The Data Breach Next Door

Security breaches don't just hit giants like Equifax and Marriott. Breaches at small companies put consumers at risk, too.

thief stealing data Shout

Chocolate can melt,” Allyson Myers, head of sales for Lake Champlain Chocolates in Burlington, Vt., says with a laugh. “Normally, that’s what passes for an emergency here.”

But in September 2017, the family-owned confectioner found itself immersed in a different kind of crisis. The company suffered a data breach in which hackers stole names, addresses, email addresses, and credit card information for some of its customers.

Data breaches were in the news that month. Just days earlier, Equifax, one of the world’s biggest data brokers, had suffered a major loss of data.

The Equifax breach exposed the data of 148 million users. Lake Champlain Chocolates’ breach? Just 90.

But for the individuals whose information was compromised, the consequences weren’t so different.

Once their personal data is stolen, consumers are more vulnerable to crimes such as identity theft and spear-phishing emails that can trick even cautious people into revealing credit card and Social Security numbers, along with log-in credentials for social media or bank accounts.

More on Digital Security and Privacy

Lake Champlain Chocolates moved quickly to address the incident. “It was very isolated, but we needed to take it seriously,” Myers says. The company patched the software vulnerability that made the breach possible. Then Lake Champlain Chocolates mailed a letter to each of its affected customers offering help from an outside security consultant in reviewing their credit files.

The company also reported the incident to Vermont’s attorney general, along with the attorneys general of Maryland and New Hampshire. Those states require notification if it’s likely that any resident’s information has been misused. “We hope to make this right,” read the letter by Andrew Manitsky, the company’s attorney.

However, that kind of swift action in contacting both consumers and law enforcement is unusual, security experts say.

“There’s almost zero incentive to report this stuff,” says Casey Oppenheim, CEO of Disconnect, a cybersecurity firm that often partners with Consumer Reports on projects that test security and privacy. “So most small companies don’t.”

Breaches Behind Closed Doors

Huge data breaches, like the ones at Equifax in 2017 and Marriott’s Starwood hotels in 2018, can each affect hundreds of millions of people. But added together, small incidents might pose an equally big problem for consumers.

Privacy Rights Clearinghouse, an advocacy group, maintains a database of breaches going back to 2005 that lists 8,980 incidents. Of that total, 8,448—or 94 percent—affected fewer than 100,000 consumers.

Yet in total, nearly 50 million consumers were caught up in these smaller incidents. They include everything from hacks (such as the Lake Champlain Chocolates event) to “unintended disclosures,” in which potentially sensitive information was accidentally posted publicly, mishandled, or sent to the wrong party. Unintended disclosures account for roughly 20 percent of all the breaches in the PRC database.

(This past fall, Consumer Reports notified 251 people in our 36 million member records that their payment card number may have been inadvertently printed in the name or address line of their mailing label because of a technical error. When we discovered the error, we immediately worked to investigate how it occurred, assess and correct the cause, and put measures in place to help make sure it doesn’t happen again. Consumer Reports believes that high standards for data privacy and security are critical, and we apply those same standards to ourselves.)

PRC’s information is drawn from government agencies and news reports, and the group says that many unintended disclosures and small data breaches remain hidden. “We don’t really know how many small data breaches there have been,” says Emory Roane, PRC’s policy counsel, “but the number of victims is much, much higher than 50 million.”

Statistics don’t matter much if your personal data has fallen into the hands of cybercriminals.

“We talk to victims, and in their experience the size of the data breach is completely irrelevant,” says Eva Velasquez, president and CEO of the Identity Theft Resource Center, a nonprofit that helps data breach victims. “They’re in the same boat whether they’re 1 in 1 million or 1 in 10,000 or only 1 in 10.”

One thing that does matter is hearing about a data breach quickly. That alerts consumers to keep a tight watch on credit card bills and suspicious emails. It can prompt them to change passwords and freeze credit reports. And notifying officials can help them catch cybercriminals and warn other businesses of emerging dangers.

“If consumers don’t know about a breach because it wasn’t reported, they can’t take action to protect themselves,” Oppenheim says.

Why Small Businesses Get Hit

“Small businesses are low-hanging fruit for hackers,” says Candid Wueest, a threat researcher at the security-response firm Symantec.

A local retailer may hold the same kind of valuable consumer data as a Fortune 500 company—and face the same hackers armed with the same software tools. Cyberattacks are often automated, hitting many servers at once, and so hundreds of small businesses may get caught up for every one major company that’s affected.

