By Sheryl S. Jackson

Online payments, customer portals, and the digitization of customer records have improved the customer experience in many businesses. But, the risk associated with collecting all of that personal and financial data is real.

In fact, 2018 is the second-most active year for data breaches with more than 6,500 data breaches reported worldwide, according to a report by Risk Based Security, a data security company.1 This represents a 3.2% decline from 2017, but more than six in 10 of the breaches exposed email addresses and 57% involved passwords. Social Security numbers were exposed in 13.9% and credit card numbers were involved in 12.3% of the breaches, according to the report.

Although the mega breaches that expose millions of records gain the headlines, the majority of breaches affected 10,000 or fewer records. This is an important statistic for car wash owners to keep in mind because cybercriminals do not just focus on the largest organizations or companies that have high ticket items, said John Stengel, CEO of JCSM Group. In fact, car washes make an attractive target because they are low dollar, high volume businesses versus high dollar, low volume retailers, he said.

“Car washes are actually a bigger target because they are collecting and storing information on many more customers than a high-end retailer,” Stengel said. “Car washes in high income geographic areas are important targets as hackers look for platinum, gold and other high credit limit cards that sell for higher prices on the dark web.”

Don’t assume that the third-party vendor handling the transactions or providing the payment software will be liable for costs incurred during a breach. “Only vendors who actually store the information are liable, and many technology companies providing software and services are not storing the information,” Stengel said. In fact, car wash companies that offer customer portals to collect payments for wash clubs and allow customers to save payment information are likely to be liable for the information because it is saved on their networks.

In 2014, a credit card breach at six Splash Car Wash locations in Connecticut affected 1,400 customers. The malware causing the breach was removed quickly and the company took steps to notify customers.

According to Splash Car Wash CEO Mark Curtis, the breach taught a valuable lesson in customer communication. “If you have a data breach, deal with it quickly and be proactive with your customers in notifying them and telling them what happened, what you’ve done to protect them, what they should do to protect themselves, and what you’ve done to protect them going forward,” he said. “We set up a hotline, which we staffed internally, to answer any questions or concerns customers had and fielded approximately 185 calls over the first five days.” They also consulted with a public relations agency for guidance on how to ensure that Splash Car Wash’s reputation in the community was not tarnished by the breach.

While Splash Car Wash was hit with a malware attack, but there are a number of other way data can be breached. Insider threats, data in transit, physical theft, human error, accidental web/internet exposure and unauthorized access can all come in to play.

The best way to protect data in your company – both operational information and sensitive customer and employee data – is to take a comprehensive approach that accounts for both technology and human behavior.

Identify Potential Risks

A first step to protect data in your business is to undergo an audit by a third-party cybersecurity expert who can identify the points in your network that are susceptible to hackers. “Car wash owners who think their business is too small to be a target have to remember that the volume of transactions they handle each day or week makes them an attractive target,” Stengel said. “Car wash companies have also been exempted from the earlier deadlines for adoption of chip readers in their payment stations, so they are especially susceptible to placement of skimmers on the stations to capture credit card information as the customer pays.”

According to Stengal, stations that read magnetic stripes versus chips on cards are more vulnerable because the credit card information is not encrypted or tokenized at the same level. This threat will be minimized as car washes and gas stations meet the October 2020 deadline for acceptance of credit cards with chips.

Following the audit, the cybersecurity company should provide a mitigation report that identifies weaknesses that must be addressed. This might mean adding technology such as firewalls or breach detection tools, and it might also include adoption of new policies and processes designed to limit access to information to only those employees who require it to perform their jobs, limiting the amount of personal information stored on company network, enhancing employee training, and strengthening encryption for all data at rest and in transit.

“The number one mistake we’ve seen with businesses that we’ve audited are improper firewalls,” said Stengel. “Purchasing a firewall from a retailer or relying on an internet provider to provide the firewall does not get you the level of protection that a business needs.” A properly configured firewall does not simply block unwanted intrusions, but also detects attempts to breach the firewall and notifies the business of the attempt.

Employee Education

Teaching employees how to recognize potential threats to data security and identifying proper steps to take when an incident occurs is the first line of defense for companies of all sizes, said Richard Harris, chief technology officer for DRB Systems. Employees at DRB receive security training awareness upon hiring and an additional in-house security training session 30 days later. Each employee also completes an annual data security training session throughout their employment.

Included in the training are explanations of all policies and processes, including password protocols – such as not writing a password on a piece of paper kept under the keyboard – and email protocols designed to prevent external access via a phishing attack.

Employees are made aware of “red flags” that might indicate a phishing email, such as a sense of urgency, a request for sensitive information or an attachment or link that takes the recipient to a different website. “We also warn employees to be cautious if they receive an unexpected email even if it appears to come from someone they know,” said Melanie Carter Spohn, an information security analyst at DRB. “We had four employees targeted by a phishing attack with an email that looked legitimate because it appeared to come from an external partner with whom we work,” she said.

According to Harris, the presence of technology and several layers of protection for the network are important even with a strong employee education program. “The creativity and sophistication of these phishing attacks continually increases, which makes it difficult to identify them,” he said. “It is important to have a firewall and tools that stop the attacks before they happen and notify you of attempts to breach.”

Policies and Processes to Prevent Breaches

In addition to making sure that passwords are publicly displayed or easily accessible by other people and that email security protocols are understood, the company needs to look carefully at who can access data and limit access to specific needs for specific jobs, said Carter Spohn. In addition to establishing access parameters, be sure that there is an audit trail, or log, of access to different databases to support an investigation if a breach occurs.

Employees should also follow a policy of checking payment stations regularly each day to look for devices designed to “skim” or collect a customer’s credit card information when they insert the card into the payment slot, said Stengel. Teaching employees how to identify the devices and actions to take if one is identified is one way to reduce this risk.

Stengel also points out that “there should also be a clearly defined plan of action if a breach occurs that addresses reporting activities – who should be notified, how and by whom, communications plan to reach out to customers, and identification of all parties that should be included in the investigation.”

There is no way to prevent – with 100% certainty – that your data will stand up to a skilled, persistent hacker. The risk is real. But, there are ways to ensure you can get your business back up and running with limited down-time, while also protecting your reputation, your finances and your trustworthiness with your clients.