ICO Figures Show Retail Sector Consistently Fails to Protect Customer Data

Auriga Consulting Ltd (Auriga), the expert data, ICT and security consultancy, today revealed that more than 500 complaints and concerns were raised over potential data breaches in the retail sector over the course of the past year. Of these, 312 cases classified as generic breaches of which 156 were classed as breaches of the Data Protection Act (DPA) (from April 2014 – March 2015).
According to a Freedom of Information Act (FOIA) request submitted to the Information Commissioner’s Office (ICO) in April, the top three causes of generic breaches were DPA compliance and a request for assessment from the ICO (136 cases), subject access (72 cases) and disclosure of data (33 cases).
The number of breaches occurring on a monthly basis, averaging 13, suggests the sector could be doing more to protect sensitive data. Ecommerce and mcommerce are both seeing retailers stretched thin and a lack of good data hygiene, such as the way data is created, stored, processed, shared and destroyed, is exacerbating the situation. In addition to improving data care, retailers also need to begin to take a more proactive stance in helping customers adopt good security practices.
The retail sector currently ranks as 15th in the Data Breach Trends analysis published by the ICO (as of 28 April 2015).
James Henry, Consulting Practice Manager, Auriga, believes the reason breaches continue to occur, with some of the biggest names in retail numbering among the offenders, is because there is still a disconnect between good security practice and the board: “The consistent number of DPA breaches indicate the message still isn’t getting through despite numerous high profile incidents over the past year. Retailers are not doing enough to protect the data entrusted to them by their customers. Data protection is an organisation wide legal obligation. Any compromise is likely to see an erosion of customer confidence and cause damage to the reputation of the company. So it’s vital the board gets involved and deals with the protection of sensitive data as a matter of urgency.”