And these businesses have fewer defenses. “It’s an unfair fight,” Wueest says. “Small companies don’t have a dedicated chief information security officer to combat hacking, just an average Joe who looks after the printer.”

A small business breach can often be traced to simple stuff. For instance, Lake Champlain Chocolates failed to install a software update on the day it was released.

But hackers can also apply a human touch through social engineering. If an employee responds to a phishing email—an urgent request that seems to come from the CEO, or a file that appears to be a sales report—the entire business can be compromised.

A Failure to Report

Steve Stasiukonis can hear the panic in their voices. The calls come to the infosecurity consultant a few times a week, when business owners discover—often from their customers—that they’ve been hacked.

The panic usually subsides, Stasiukonis says. But tensions can rise again when it’s time for what he calls the “uncomfortable conversation.”

Stasiukonis was recently contacted by a church that had fallen victim to an attack that compromised congregant data. He urged the pastor to reach out to the congregation and law enforcement officials.

But the pastor pushed back. “Our parishioners give us money, so it’s not like they’re buying something from me,” he argued. After that, the church cut off contact with Stasiukonis, and as far as he knows, kept the breach quiet. The experience wasn’t unusual, he says.

The up-front costs of responding to a data breach can run into the hundreds of thousands of dollars once you factor in lawyers and services such as credit monitoring for consumers. Meanwhile, sales can slow down or grind to a halt while the company struggles to get the situation under control.

But the biggest problem comes later. “Not bringing in new clients because your reputation is tainted, that’s what leads to companies going out of business,” says Nikolai Vargas, chief technology officer for Switchfast, an IT service provider in Chicago that works with small businesses.

According to a 2017 study by the Better Business Bureau, a data breach could render more than half of all small businesses insolvent within a month. That rarely seems to happen with large companies: Equifax, Home Depot, and Target took publicity hits after their data breaches but then recovered.

Small Data Breach Solutions

What can be done about the epidemic of small data breaches? Experts say you can protect yourself by limiting the amount of data you provide and taking steps such as freezing your credit and maintaining strong, unique passwords for each online account. Act as though you’ve been involved in a data breach even if you haven’t been notified of one. (For tips, read “7 Steps to More Data Security.”)

Nationally, consumer advocates and security experts are calling for legal reforms. “Security laws in this country are relatively weak and provide insufficient incentives for companies to take data security—and data breach notification—seriously,” says Justin Brookman, director of consumer privacy and technology policy for Consumer Reports.

All 50 states have data breach laws, a number of them passed within the past year. However, Brookman says, the provisions vary widely and enforcement is uneven.

One guidepost for new and more effective privacy laws could be the Health Insurance Portability and Accountability Act, or HIPAA, which requires medical facilities to safeguard patient confidentiality and promptly report any data breach. HIPAA has its shortcomings, but experts agree that doctors and hospitals take the data protection provisions seriously. HIPAA violations can result in large fines or the blocking of Medicare reimbursements. The most serious violations can land individuals in prison.

That could be why medical data breaches account for 46 percent of the small incidents captured by the Privacy Rights Clearinghouse database.

Even small healthcare incidents get reported. One record shows that on Nov. 30, 2017, a laptop bag containing a backup hard drive was stolen from a dentist’s office in Albuquerque, N.M. Much of the data was encrypted, and the risk of the thief accessing it was very small. Nevertheless, the office followed HIPAA requirements by informing both patients and the authorities.

Small businesses aren’t all waiting for stricter laws to tighten their digital security. Lake Champlain Chocolates has come to realize that it’s not just in the truffle business. It’s in the data business, too.

“We started out as a mom and pop making candy, but being in business today requires a different level of sophistication,” Myers says. “Consumer privacy and data security—we have to take them as seriously as the chocolate that we love.”

Editor’s Note: This article also appeared in the March 2019 issue of Consumer Reports magazine.

You’ve Been Hacked

Have you experienced suspicious activity on your online accounts? On the "Consumer 101" TV show, Consumer Reports expert Thomas Germain explains how to take back control of your digital privacy.

Allen St. John

I believe that technology has the power to change our lives—for better or for worse. That's why I’ve spent my life reporting and writing about it for outlets of all sorts, from newspapers (such as the Wall Street Journal and the New York Times) to magazines (Popular Mechanics and Rolling Stone) and even my own books ("Newton’s Football" and "Clapton’s Guitar"). For me, there's no better way to spend a day than talking to a bunch of experts about an important subject and then writing a story that'll help others be smarter and better informed.