To the money managers at Silversage Advisors in Irvine, it seemed like a no-brainer to store backup computer drives far from the main office to ensure seamless operations in case of a calamity.
Then professional burglars hit the home where the drives were kept, cracked open a safe bolted to the floor and made off with the financial records of hundreds of the firm’s affluent clients: names, addresses, Social Security and driver’s license numbers, account information.
The lesson for Silversage and other small businesses is simple, said Daniel D. Sands, a managing partner at the firm: “It’s not a question of if you’re going to have identity theft. It’s a question of when — and are you prepared to deal with it?”
The big data breaches make headlines — such as the millions of consumers whose financial secrets were exposed by the Target Corp. hack and the Heartbleed software bug. But for every high-profile case, there are dozens of threats to confidential data held by everyday enterprises: wine shops, dentist offices, colleges, gay and lesbian community centers, makers of dog tags, defense electronics, sports gear.
The examples are culled from a list of breaches maintained by the California attorney general. They expose an underside of U.S. commerce populated not only by omnipresent hackers, but by thieves who snatch office computers, disgruntled vendors who use purloined data to slander businesses and poach employees, and ex-employees who turn traitor for profit.
All private enterprises and government offices are required to alert potential fraud victims in such cases. If more than 500 Californians are affected, the institution must give the attorney general’s office a copy of the advisory letter sent to potential victims. More than 380 of these letters have been posted since the program began in January 2012 — which equates to a major breach in the state every 21/2 days.
The consequences can be costly, as 80sTees.com of Pennsylvania discovered when someone believed to be a former high-ranking employee accessed the identities of customers all over the country, including in California. The retro shirt seller stopped accepting credit cards for four months, launched a new website and blocked all employees from accessing clients’ financial information.
Many small firms know little or nothing about cybersecurity, according to the National Small Business Assn., despite the prevalence of data thefts. The trade group reported that 44% of respondents to a survey last year had been victims of at least one cyberattack, with an average $8,699.48 cost for each breach.
California’s size and wealth make its businesses a popular target, according to experts.
“We are absolutely facing an epidemic of attacks on our nation’s infrastructure and attempts to gain access to information,” said Jason Oxman, chief executive of the Electronic Transactions Assn. “But smaller merchants tend to be easier and more attractive targets for cyber criminals.”
At Rosenthal Wine Bar & Patio, a Malibu tasting room across the highway from the Pacific, small groups in sundresses and shorts lounged in wicker chairs under palm trees and strings of lights, mellow jazz setting the mood.
This year, the business — part of the Raleigh Enterprises network, which also includes Raleigh Studios and Hollywood Rentals — discovered malicious software on computer systems used to process credit card transactions at the wine shop.
Names, addresses, card account numbers, expiration dates and security codes may have been compromised, the company said in a March notification to customers.
The reaction was immediate. Wine shop customers started using cash instead of credit cards. Though Rosenthal’s wine club was safe from the hack, some members canceled subscriptions.
The incident resulted in tons of bad reviews on Yelp, the online directory, club manager Heather Ryon said. One commenter on the site said that within two days of visiting the wine shop, she found fraudulent charges on her credit card statement from online men’s stores.
“We have gone to extreme measures to make sure that this doesn’t happen again,” Ryon said. “Customers tend to be like family to us. We’d hate for anybody to feel like they’ve been betrayed by us.”
Only a handful of customers were affected by the breach, said Katherine Dimas, operations manager for Rosenthal Estate Wines, which worked with the FBI and boosted its security protocols in the aftermath.
Dimas encouraged other small businesses to run security scans on their payment systems and listen to customer complaints for red flags.
“It’s an era of fraud,” she said.
Companies that process, store or transmit credit and debit card data are expected by card companies and payment processors to abide by the Payment Card Industry Data Security Standard, a checklist of protocols known as PCI. But it’s not a federal requirement, and not all states mandate compliance. Many of the 8 million U.S. businesses that accept credit and debit cards don’t bother.
Investigators usually conduct audits only after a breach, to determine whether the company is liable for the fallout. Otherwise, proactive companies have to pay a fee for voluntary checkups.
“No entity has the bandwidth to check up on all of those,” Oxman said. “There’s just no way to stay on top of everyone.”
Small-business owners often leave themselves vulnerable to breaches by browsing social media or messaging friends on the same computer used to process financials, Oxman said. Others allow employees to log in to company networks remotely using easily stolen passwords or credentials.
Many don’t use anti-virus software because it seems costly or bothersome, and may not realize they’ve been breached until a payment card company notifies them of suspicious transactions.
“It’s an economic calculation for a small merchant — is it more expensive to secure the network, or pay for the damages that may result if not?” Oxman said. “But many don’t consider the possible reputational harm. If you’re a small business, you might not be able to withstand the drop in business that might result from a breach.”
At Orange County’s Silversage, the alarm over reputation rang loud and clear.
“We’re in the trust business,” said firm managing partner Sands.
Fortunately, he said, no clients have reported related fraudulent activity. Silversage advised all those affected to place fraud alerts on their credit files, offering them one free year of credit monitoring and identity theft protection services. And it advised all clients to secure the same protection for themselves and their children.
“These days, it should be just like having auto insurance,” Sands said.
He recommended that businesses hire security consultants to search for weak spots in data protection. Then, he said, they should plan exactly how they will notify and help protect anyone whose data are stolen.
“Having that notification plan,” Sands said, “is probably just as important for a business as having a disaster recovery plan for earthquake or fire.”