To the money managers at Silversage Advisors in Irvine, Calif., it seemed like a no-brainer to store backup computer drives far from the main office to ensure seamless operations in case of a calamity.
Then professional burglars hit the home where the drives were kept, cracked open a safe bolted to the floor and made off with the financial records of hundreds of the firm’s affluent clients: names, addresses, Social Security and driver’s license numbers, and account information.
The lesson for Silversage and other small businesses is simple, said Daniel D. Sands, a managing partner at the firm: “It’s not a question of if you’re going to have identity theft. It’s a question of when — and are you prepared to deal with it?”
The big data breaches make headlines, such as the Target Corp. hack and the Heartbleed software bug, which exposed the financial secrets of millions of consumers. But for every high-profile case, there are dozens of threats to confidential data held by everyday enterprises: wine shops, dentists’ offices, colleges, makers of dog tags, defense electronics, sports gear.
The examples are culled from a list of breaches maintained by the California attorney general. They expose an underside of U.S. commerce populated not only by omnipresent hackers, but by thieves who snatch office computers, disgruntled vendors who use purloined data to slander businesses and poach employees, and ex-employees who turn traitor for profit.
All private enterprises and government offices are required to alert potential fraud victims in such cases. If more than 500 Californians are affected, the institution must give the California attorney general’s office a copy of the advisory letter sent to potential victims. More than 380 of these letters have been posted since the program began in January 2012 — which equates to a major breach in the state every 2 1/2 days.
The consequences can be costly, as 80sTees.com of Pennsylvania discovered when someone believed to be a former high-ranking employee accessed the identities of customers all over the country. The retro-shirt seller stopped accepting credit cards for four months, launched a new website and blocked all employees from accessing clients’ financial information.
Many small firms know little or nothing about cybersecurity, according to the National Small Business Association, despite the prevalence of data thefts. The trade group reported that 44 percent of respondents to a survey last year had been victims of at least one cyberattack, with an average $8,699.48 cost for each breach.
California’s size and wealth make its businesses a popular target, according to experts.
“We are absolutely facing an epidemic of attacks on our nation’s infrastructure and attempts to gain access to information,” said Jason Oxman, chief executive of the Electronic Transactions Association. “But smaller merchants tend to be easier and more attractive targets for cybercriminals.”
This year, Rosenthal Wine Bar & Patio, a Malibu tasting room across the highway from the Pacific, discovered malicious software on computer systems used to process credit-card transactions at the wine shop.
Names, addresses, card account numbers, expiration dates and security codes may have been compromised, the company said in a March notification to customers.
The reaction was immediate. Wine-shop customers started using cash instead of credit cards. Though Rosenthal’s wine club was safe from the hack, some members canceled subscriptions.
The incident resulted in tons of bad reviews on Yelp, the online directory, club manager Heather Ryon said. One commenter on the site said that within two days of visiting the wine shop, she found fraudulent charges on her credit-card statement from online men’s stores.
“We have gone to extreme measures to make sure that this doesn’t happen again,” Ryon said. “Customers tend to be like family to us. We’d hate for anybody to feel like they’ve been betrayed by us.”
Only a handful of customers were affected by the breach, said Katherine Dimas, operations manager for Rosenthal Estate Wines, which worked with the FBI and boosted its security protocols in the aftermath.
Dimas encouraged other small businesses to run security scans on their payment systems and listen to customer complaints for red flags.
“It’s an era of fraud,” she said.
At Orange County’s Silversage, the alarm over reputation rang loud and clear.
“We’re in the trust business,” said firm managing partner Sands.
Fortunately, he said, no clients have reported related fraudulent activity. Silversage advised all those affected to place fraud alerts on their credit files, offering them one free year of credit monitoring and identity-theft protection services. And it advised all clients to secure the same protection for themselves and their children.
“These days, it should be just like having auto insurance,” Sands said.
He recommended that businesses hire security consultants to search for weak spots in data protection. Then, he said, they should plan exactly how they will notify and help protect anyone whose data are stolen.
“Having that notification plan,” Sands said, “is probably just as important for a business as having a disaster recovery plan for earthquake or fire.”