Data breach alert: Small retailers are especially vulnerable

If you're more worried about becoming a victim of a data breach at a big national retail chain than in your local mom-and-pop store, think again.

More than half of the small businesses surveyed by the Ponemon Institute in 2013 had experienced a data breach, while only one third had notified consumers that their personal information had been exposed. In the early months of 2014, a number of small retailers suffered data breaches. Some examples:

• In March, police in Fairmont, Minn., received more than 200 reports of credit and debit card fraud following the hacking of a computer in the local El Agave Mexican Restaurant.
• The same month, Uncle Giuseppe's Marketplace, a small Long Island-based grocery store chain, announced that its credit card database system at three stores had been breached by computer hackers outside the U.S., affecting customers who had shopped there in January and February.
• In April, a local resident in Salem, Ore., discovered 98 employment applications, loaded with personal information such as social security numbers and dates of birth, in a dumpster outside a Little Caesars Pizza store.

The retailers who were hacked weren't high-profile targets for hackers. They are typically discovered by cyber thieves' robots that scan the Internet night and day for websites with vulnerabilities, according to Robert Hansen, Vice President of WhiteHat Labs at WhiteHat Security, who has worked on investigations of breaches for many small businesses. And such vulnerabilites are all too common.

"Small businesses tend to not patch critical software," Hansen said, "They can't afford the expense of fixing things in the right way." To a small business, he adds, security is often more something that gets in the way than something that gets done.

Read more of our advice on how to protect yourself in the event of a data breach. And check our guide to online security for more tips.

A 2012 survey of 500 small businesses by The Hartford supports Hansen's observation. Eighty-five percent of the business owners surveyed said they believed a data breach was unlikely and many indicated that they weren't implementing even simple security measures to protect their customer data. For example, only about half said they shredded and securely disposed of customer, patient, or employee data.

To handle security well, small business owners should update systems and software regularly, use secure passwords and data encryption, and secure sensitive data. Most important, according to Hansen, they must learn to take security more seriously. "If you care, you'll do the right thing," he said.

What you can do

You can't force a small business to tighten its security. But you can give its owner a wake-up call by asking for a document showing that the business has undergone a security assessment by a third-party. Most probably won't be able to provide one, but any business that has done so should.

You can also keep your checking account from being siphoned in the event of a data breach by shopping with a credit card instead of a debit card. Limit the personal information you share with any business to just the minimum required to complete the transaction. And don't disclose your home address or telephone number unless absolutely necessary.

—Jeff Fox