Customerland

Data Breaches and Broken Trust

Mike Giambattista, Season 3 Episode 28

The digital age has transformed how businesses collect and store customer data, but with this convenience comes tremendous risk. Every minute, over 2,200 cyber attacks target U.S. businesses, making data breaches virtually inevitable for organizations of all sizes. The question isn't if your company will experience a breach, but when—and at what cost to your business and customer relationships.

Sean Gately, VP of Security Solutions at Bluefin, pulls back the curtain on the devastating impact of data breaches on customer trust. With nearly 60% of consumers reporting they would no longer trust a company following a breach, the damage extends far beyond immediate financial losses. Breached companies typically underperform competitors by 15% even three years later, demonstrating the lasting impact of security failures on business performance.

The financial implications are staggering. At an average cost of $9.63 million per breach in the United States, data security isn't merely a compliance issue—it's an existential business concern. These costs accumulate across multiple fronts: regulatory fines, legal settlements, customer notification expenses, credit monitoring services for affected individuals, and the extensive PR damage control required to salvage brand reputation. The Equifax breach alone resulted in costs exceeding $1.2 billion.

What makes this situation particularly concerning is the sophistication of today's cybercriminals. Data theft has evolved into a $30 billion global industry, with stolen social security numbers selling for $1 on the dark web, while passport information commands up to $1,000. E-commerce businesses and high-volume retailers face particular vulnerability, especially those slow to adopt modern security protocols.

The most effective protection strategy is surprisingly straightforward: devalue data through encryption and tokenization. By rendering sensitive information useless to unauthorized parties, businesses can dramatically reduce both the likelihood and impact of breaches. As Sean explains, "If you devalue all the data, when that breach happens and someone gets into your database, it's useless information they can't sell."
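To make the "devalue the data" idea concrete, here is an added example (not Bluefin's code, and not from the episode) of a toy token vault in Python. The merchant database keeps only a random token and a masked number, the vault is the only place a token is linked back to a card number, and a full dump of the merchant's store contains nothing that passes the card-number check. The class and function names, the index key and the sample card records are all constructed for this illustration; the same pattern applies to other PII, with the Luhn check swapped for whatever validation that field needs.

```python
"""Added example: tokenization devalues the data a merchant holds.
All names, keys and sample records are constructed for illustration."""
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn check used for card numbers."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask on acceptance: keep first six and last four, the most a receipt may show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Stands in for a vault hosted outside the merchant's systems (assumption).
    It is the only place where a card number and its token are linked."""

    def __init__(self, index_key: bytes) -> None:
        self._index_key = index_key            # keyed hash: the index reveals nothing without the key
        self._token_by_index: dict[str, str] = {}
        self._pan_by_token: dict[str, str] = {}  # a real vault encrypts this store at rest (assumption)

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return a token for the card number; the same number always gets the same token."""
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        idx = self._index(pan)
        if idx not in self._token_by_index:
            # Random token: no mathematical relationship to the card number, so it cannot
            # be reversed without the vault. The last four digits ride along for support staff.
            token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
            self._token_by_index[idx] = token
            self._pan_by_token[token] = pan
        return self._token_by_index[idx]

    def detokenize(self, token: str) -> str:
        """Only the vault can turn a token back into a card number."""
        return self._pan_by_token[token]


class MerchantDB:
    """The merchant's card-on-file store: holds only tokens and masked numbers."""

    def __init__(self, vault: TokenVault) -> None:
        self._vault = vault
        self.rows: list[dict[str, str]] = []

    def store_card(self, customer: str, pan: str) -> dict[str, str]:
        row = {"customer": customer,
               "token": self._vault.tokenize(pan),
               "masked": mask_pan(pan)}
        self.rows.append(row)
        return row


def breach_dump_value(db: MerchantDB) -> list[str]:
    """What a full dump of the merchant database yields an attacker: every stored
    value that is still a usable card number. With tokenization the list is empty."""
    return [v for row in db.rows for v in row.values() if luhn_valid(v)]


if __name__ == "__main__":
    vault = TokenVault(b"constructed-index-key")   # constructed key for the demo
    db = MerchantDB(vault)
    # Constructed sample records using well-known test card numbers.
    db.store_card("alice", "4111111111111111")
    db.store_card("bob", "5555555555554444")
    for row in db.rows:
        print(row)
    print("usable card numbers in a dump of the merchant DB:", breach_dump_value(db))
```

The keyed index is what lets the vault return the same token for a repeat customer without storing a reversible copy of the number in the lookup table; if the index key lives with the vault and not with the merchant, a dump of the merchant side alone gives neither the numbers nor a way to rebuild them.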

With changing privacy regulations across states and countries, staying compliant becomes increasingly complex. The wisest approach is implementing comprehensive data security that exceeds basic compliance requirements—protecting not just payment information, but all personally identifiable information throughout your ecosystem. Your customers' trust depends on it.

Speaker 1:

If you devalue all the data, you encrypt it, you tokenize it, and so when that data breach happens, that person gets into your database. It's useless information and they can't sell it, and then you don't have to worry about the extemporaneous damages that are going to come to you as a result.

Speaker 2:

Today, on Customerland, Sean Gately, VP of Security Solutions at Bluefin, and I are going to be talking about data breaches and the effect that has on customer trust. Before we get into any of that, Sean, thanks for joining me. I really appreciate it.

Speaker 1:

Thank you so much for having me, Mike.

Speaker 2:

Of course. I know we've been wrangling schedules for a while here, so I'm glad that, you know, schedules finally overlapped in a way that we could make this work. I've been looking forward to it. Just to set some context, maybe you could tell us a little bit about Bluefin and then your role there.

Speaker 1:

Yeah, certainly. Thanks so much, Mike, I appreciate it. So Bluefin is a global provider of payment and data security solutions, and basically our focus has always been protecting sensitive data: not only payment card data, but also personally identifiable information, referred to as PII, and protected health information, PHI. We specialize in tokenizing and encrypting that data and masking it upon acceptance, so that we basically sanitize a merchant's ecosystem in case of the inevitable data breach. We have been around for more than two decades. We serve over 35,000 companies around the world in verticals like healthcare, retail, grocery, petroleum, higher education, as well as government.

Speaker 2:

Is that all? Just 35,000? Yeah, that's a huge, huge client base. So the payments ecosystem is this giant sprawling web, chain or web, you choose your analogy, and a million different components and activities happen between the first part of the transaction and settlement, as well as all the tracking that happens in between there, and the, you know, the security, the securitization, if that's even the right word, of each one of those main components. So for the lay person, explain to us where Bluefin sits in that chain.

Speaker 1:

Yeah.

Speaker 1:

So I think we're going to take a step back from that conversation, because payments was one thing and it was hey, here's my credit card, I want to buy your product and you're going to send it to me, whether you're in person or via e-commerce or web-type transactions.

Speaker 1:

So it has evolved so much further than that, whereas not only is it now I'm buying a product, but, like all of us, we sign up to the loyalty program, so we're giving people our name, our address, maybe our date of birth, in some cases additional PII information, so that information is out there in the ether and out on the web and that information has value to the people who are, quite frankly, bad players in the ecosystem.

Speaker 1:

So there's always this effort to go out and try, via data breach, to steal that information and use it to do fraudulent credit card transactions. But, more importantly, you're talking about basically having your identity stolen. So where Bluefin sits in the middle of that is that we encrypt all credit card information, so we remove that information from a merchant's ecosystem, but on top of that, we also have the ability to tokenize all of your personal information that comes across. So when that inevitable data breach occurs, there is no value to the data for the bad actor who actually breached the system, so they can't actually use that data and put it out into the dark web and resell that data. And so we kind of mitigate those challenges from a cybersecurity perspective, not only from a PCI compliance but also from a data privacy compliance perspective.

Speaker 2:

Gotcha, gotcha. Okay, so just to put a finer point on it, it's really not just the payments chain, it's even broader.

Speaker 1:

Wherever PII and PHI exist, Bluefin has the ability to encrypt it and tokenize it and protect it 100%. And I myself personally, and I share this story, even though I've been in the cybersecurity and encryption business for over a decade, I've actually had my identity stolen three separate times, and it's a pain, for lack of a better description, when that does occur, and it wasn't only my credit card information but actually my identity. So the solutions that we provide here at Bluefin really address not only that payment aspect of it but, like I mentioned, also that PII aspect.

Speaker 2:

So we talk a lot on this podcast and on the site about data security from a compliance standpoint, but I think maybe even more importantly than that, and we should probably put more focus on this, is its effect on consumer trust. I mean, you know, you get your data stolen a couple of times, you're going to start to become a little more sensitive to who you're doing business with and how you're doing business there. But you see that firsthand. I myself, knocking on wood as I say this, have not had my identity stolen, because nobody really wants it. That's okay. It's a different story. But you see this stuff all day long. You probably have a view to the frequency and severity of these kinds of things. And then what is the effect on the consumer relationship after that?

Speaker 1:

Well, and I think that's a great question because, I would say, anyone who's within your listening audience, and yourself possibly, within the last three or four months received one of those letters that said, by the way, your credit card information has been compromised and we're going to provide you with two free years of credit monitoring. And, to be honest with you, myself personally, I think I have free credit monitoring if I live until I'm 150 years old, for the amount of times my credit card information has been stolen, right. So that is always there. Every single consumer within the marketplace globally, not only just in North America, has experienced that situation, and it's not only just that your information was compromised. But then, hey, we have to issue a new debit card and we're going to issue a new credit card and all the challenges that you have to go through, just as a typical consumer. So studies show that almost 60% of US consumers would not trust a company that falls victim to a data breach.

Speaker 2:

That's pretty severe. I mean, let's just spend a moment on that, because if the trust is gone from, say, a retailer or brand slash consumer relationship, if you just can't trust them, the foundation of that relationship is gone. I mean, there's no more basis for any transactions after that. I mean, I wonder, I wish I had data to kind of answer this. But once a data breach has occurred, yeah, okay, I wouldn't trust that company anymore. But I'll bet you that the percentage of customers who maybe dip that toe back in the water of doing business with them is really, really small.

Speaker 1:

Yeah, no, without a doubt, and I can share an anecdote from way back in the day, back in, and we're going almost 10 years.

Speaker 1:

You know the title data breach was the Target data breach back in 2013, where they had tens of millions of cards' information breached, and I was actually outside of a Hilton right after that occurred and was drinking a cup of coffee and speaking to a gentleman who worked for AT&T doing the tower work, and I had mentioned to him that I was in the data security business and he's like, yeah, I was part of that Target data breach and you want to know what?

Speaker 1:

I'm never going to go there again. Now, that's an anecdote, but, you know, statistically speaking, merchants and companies that experience a data breach are underperforming their competition by up to 15% three years later. Now you do have mega corporations that can overcome that with advertising and necessity, for lack of a better description. But once you get past those mega companies, they're still going to suffer, whether it's stock value, bad press, everything else that comes along. Once you have a major data breach, most companies are going to find that they're going to have a drop in business. They're going to have a drop in stock value and, more importantly, a drop in consumer trust.

Speaker 2:

So it really then becomes a question of return on investment for investing in services like yours versus an opportunity cost for not doing so. What is the risk and how do you quantify that? Because boiling that down to dollars and cents is pretty compelling.

Speaker 1:

Yeah, and that's one of the biggest challenges that I personally face within this industry, because companies could say, hey, I'm compliant with all of the basic data regulations, so why would I want to invest in additional data security? But then, once they become that, in our business, it's not a matter of if you get breached, it's a matter of when you get breached. Right, if you think about it statistically, here in the US there's over 2,200 cyber attacks per minute in the United States, right? So you could have the best firewalls and the best data protection in the world, but if you really aren't devaluing all of the data that you have, you are going to become a victim of a data breach one way or another. At some point, yeah.

Speaker 1:

Yeah, and so if you think about it here in the United States, from the IBM study, the average cost of a data breach in the US is $9.63 million. Wow. And there's been a little bit of a change in the industry, where the value of data has come from where it used to be. Hey, I want to have cardholder data because I can then send that out on the black web and I can do a couple of million dollars of fraudulent transactions and walk away. But it's kind of evolved now to hey, let me not only steal your payment data, but let me steal your personal data as well. From a statistical perspective, on the black web, social security numbers go for $1. Driver's license numbers go for $20, $30 for credit cards and then $1,000 if someone steals your passport information. So the economic incentive around the world is that the more data that I can steal from a consumer, the better off I'm going to be and the more money I can make illicitly. Wow.

Speaker 2:

So I don't know if you have a view to this by virtue of what Bluefin is all about, but this conversation kind of begs the question. If a company has been hit, one, you kind of got to go, oops, I should have invested in some protection. But what happens after that? Are there ways that companies can kind of rebuild the trust after that? I mean, what do you suggest?

Speaker 1:

Because you've probably seen this before.

Speaker 1:

Yeah Well, in my opinion, the number one thing because, again, I live in this industry when companies sit there and find out a data breach has occurred, and they sit on it and they don't go public about it as soon as possible, that's the number one hit they're going to take from a consumer trust perspective.

Speaker 1:

There are laws and regulations, especially in the healthcare industry. They're much more stringent, but it is in any company's best interest that, the moment they identify that the data breach has occurred, they immediately start reaching out, reaching out to the customers who are affected as well as the regulatory and legal entities that they are required to. Otherwise you're going to put yourself in a bad position, because it's no longer, in our industry, like hey, you had card data stolen, so the PCI council is going to come after you and Visa and MasterCard and the card brands are going to come after you. It's going to be the class action lawsuits that follow. And by being fully transparent when something occurs, but on top of being fully transparent, also saying hey, I did everything I possibly could within my power from a security perspective and a cybersecurity perspective, companies are going to be able to mitigate the damages as a result of a data breach.

Speaker 2:

Yeah, I mean, from the news that I follow, and I try and keep a fairly good handle on it, if there's a significant data breach, it's almost always followed by a lawsuit. Almost always. And it would seem to me that a company's ability to show they followed best practices, they invested in the technology for protection wherever they could, is going to certainly mitigate probably some of the mistrust but also some of the damages you're going to have to pay out.

Speaker 1:

Oh, without a doubt. And now, of course, from a litigation perspective, there are hundreds of millions of dollars available. I mean, if you think about it, one of the biggest data breaches we talk about is the Equifax one, that ended up being $1.2 billion in fees. Wow. And if you think about, you know, I talked a little bit earlier about, hey, I'm going to give you free credit monitoring. So for two years, for a premium credit monitoring, if you have an opt-in, so say you have 3 million cards' data that was stolen from you, or personal data, and you as an organization go and offer two years of free credit monitoring, that could be $720. So if you think about it, you've got 3 million or 30 million and 10% adopt that, just take that and multiply it by $720.

Speaker 1:

So, there were so many hidden costs behind the data breach. It's not only like, hey, I lost value in my stock and I've got fines from the industry, and I've got the attorney general yelling at me and I've got the card brands coming after me. It's all those hidden costs, you know. A perfect example which people don't understand is that when a breach happens and when that letter shows up in your mailbox to inform you, by the way, we're sorry that your information was stolen, so you have 30 million people who got their information stolen, it costs an average of 54 cents to send the letter. Okay, add that up. Yeah, yeah, so the costs just keep multiplying and multiplying.

Speaker 1:

So, um, you know, that's going to be the damage that you're going to receive. Hence why, from Bluefin's perspective, if you devalue all the data, you encrypt it, you tokenize it, and so when that data breach happens, that person gets into your database, it's useless information and they can't sell it, and then you don't have to worry about the extemporaneous damages that are going to come to you as a result.

Speaker 2:

So let me ask you this. Again, by virtue of the fact that you deal with, I think you said, 35,000 different clients out there in a bunch of different industries, what are the most vulnerable industries out there? And I want to follow that up with, again, and maybe this is just anecdotal, but who are the most vulnerable population segments out there? I mean, who's getting hit the hardest here? And I'm asking that from a B2B standpoint: which sectors should really be paying attention to this?

Speaker 1:

And then on the consumer side too. Yeah, certainly. So, one of the new things that came out, and I don't want to get too nerdy here, is PCI DSS 4.0, which is becoming mandatory on March 31st for all companies that accept payment data. I'd say the most vulnerable right now, starting at number one, would be e-commerce focused businesses, because of the ability to intervene in regards to those checkout payment pages and steal data from that. That would be number one. Number two, when you're talking about high volume industries, the convenience store industry, grocery store industry, when you're dealing with hundreds of millions, if not billions, of transactions, because that's where the real money is, and you have laggards in the industry that are slowly adopting, hey, I want to encrypt, I've got to be secure, but no one's going to be able to protect themselves from that one piece of malware. And then you think about AI and quantum computing and the ability for social engineering as a result of those two types of technologies. It only takes one mistake. It takes that one employee that clicks on that one bad link that shows up in their email, that allows that malware to infect their system.

Speaker 1:

But yeah, the high volume industries are going to be the biggest target. One thing I've learned in my time in this industry is that the bad actors within our industry are like water. They follow the path of least resistance. So most of the major retailers out there, the Fortune 100 retailers, have incorporated encryption and tokenization within their ecosystem. But there are still major retailers out there that are quote-unquote PCI compliant, but they hold millions of clear text cardholder data records sitting in a database that's protected with a password and sitting with a firewall, and that's where the real danger comes. Having that card on file information, if you don't have it fully tokenized and secured, you're definitely opening yourself up to a bad situation.

Speaker 2:

So, having said that, because that's really interesting, are there segments of the population that you think are getting hit harder than others? Is it kind of just like, look, it's just a great big money grab and, if you happen to be in the database, great? Or are they really going after certain kinds of people?

Speaker 1:

No, I think it's just a wide open vacuum, for lack of a better description. The value is going to be out there, you know, of course. I mean, if you, you know, have an Amex black card, you know that's probably going to be more valuable than somebody who's got a, you know, a Bank of America debit card, right. But at the end of the day, it's volume. And just as another anecdote, I was working with a very large organization here in the US. The stolen credit card information, they'd go into the mobile app and then buy gift cards, and this company literally lost like $2 million in less than 38 hours, 36 hours. Wow. So they had to shut the app down and start over again. Wow. Yeah. Any type of security protocol that someone's putting in place, there are literally tens of thousands of people around the globe that are trying to figure out how to hack it and steal it.

Speaker 2:

I just want to let that one hang in the air for a minute, because that's a big thought. If you say tens of thousands, it's not just a couple of people here and there, that's an industry.

Speaker 1:

Oh it is. It's a multi-billion dollar industry. I mean, credit card fraud itself is estimated on a global basis to be worth around $30 billion plus.

Speaker 2:

Yeah, that's an actual industry right there. Well, in terms of Bluefin's footprint, if you will, you said you're focused on all kinds of industries. What about the size of the business? Is it mostly an enterprise-level solution, or is this available to mid-level, mid-size SMBs, anybody but the large-scale enterprises?

Speaker 1:

No, across the board. I mean, Bluefin built its bones on the tier two, tier three merchants. So whether you're going to a dentist's office or a hair salon or going to a basic small grocery store, anything to that effect, all the way up to the Fortune 10 companies, we work with across the board.

Speaker 2:

And I would guess you do that through integrators and partners and SIs and things like that, or is it all kind of a direct sales effort?

Speaker 1:

Well, a combination of both. So one of the things that we did with our security ecosystem. So there are plenty of competitors of ours out there in the world today. The differentiator between Bluefin and the other hundreds of competitors that we have is that we decoupled our ecosystem. So we're agnostic, for lack of a better description, so companies can directly integrate to us. Major corporations can come in and take advantage of our security solutions. We also have integrated partners, gateways, processors, acquirers across the ecosystem that actually integrate into our ecosystem. That allows them to basically take advantage of what we do. I think the biggest differentiator between Bluefin and our competitors is that for most of our competitors in this business, their P2PE and cybersecurity business constitutes less than 1% of what they do. Here at Bluefin, it constitutes 95% of what we do. So we are a very solely focused organization in that regard. We're not a payments company that happens to be in data security. We're a data security company that happens to be involved in payments.

Speaker 2:

Gotcha, gotcha. Well, a lot to consider. Well, Sean, I really appreciate the time. It would be great fun to reconvene in another, I'm just pulling this out of a hat, six, nine months or so and talk about the state of the industry, and industry meaning, you know, the identity fraud, theft and the whole thing, and see if it's grown, if it's shrinking, which I can't even imagine, and how Bluefin sees the ability to solve for those kinds of things.

Speaker 1:

Yeah, and I really appreciate that, Mike. And in closing, data privacy legislation. Most companies have heard about GDPR. Right, that's the European regulation, and then you have CPPA, which is the Canadian regulation. Here in the United States, because of our wonderful 10th Amendment states, there isn't a single federal regulation that's going to be guarding what data privacy rules and regulations are. Right now, they've been focused very much on what you do with someone's data, but I think the evolution of the industry is going to be how you are protecting the data that you have. Yeah, but to your audience and to the merchants that also pay attention to this type of information, you really need to start looking at all of these data privacy regulations, because that's going to come on top of what the PCI regulations are.

Speaker 2:

Right, right, and to complicate things even further, most of those states who either have regulations on the books or soon will are changing them with such a frequency that I can't imagine how a merchant would keep up. I mean, I'm thinking of CCPA in California, like the attorney general out there, God bless him, but whoever this person is has a hard time making up their mind. 100%, and those regulations are getting changed every single legislative cycle.

Speaker 1:

Someone wants to jump in. And the best practice in the world is just get rid of the value. Do not hold clear text data within your ecosystem, and look for solutions that are going to tokenize not only payment data but personal data: name, address, phone number, driver's license number, date of birth. That's probably the best practice that I could recommend.

Speaker 2:

Good advice. Well, we'll put that out there in great big all caps when this podcast posts. But, Sean, thanks a million for your time and for your insight. I really appreciate it.

Speaker 1:

No problem, Mike. Thank you so much.
