THEY'RE COMING TO TAKE YOUR DATA HA HA!
(OR PERHAPS NOT!)
by Elaine Tyson and Roy Beagley.

Staples, Anthem, Target, TurboTax, J.P. Morgan, Chick-fil-A, Sony and Kmart, are just a few of the companies that have been recently hacked. A report in Time magazine says that ‘according to a Gallup poll, 27% of Americans say their credit card information has been stolen in the past year, and 11% say their computer or smartphone has been hacked.’

More and more consumers are pushed to enter private information online, quite often having no choice. As more and more consumers enter more and more information there are more and more hackers born.

It was not that long ago that paying a visit to any subscription fulfillment bureau would require you to walk through dozens of data entry people busy tap-tapping away on computers. They would be entering orders from bind in cards, letters, direct mail, renewals and all manner of requests. Now, the areas that used to belong to the data entry personnel are for the most part empty – they took up a great deal of space! Entering subscriptions online became such hot business both the AAM and BPA had to enter in a new classification line on their respective circulation reports as consumers were pushed to enter their own orders on line.

CONSUMERS SHOULD EXPECT TO BE HACKED.
The likelihood that your personal information will be stolen is high. So high that some companies are advertising on television and radio (and other media) urging people to “check your credit score” and subscribe to a company that alerts you every time someone checks your credit. So much so, the companies concerned in many cases pass the responsibility on to the consumer whereas we would have thought the company housing the data was at least equally if not more responsible.

SO MUCH DATA, SO LITTLE TIME.
2015 is hacker heaven. Never has so much data been handed over by so many to be sold for a goodly sum, by relatively few. There is a lot of data available and to access that data all you really need is a computer and a fast car in case the police arrive – which in most cases will not happen. Some of the data hackers are so innocuous it is nearly laughable. Is there anyone in the country who has not had a call from “Rachel at card services” or those annoying calls from someone, so far always Indian, claiming that my Windows computer is sending a signal? Considering how easy it is for data to be stolen, you would think things like the “Do Not Call” service would be more actively monitored, but it isn’t.

HOW SAFE ARE YOUR SUBSCRIBERS?

Our initial thoughts concluded in the belief that subscriber data held by bone fide subscription bureaus were, on the whole, pretty safe. After all, a subscription bureau lives or dies on its ability to control and manipulate data in an accurate and safe manner.

If your subscribers are paid, you probably hold a name and address, perhaps credit card details, or in the case of the United Kingdom, banking details required for direct debits. If your subscribers are controlled there is usually demographic data that hackers would find very useful to have. So how safe is your subscriber data? We asked four fulfillment bureaus from the east coast to the west coast to divulge some of the actions they take to make sure subscriber data are as safe as possible.

The first question we asked was ‘Are the publishers you deal with actively concerned with system security’ and all said their customers were into security in some form or another.


David Werner, Vice President of ICN (left, top) in Bristol, PA. noted that in many cases ‘they do rely heavily on the service bureau’ and this was confirmed by Bryan Swartz, Vice President, Client Services at Omeda (left, bottom) who said ‘there’s an expectation that the data is secured and that their data is only being seen or accessed by their team.’

Stefan Beeli, Principal and CTO of ESP also noted that many of their customers ‘undergo 3rd party (i.e. Deloitte & Touche) financial/security audits and require us to provide certifications such as PCI or SSAE16.’
We asked if the fulfillment companies actively test security on their systems and Diane Cuellar, President and CEO at Cambey & West (left) in Congers, NY said ‘Yes, as part of our PCI compliance requirements, we employ a third party vendor (on the approved list by the PCI Compliance board) to initiate external and internal penetration testing.  We also run internal and external vulnerability scans.’

This was echoed by ICN, ESP and Omeda with ICN noting ‘any new threat that is uncovered is dealt with first thing. In addition to PCI compliance and firewall protections, there are also various settings that can be tweaked at the individual customer credit card gateway level.  Most of the credit card gateways provide a suite of fraud detection tools that should be reviewed by the customer and the service bureau on a regular basis.’

Given the amount of data fulfillment bureaus hold we wondered if the fulfillment bureaus thought it likely hackers would try and get information from subscription fulfillment companies as they have done with other companies, Stefan Beeli (right) said ‘Yes. Absolutely. While we’re not a bank and don’t have as much sensitive/valuable information as a health insurance company like Anthem, we do have some valuable information.’ His view was supported by Diane Cuellar who noted  ‘Yes, every company can be a target. But when going after mega companies, the “reward” for getting at their data would be considerably greater for the same amount of effort expended.’

We wondered if some publishers had developed their own software or protocols relating to security and if so whether any of the bureaus used it in addition to their own security. As far as we could tell publishers rely on the security systems of the fulfillment bureau, rather than implement their own, or at least secondary levels of security. Bryan Swartz said ‘security measures taken at Omeda are global and benefit all clients equally.  When there is an enhancement or change to the security process all systems and database information for each client are updated’ a point of view echoed by Cambey & West, ICN and ESP.

Finally, we asked what publishers should do to make their data more safe. Stefan Beeli said ‘Use better security practices. Utilize secure ways of transferring data such as Secure FTP, and encryption. Even using a simple password and zipping a file is better than no security at all. Train your people not to share and/or send user ids and passwords via email. Keep your Anti-Virus and malware detection tools up-to-date.’ Diane Cueller agreed with Stefan and added ‘There are some simple steps to protect their lists’ noting ‘carefully seeding and monitoring list rentals’ is a good idea. Diane’s comments were echoed by David Werner of ICN who said ‘only collect data on secure servers that have the latest encryption, and take a proactive role in monitoring your service bureau's security standards.’ Bryan Swartz added ‘do not store the full personal account number in your databases or anywhere in the same network your databases reside in.  Storing the full PAN turns a low value target into a high value target.  And, make sure all credit card activity is not stored or is maintained in a different repository.’

PCI COMPLIANCE BOARD.
Everyone we spoke to mentioned PCI compliance, so what is it? The web site’s FAQ section supplies the answer. ‘The PCI Data Security Standard is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. The PCI Data Security Standard is comprised of 12 general requirements designed to: Build and maintain a secure network; Protect cardholder data; Ensure the maintenance of vulnerability management programs; Implement strong access control measures; Regularly monitor and test networks; and Ensure the maintenance of information security policies.

CONCLUSION

As each day goes by there is yet another story in the news of someone, somewhere getting their sticky little fingers on stolen data. As consumers we have to be very pro-active in monitoring financial statements and credit scores, which in our opinion is something that should be standard on every financial bill received. There are web sites that claim they will supply your credit status for free, but nothing is free. As retailers, we have to make sure data is as safe as possible, and as Diane Cuellar said monitor how and who uses the subscriber data we have collected in addition to the security the fulfillment companies have implemented. One of the best ways to monitor your data is to be a part of it, so make sure you are seeded on everything from list rentals to direct mail– and subscribe to your own publication – the cost of a subscription could identify a problem early on and save you a great deal of work later.

Our thanks to Diane Cuellar, President and CEO of Cambey & West; David Werner, Vice President of ICN; Bryan Swartz, Vice President, Client Services of Omeda and Stefan Beeli, Principal and CTO of ESP for their assistance in this article.