Analysis: Cotton Traders hack a warning for business

Last week, it emerged that retailer Cotton Traders had suffered an attack on its e-commerce servers, resulting in the theft of credit card details.

In many ways, Cotton Traders is an ordinary, mid-sized British business. The company, which is based in Altrincham, Cheshire, was founded in 1987 by two former England rugby captains, Fran Cotton and Steve Smith. Today, Cotton Traders operates a mail-order business, including online sales, a wholesale operation and a network of stores. Its turnover now exceeds 50 million. It is not involved in high finance or technology; nor is it an e-commerce pure play. It is typical of thousands of companies around the country that have used the internet to expand their sales, with some success. Its website is clean, simple and easy to use, and is designed to appeal to the mass market.

So if Cotton Traders could fall victim to an online criminal gang, so could almost any business that trades on the net. The security breach took place in January, although it was only confirmed by the company earlier this month, and attracted media attention over the last few days.

As yet, no-one knows whether any Cotton Traders customers have been victims of credit-card fraud or identity theft; the company maintains that sensitive data was encrypted. It has notified the bank that processes its credit card transactions, and taken steps to improve security. The police are also investigating.

That, though, is unlikely to be the end of the matter. Although the BBC reported that the credit card details of up to 38,000 people might be at risk, Cotton Traders disputes the number (but is not releasing its own figures). And, although it said that its website "meets all leading industry security standards", it is not contacting customers to tell them that their details may have been compromised. Instead, customers are being told to contact their bank or credit card company.

Some security experts, though, are saying that the company should have done more. In the US, where data breach disclosure laws are already in place, it would have been forced to do so.

Disclosure laws

In California, SB 1386 - or the California Database Security Breach Notification Act - came into force in 2003. The Act has been credited with forcing companies to be much more open about data security breaches, and to take stronger action to prevent them occurring. And, because California is the most populous American state, laws made in Sacramento tend to influence the rest of the country. More than a dozen states are debating or drafting similar laws.

"The US has really benefited from breach disclosure laws," said Avivah Litan, a senior analyst at research firm Gartner. "We have not seen that in Europe yet. Why should people wait until they suffer a loss? With disclosure, they can cancel their account if need be."

Companies should also do more to ensure compliance with PCI DSS, the Payment Card Industry Data Security Standard, Litan suggested. PCI compliance, she said, is not actively enforced for European companies, although it is more common in North America. "This does not mean there will be no breaches, but it does mean there will be more awareness of, and more work done on, security."

Litan pointed out that even companies such as Cotton Traders, which maintained that they had effective security measures in place, are vulnerable. One reason is that cyber-criminals are increasingly sophisticated and well-organised (see IT PRO's interview with Richard Archdeacon, from security vendor Symantec, for more on how cyber-crime gangs are behaving more like professional IT development teams).

But analysts also believe that the number of attacks against online credit card processing systems, and the fraudulent use of fake cards online, are increasing as a result of the success of Chip and PIN in cutting fraud on the high street.

This could be tackled by introducing Chip and PIN for remote, or "cardholder not present", transactions. However, banks have been reluctant to do so because of the costs involved, and because it is the retailer, not the bank, that carries the cost of a fraudulent online credit card sale. Retailers alone, though, would not have the resources to prevent online card fraud altogether.

Reputational damage

What businesses can control is the way they react to an information security breach and how they go about limiting the damage. "Damage to consumer confidence and to business, especially within financial services, has been increasing (from fraud), although the full impact of e-crime is not widely understood," said Tom Salmond, a manager in e-crime and fraud technology at Ernst & Young.

Companies should, for example, look at how well their systems can respond to changes in security threats. Ernst & Young advised using fraud detection technologies that allow "power users", rather than IT, to update rules.

But organisations also need to update their business continuity plans to ensure that they cover information security failures, as well as physical threats such as fire or theft. A serious IT security breach might involve taking servers offline or suspending trading, yet not all businesses plan for such scenarios. Chief executives and chief information officers need to accept that, whilst they try to prevent hacking attacks, the business needs to be prepared if one does get through.

"Companies need to strike a balance between risk and responsiveness," said Stuart Anderson, from the defence and security practice at PA Consulting. "They need to focus on responding in the appropriate manner when things happen; there will always be unexpected events." Prevention, recovery from an event and crisis management are all essential parts of a plan, he added.

And companies also need to look beyond IT, even if IT systems lead to a data breach. The technical fix to a hacking attack might be relatively quick to apply, but reputational damage can last much longer.

No-one can prevent every conceivable breach. But a quick, clear and open response to customers and shareholders can do much to shore up a company's reputation. This is a lesson that managers of SMBs should have learned, again.