Small Business Data Stupid and Liability Blind!
Discover how small businesses are exposing credit card information for telephone orders and not even realizing it.
Just because something has not happened before does not exclude you from liability. As they say, ignorance is not a defense.
When I was in law school, I got to learn all about the legal doctrine of “reasonably foreseeable,” which means was the resulting action likely due to the actions you took or didn’t take. This creates a challenge for many small business owners. But let me explain with a real-life story.
I was recently on a food tour, and this took us in and out of many small restaurants to sample their food. When you become cybersecurity aware, you start to notice a lot of risky things.
For example, have you ever wondered how your credit card number gets stolen?
You know when the bank sends you a new card every for months, and you can not work out why. Well, it’s because businesses are exposing your credit card and putting you at risk. The bank identifies this risk and automatically replaces your credit cards to reduce their liability.
Financial crimes are a domino of stupidity and negligence. And as a business owner, you may not be aware of your liability, or how your employees are putting you at risk. For example, if you process credit cards, there is PCI compliance. This is the process of handling credit card or payment information securely. However, many small businesses don’t train their employees on PCI compliance and how to protect themselves from exposure and liability.
We have all heard the stories of credit card skimmers, but this story doesn’t have anything to do with that. This example actually required no technology to compromise your credit cards from phone orders other than your smartphone camera.
Let me explain. While I was on this food tour, one of the locations was a Pizza restaurant, and I had a salad handed to me. I noticed someone on the receipt stapled to the bag that no-one really noticed. It was the full credit card number, with expiry and CVV on the receipt stapled to the bag. See the image below. I have blurred out the credit card to protect the cardholder.
Then I did what all ethical hackers do. Check all the other bags that had orders for pickup, and I noticed the same thing. Then I watched what has happened. As part of the telephone order, they would collect the payment details of the person ordering. For some reason, how the staff was entering the information into their computers was printing this data onto the packing slips.
This poses a lot more questions like:
- Is this information then stored securely?
- How long have they been collecting orders this way?
- Does their POS not store credit cards securely?
- How many credit cards are stolen from this location?
- Is this intentional?
- If a 3rd party vendor set up the system, how many others are doing this without knowing?
As you can start to see from this example, this is a simple, but a stupid mistake that’s exposing the business owner to massive liability because it gets worse.
I noticed every few minutes. Some random gig-based delivery person would walk into collect their pickup order to deliver around town. Just think about this for a second. This business is sharing a person’s credit card information with complete random that was not authorized. The gig-based delivery driver only needs to take a photo of the receipt every time they pick up to have valid credit card information.
Would the person notice a few other small transactions on their statement?
If there was someone of malicious intent, they could make a list of this from a few shifts and sell them on the dark web. They could also use them at various locations online to order products.
Let me phrase this another way. Would you trust your uber or lyft drivers with storing your credit card information and your contact information directly?
You might be shocked, but this is common practice, and many small businesses don’t realize the liability or the mistakes they are making here. Many small business owners don’t understand the value of the data they are storing and that customer data is their real business asset.
Now the big question becomes. Were the actions the small business owner took or didn’t take reasonably foreseeable that the credit cards could be compromised? Does printing the credit card information on the packing slip equal negligence on the business owner’s part?
DISCLAIMER: I’m not your lawyer; this is not legal advice; this is just the opinion of a cybersecurity specialist who helps business owners reduce their risk of cyberattacks and protect their digital assets. It’s recommended that you always review your systems regularly to ensure compliance.
Gain the Hacker’s View of your Cybersecurity Risk in Seconds with your Free Cybersecurity Assessment!
Discover How Hackers Exploit Your Business… If you had a no cost quick and easy way to check the safety of your business from cyber-attacks, would you do it?
Helping Business Owners start conversations about their cybersecurity culture. Cybersecurity does not have to be like chasing Bigfoot. Quantify your cybersecurity risk and instantly understand your vulnerabilities with ChatFortress Cybersecurity Report Cards.
Discover Your Cybersecurity Risk in Minutes for FREE!
Nothing to Install, Nothing to Download, Anyone Can Do It!
Enter a website URL below to claim your report card instantly!
Your Cybersecurity Report Card will be automatically generated within seconds… tell us your website URL and let us amaze you!
Who is ChatFortress
ChatFortress is a leading cybersecurity company helping business owners protect their assets from cybercriminals. We provide companies with access to the latest technologies, social engineering and human behavioral strategies, and user education to create a proactive cybersecurity culture. Helping you fortify your business against cyberattacks.
Detect and Remove BAD Emails in 3 Seconds!
ChatFortress Email Guardian is the Ultimate Anti-phishing Program as it Detects and Mitgates Email Phishing Attacks in 3 seconds using A.i Real-Time Inbox Scanning for Phishing Prevention!
We support Small Business and have released the Small Business Cybersecurity Scholarship Program.
Providing Small Business with enterprise cybersecurity protection without the enterprise price tag! You can save over $699/month if you qualify for one of our Small Business Scholarships.