There’s was an interesting set of data recently breached on the dark web. Business Insider reported about it here - Hackers Are Targeting Plus Size Women.

Apparently, DynaRisk (a security research company), found malicious hackers discussing the breached data in an online forum and it was hundreds of thousands of records on plus-size women. Not your usual set of information.

The criminals wasted no time and quickly began discussing ways to monetize this data. They could peddle fake weight-loss pills or lure the women to malicious sites with ads for great deals on plus-size clothing.

The hacker who stole the data is actually quite smart and not just because they’re a hacker.

This data isn’t just a set of random individuals - like the Equifax breach. This is a concentrated set of individuals that are all tied together because they’ve shopped at plus-size clothing stores. Because this data is tied to a pretty specific demographic it’s more valuable.

---

Why Is It Valuable?

Hackers know why - that’s why they keep breaking in and stealing data like this.

Legitimate businesses know why it’s valuable too. That’s why you can pay a lot of money for targeted data like this.

This set of data - people who have shopped at plus-size women’s clothing stores - is very specific. You know a lot about these people merely because they’ve shopped at these stores. You can infer even more about them too.

Marketers do this all the time. They determine a section of the people in the world who would want their product or service. The more specific they can be about these people - age, sex, interests, values - the better they can market their product or service to them.

This set of data is already very targeted, which is exactly what all advertisers are trying to get a hold of.

---

Why Should You Care?

Because your customers are at risk in the same way these people were.

Your customers use your business for a reason. It’s very likely you don’t market to the entire population, right? You have a target market as well. They have specific demographics, interests, values, etc.

Simply because your customers do business with you - this puts them at risk.

Malicious hackers, just like legitimate businesses, want your customer data - because they are your customers.

If they can steal your customer data, they can target your customers to scam them. Like legitimate advertising businesses, you have targeted data they can advertise to. The only difference is malicious hackers won’t buy it from you - they’ll steal it.

---

What Can You Do?

1. Collect as little info as you need
2. Protect it in transit
3. Protect it at rest
4. Back it up
5. Destroy what you don’t need

Collect As Little Info As You Need

I know, “need” is a relative term. How about - collect as little info as you need to provide the product or service to your customers.

If you operate a salon - do you need customer’s address? If it’s a brick-and-mortar salon, no. If it’s an online store selling hair products, you only need a shipping address.

Most businesses collect way more customer information than they need. And they put themselves, and their customers, at risk.

Any data you collect must be protected. It’s actually quite difficult to protect data, as we’ve been seeing with the many, many data breaches happening.

Start by making it easier on yourself. Only collect the absolute minimum data you need. When a malicious hacker gets in and steals it, you’ll be glad it was minimal - especially if/when customers start suing you or you get hit with a fine.

Protect Data In Transit

When you collect data, it moves from the customer to wherever you’ll ultimately store it.

Maybe it’s a piece of paper the customer hands you which you then you store in a (hopefully secured) filing cabinet.

Or maybe it’s a form your customer fills out on your website. The data then gets sent to a (also hopefully secured) database where it’s stored.

It could also be data you collect directly from the customer’s mouth that an employee enters into their computer. At some point, this data is transferred to a storage space.

The point is that data moves. When it moves, it needs to be protected.

Usually this means encrypting the data. We won’t go into details on that, but talk with your security team about how to adequately encrypt the data in transit.

It could also mean employee privileges. If you handle paper files or software that allows employees to look at customer data - how is that protected? Can everyone view customer information? Hopefully not. Usually you assign specific privileges to each employee and, if it’s electronic, give them their own account to access it. Don’t allow people to share accounts and enable logging so you know when data was accessed.

Protect your business, and your customers, by adequately protecting their data while in transit.

Protect Data At Rest

What does this mean?

If you’re familiar with databases and how we store data - it’s that. When you collect data, you store it either in the secured filing cabinet, a vault under a mountain, or a secured database - or any combination of these and other options.

While the data is sitting there, it needs to be protected.

This is often how malicious hackers steal data. It’s sitting on a database somewhere. They get access to the network - usually by phishing an employee or exploiting a software vulnerability - and make their way to the database. From there, once they have the right privileges, they can copy the data to a server they can access.

So wherever your data lives, it needs to be protected.

We understand this with paper data - secure the filing cabinet or maybe store it in a vault under a mountain.

Electronic data must also be secured.

• Encrypt it in transit, and while it lives in the database.
• Restrict user privileges so only those allowed can access the data
• Enable logging so you know when someone accessed it and if any was copied outside your network
• And definitely train your employees on phishing/social engineering, not sharing accounts, and keeping devices and software updated

Back Data Up

We all know this. Make frequent backups of your data and securely store them - preferably disconnected from a device and with offsite copies.

Create a backup process that happens regularly and ensure your backups are encrypted.

Do you have a recovery plan for restoring your systems? What about data being unavailable like data stored online when the internet’s down or finding out your data is corrupted? These are things to think about when creating a backup and recovery process for your, and your customer’s, data.

Destroy What You Don’t Need

This might be the hardest part for companies - especially when we try to define “need”.

Do you need all customer records going back 10 or 20 years? What about inactive customers?

There are many situations where you have to keep certain data. There are many more where companies keep data they no longer need.

If you keep what you don’t need and that data gets stolen, you have a bigger problem on your hands. More people to notify. More potential fines or legal fees to pay.

Take it off your plate. Create a reasonable policy for when to get rid of data and do it. It’s better for everyone if you do.

---

Sum It Up

Customers place a lot of trust in you and your business by giving you their data.

Don’t break their trust. Treat their data as the valuable thing it is and protect it.

Your business has valuable data whether you realize it or not - as this group of data breached from plus-size women’s clothing retailers shows. You have something malicious hackers want, so do what you can to protect against their attacks. Start with some reasonable data policies on collection, encryption, transit, backups, and deletion.

It’s not easy to do, but if you collect data, you need to develop your own unique plan to protect it.

Your customers depend on you to get it right.