and . . . that third party suppliers observe these,” she adds.
When using IoT technologies, retailers should take a privacy-by-design approach so that encryption and decisions about where data is stored are built in from the beginning, says Mike Zachman, chief security officer of Zebra Technologies, a retail technology provider.
He says: “Any business handling customer data needs to take a proactive approach to data security and needs to treat the privacy of customer data in the same way they would treat other critical requirements of the business.”
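One concrete privacy-by-design measure for the WiFi and Bluetooth trackers mentioned earlier is to never store the raw device MAC address, which is a persistent identifier, but a keyed hash of it under a key that is rotated daily. The following is an added example, not code from the article, Avast or Zebra Technologies; the in-memory key store is an assumption (a real deployment would keep the per-day keys in an HSM or secrets manager and destroy them once the day’s aggregates are computed).

```python
import hashlib
import hmac
import secrets

# Assumed in-memory key store keyed by ISO date, for illustration only.
# Production systems would hold these keys in an HSM or secrets manager.
_KEYS = {}

def key_for_day(day: str) -> bytes:
    """Return (creating on first use) a random 256-bit key for the given ISO date."""
    if day not in _KEYS:
        _KEYS[day] = secrets.token_bytes(32)
    return _KEYS[day]

def normalise_mac(mac: str) -> bytes:
    """Accept 'AA:BB:CC:DD:EE:FF' or 'aa-bb-cc-dd-ee-ff' and return the 6 raw bytes."""
    hexdigits = mac.replace(":", "").replace("-", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)

def pseudonymise(mac: str, day: str) -> str:
    """Keyed, truncated hash of the MAC: same device -> same token within one day only.

    A plain SHA-256 of the MAC would not do: the address space is at most 2^48
    (far less in practice, given known vendor prefixes), so an unkeyed hash can be
    reversed by brute force. HMAC with a secret, rotating key removes that path.
    """
    digest = hmac.new(key_for_day(day), normalise_mac(mac), hashlib.sha256).digest()
    return digest[:16].hex()

def daily_unique_devices(sightings, day: str) -> int:
    """Count distinct devices for a day from (mac, timestamp) sightings, keeping only tokens."""
    tokens = {pseudonymise(mac, day) for mac, _ in sightings}
    return len(tokens)

if __name__ == "__main__":
    # Constructed sightings from a sensor: two visits by one device and one by another.
    seen = [
        ("AA:BB:CC:DD:EE:01", "09:02"),
        ("aa:bb:cc:dd:ee:01", "09:31"),
        ("AA:BB:CC:DD:EE:02", "10:15"),
    ]
    print("unique devices:", daily_unique_devices(seen, "2020-03-02"))
    print("token today:   ", pseudonymise("AA:BB:CC:DD:EE:01", "2020-03-02"))
    print("token tomorrow:", pseudonymise("AA:BB:CC:DD:EE:01", "2020-03-03"))
```

Footfall can still be counted within a day, but once the day’s key is destroyed the tokens cannot be linked to a device or across visits, and they cannot be matched against a customer database. Two caveats a practitioner should keep in mind: pseudonymised data is still personal data under GDPR while the key exists, so it does not remove the need for a lawful basis and notice; and modern phones randomise their WiFi MAC addresses, which limits how much such counting can see in the first place.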